Risk Management
Effective Date: March 18, 2020.
Program Objective
MortgageTech maintains a comprehensive information security program (the “program”) to protect the security, confidentiality and integrity of consumer information and other information that is confidential and proprietary to MortgageTech, its employees, customers, suppliers, vendors and contractors (collectively, “confidential information”). The program is designed to:
- ensure the security and confidentiality of confidential information
- protect against any anticipated threats or hazards to the security or integrity of confidential information
- protect against unauthorized access to or use of confidential information that could result in substantial harm or inconvenience to MortgageTech, its customers and consumers
The program includes risk assessment activities, policies and procedures to manage and control the security of confidential information, and mechanisms to test the effectiveness of the controls, as summarized below.
Risk Assessment Activities
MortgageTech regularly identifies and assesses risks that may threaten the security, confidentiality and integrity of confidential information. These risks include, but are not limited to:
- unauthorized access to or use of confidential information by employees and third parties
- unauthorized alteration of confidential information
- loss or theft of confidential information
Risk assessment activities also provide for the classification of information and security recommendations for communication of information, based on its sensitivity and importance, as confidential, for internal use or for general use, taking into consideration factors such as:
- regulatory and legal requirements, including provisions of the Gramm-Leach-Bliley Act, the Interagency Guidelines Establishing Information Security Standards, the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, NCUA regulations, Section 404 of the Sarbanes-Oxley Act and related regulations;
- financial significance
- competitive advantage
- privacy considerations of individuals, customers, vendors and employees
- public relations
Security Controls
MortgageTech has policies, procedures, information systems and other arrangements in place to control the identified risks and achieve the overall objectives of the program. Information security controls are documented in electronic handbooks and policy/procedural manuals, and electronic databases throughout MortgageTech and cover multiple aspects, including:
Storage and Disposal of Records
- Documents containing confidential information are kept in file cabinets that are locked when not in use
- “Confidential — For Internal Use Only” labels are used on certain confidential documents
- MortgageTech’s records center is physically secured and access is limited to authorized personnel
- A records retention policy specifies the retention periods and destruction requirements for records (including electronic records)
- Documents are accounted for and tracked until ultimate destruction
- A shredding policy is in effect requiring all documents containing confidential information to be shredded
- Computer media is physically secured in Microsoft’s Azure cloud and backed up to an off-site disaster recovery facility
- Corporate data is backed up for recovery purposes. Backup files are physically secured in an off-site third party location
Physical Security of Facilities
- All program and data servers are maintained with the Microsoft Azure Cloud and are subject to Microsoft’s security which may be viewed at https://azure.microsoft.com/en-us/overview/trusted-cloud/
- Employees are required to log into the MortgageTech network to obtain access to the servers
- No data is stored off the network
Data Security Practices, Policies and Standards
- Proper segregation of duties exists within MortgageTech’s IT department, including the functions of computer operations, system software maintenance, network administration, database administration, application programming, program change management, data entry and data security
- Written security policies and procedures are provided to employees
- The IT security group independently administers user ID and password permissions
- The IT security group administers security awareness programs and issues security awareness reminders to employees
- MortgageTech has a defined business resumption planning process and routinely conducts business continuity testing
- MortgageTech application source code is maintained in version control repositories
- Moves to production require a manager’s approval
- Testing is performed in a QA or test environment before new systems or system enhancements are moved into production
- Platform updates and patches are identified, reviewed and installed, as appropriate
Access Controls
- Internal and external access to all computer files and systems is controlled by user IDs and passwords
- User access capabilities are configured with least privilege so that users have only the minimum access rights and privileges needed to perform their job functions. Access authorization requires management approval
- A security software tool is used to control access to data on the enterprise server
- The Human Resources department notifies the IT security group of all job changes, and access privileges are adjusted accordingly
- A weekly reconciliation process is performed to ensure revoked accounts are removed on a timely basis
- Employee passwords must include a prescribed minimum number of characters and must be changed regularly
- A user’s account is locked after 3 unsuccessful logon attempts.
Security Architecture and Hardware/Software Filtering
- Security alert management software is installed to detect security breaches, such as port scans, denial of service attacks and other external penetration attempts
- Data and network integrity software is installed on MortgageTech’s web servers
- MortgageTech has anti-virus policies and procedures. Anti-virus scanning is performed at the user’s desktop and the networked servers
- E-mails containing certain file types that may contain viruses are blocked
- Procedures are in place to respond to a network intrusion or virus attack
Security Monitoring
- MortgageTech’s Internal Audit department performs periodic security audits
- Failed logon attempts and certain other security-related events are logged and reviewed
- All network devices are monitored for performance and failure notifications are automatically sent to appropriate support personnel
- Unauthorized access to or use of confidential information will be reported promptly to the appropriate customer.
Exchange of Confidential Information
- MortgageTech maintains a Secure File Transfer System for delivery of confidential information electronically via the internet in encrypted format.
- MortgageTech encourages customers and other third parties to encrypt confidential information transmitted electronically over the internet to MortgageTech by using the Secure File Transfer System
- Practices are in place to verify the identity of callers (i.e., the appropriate lender or borrower) before confidential information is disclosed over the phone
- Document routing software is used to deliver faxes to the appropriate destination
- Data received electronically from customers is archived in its original format.
Confidentiality Agreements and Policies
- MortgageTech’s privacy policy is contained on its web site
- MortgageTech maintains a Code of Business Conduct (the “Code”) and employee handbook which include requirements for employees to protect the confidentiality of information received from and prepared for customers, consumers, vendors, suppliers, contractors, as well as MortgageTech’s proprietary information. Employees must acknowledge the handbook provisions and periodically are required to certify that they have complied with the Code
- Employees must sign an agreement that includes provisions restricting the use and disclosure of confidential information consistent with MortgageTech’s policies
- Vendors and other third parties who handle or have access to confidential information are subject to a security risk assessment and monitoring by MortgageTech and must enter into confidentiality agreements restricting the use and disclosure of such information to the purposes for which it is provided.
Program Administration
MortgageTech has an ongoing security awareness program to train employees regarding certain aspects of the information security program. The security awareness program includes new hire orientation, a security awareness handbook, periodic newsletter articles and e-mail announcements, employee surveys and contests, and training programs.
MortgageTech employees are instructed to report unauthorized or fraudulent attempts to obtain confidential information to the IT security group or MortgageTech’s General Counsel. Where appropriate, incidents are referred to the appropriate regulatory and law enforcement agencies.
MortgageTech monitors, evaluates and adjusts, as appropriate, the information security program in light of relevant changes in business arrangements, technology, the sensitivity of confidential information, and internal or external threats to the security, confidentiality and integrity of confidential information.