Cyber Security Begins with A Plan – Part Two

The mortgage industry can learn from other industries that are highly regulated and handle a great deal of NPI. Such as, The Life Insurance and Securities industries, which have a significant amount of requirements to comply with compared to any other industry. Agents, Advisors, BGA, BD, Medical Service providers, and Carriers handle NPI, PPI, financial, medical, educational information for which they are accountable. Here are some steps to help your organization build a simple but effective security plan:

A plan that will make you focus on your internal technology and controls for an internal operation or a good checklist for working with a Cloud vendor to enable compliance. Remember, you can outsource the technology or process, but not the liability. Also remember, this is only a guideline for educational purposes; for a complete Cyber Security evaluation please contact a certified Service Organization Controls, third-party evaluator.

Security Plan

Establish a Security Officer responsible for the company to oversee this process. At least one member should be an officer of the company (executive oversight). This individual needs to define and document its policies for the security of its system. Security policies are established and periodically reviewed and approved by a designated individual or group.

The entity’s security policies include, but may not be limited to, the following matters:


Classify data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights, access restrictions, retention, and destruction requirements. Appendix A lists the common items regarded as NPI.


Identify and document the security requirements of authorized users. Know who is authorized to add, change, communicate and delete NPI. Roles are a common practice in defining access privileges.

Assessing risks on a periodic basis. Organizations add or change how NPI is accessed (Social media, Emailed, Twitter, etc.) and should address the new risk and its solutions or policy change.

Preventing unauthorized access. Determine the User’s use of login and password, sharing of the same is not a good thing. Also, assess who has User access authority. When adding new users, modifying the access levels of existing users, and removing users who no longer need access.

Stay tuned. I’ll share more tips next week.