Security Best Practices: How to make it happen in your firm

Transcription

1 Security Best Practices: How to make it happen in your firm Bess Reynolds Laura Ward Ben Ruocco Real Estate Attorney IT Programmer/Audit Coordinator Network Administrator Our firm primarily practices in default-related legal services and creditor rights representation. We have over 34 years of experience with Default Servicing Guidelines and frequently undergo many client audits ranging from simple reviews to full assessments of our entire organization. Our Real Estate practice is no stranger to state and federal regulations and we offer our expertise to those striving for compliance with the CFPB and other organizations. 1

2 Best Practice #3: Adopt and maintain a written privacy and information security program to protect NPI Purpose: Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies (and law firms) to develop a written information security program that describes the procedures they employ to protect Non-public Personal Information (NPI). The program must be appropriate to the Company s size and complexity, the nature and scope of the Company s activities, and the sensitivity of the customer information the Company handles. A Company evaluates and adjusts its program in light of relevant circumstances, including changes in the Company s business or operations, or the results of security testing and monitoring. Physical Security of NPI Network Security of NPI Disposal of NPI Disaster Management Plan Employee Training and Management Oversight of Service Providers Audit and Oversight of Policies and Procedures Notification of Security Breaches to Customers and Law Enforcement 2

3 Physical Security of NPI Building Access: Authorized Personnel Only Consider labeling private doors with signs which will direct visitors to the main entrance. 3

4 Physical Security of NPI Building Access: Visitors Use conference rooms for closings rather than your general work area. If you do, then visitors do NOT need to sign in. Use visitor logs to track who has been in your office as well as key areas like server rooms. This applies to contractors and janitors too. Check ID of visitors you are not familiar with. Use passes to identify visitors in your office. 4

5 Physical Security of NPI Building Access: Unruly Visitors Consider what might happen if a visitor becomes unruly or threatening. Call someone in a different location in the office and use a keyword that triggers them to contact the authorities. Have a secure area your staff can move to. Have other staff ready to help deflate the situation if possible. Install a panic button that will automatically lock other doors and/or call the authorities or others in your office. 5

6 Physical Security of NPI Building Access: Ideas for securing your office Receptionist (open office for visitors but has computer that needs to be locked to desk and has a screen shade; no files other than on computer screen unless they can be placed in a drawer) Conference Room (open office for visitors, contains no equipment except phone and no files) Loan Processor (locked office; contains equipment and files and can be secured at night) Attorney Office (locked office; contains equipment and files and can be secured at night) 6

7 Physical Security of NPI Building Access: Employees and Contractors Be sure to perform background checks on employees and contractors who will be performing work for you. Use Non-Disclosure Agreements (NDAs) and Security Acknowledgement Forms for employees and contractors who will be in your office for any length of time (including janitors). This ensures everyone understands the importance of security and confidentiality while in your office. Be sure to obtain new signatures annually. Collect keys and equipment when employees resign or are terminated. 7

8 Physical Security of NPI Building Access: Annual Acknowledgements In lieu of obtaining new signatures annually for our employees, we have them electronically acknowledge the NDA, Security Awareness, and all of our security policies. This cuts down on paperwork. 8

9 Physical Security of NPI Building Access: Keys Limit who has access and who has keys, especially master keys. Keep extra keys in locked cabinets. Emphasize keys are only to be used by the people to whom they were assigned (no sharing). Consider an electronic access system like key fobs. This way you can control access and maintain logs electronically. 9

10 Physical Security of NPI Building Monitoring: Cameras, motion sensors, alarms Consider cameras for entryways and motion sensors (with alarms) for first floor offices. Contract with a security company for alarms. Be sure computer monitors are facing away from first floor windows. 10

11 Physical Security of NPI Server Room: Environmental Controls Server room (data center) walls must extend from floor to ceiling and environmental controls must be in place (temperature, humidity, fire detection, water detection) This room should be secured separately from other areas and only a few employees should have access. 11

12 Physical Security of NPI Other Environmental Controls & Security Fire codes prohibit the use of items that could possibly start fires. No smoking inside the building No open flames such as candles No heaters No extension cords (user power strips with surge protectors) For areas where the general public or visitors will have access, it is a good idea to actually lock equipment down. 12

13 Physical Security of NPI Equipment Inventory: Maintain a list of all equipment (even equipment not in use) and the location of each item; examples are computers, printers, copiers, servers, monitors, etc. Small items like keyboard do not apply. Number each item and use inventory tags. Remember to make updates as you move equipment. Perform inventories annually; keep documentation including staff acknowledgements listing what equipment they have. 13

14 Physical Security of NPI Building Access Policies and Procedures: Visitors check ID, have them sign a log and wear a badge Unruly Visitors have a process and train your staff Employees perform background checks; have employees sign security forms and NDAs Termination Procedures be sure to collect keys and equipment from employees resigning or being terminated Vendors and Contractors check ID, have them sign a log and wear a badge; either escort them at all times or have them sign security forms and NDAs before they perform work in your office Keys consider electronic access with fobs Monitoring consider cameras at entrances and secure doors, motion sensors with alarms in ground floor offices; if you have a server room, be sure it has environmental controls in place; be mindful of fire codes Equipment Inventory be sure to maintain an inventory of all equipment and keys and perform an inventory annually; have staff sign acknowledgements that they are in possession of equipment/keys annually 14

15 Physical Security of NPI Files and Paper: Keep papers in files and not scattered loosely around the office. This will also keep visitors from seeing information accidentally. Image or scan as much as possible so that you have an electronic copy of your paper files in case documents go missing or in lieu of maintaining paper files. Original documents (if applicable) should be maintained in locked cabinets inside secure rooms with limited access. Mail handling? Yes, be thoughtful about opening and processing mail. Also be thoughtful about mailing papers out. Use certified mail or carriers like UPS/Fedex in order to track packages. 15

16 Physical Security of NPI Clean Desk Policy: Keep files and papers in locked cabinets or offices daily and secure the keys. Use stop signs to let people know you are on vacation or gone for the day. Do a sweep of the area each evening to ensure cabinets or offices are locked and nothing is left out on desks or printers/copiers or in shred boxes. Be sure to also log this information. 16

17 Physical Security of NPI 17

18 Physical Security of NPI Transporting Files: While attending hearings, sales, closings, etc, attorneys may have the need to carry client files with them. It is important to safeguard the information in those files while in transit. Be sure to use locked cases for carrying files and store them in the trunk if you have to leave them in the vehicle. When carrying the files with you, be sure they remain in your possession or lock them in a case if you plan to step out of the room they will be used in. 18

19 Physical Security of NPI Record Retention: There are many thoughts on the length of time you should keep client files. Some regulations require 7-10 years while others only require 3-5. Whichever term your firm adopts, be sure to have a policy and follow it. Storing Files: Your office may not have adequate storage for keeping files for any length of time. There are many off-site storage companies with strong security already in place to safeguard your files. Keep in mind that using an off-site storage facility means you are outsourcing this function and will therefore need to vet this company as you would any vendor or subcontractor (which we will discuss later). 19

20 Physical Security of NPI File Management Policies and Procedures: Files (define the contents) Imaging (list what software is used and the security methods) Original Documents (if applicable) and Secure File Room Mail Handling Clean Desk Policy Transporting Files Record Retention Storing Files (on-site or off-site) 20

21 Network Security of NPI Computer Access: Use your computers/equipment for business purposes only. Limit who has access to your computers. Do not let third parties or contractors have access to your internal network. This includes other agents visiting your office. We maintain a separate network for this purpose. Control who can make changes in your systems like adding/removing software, add/removing user accounts, etc. Assign accounts to individuals and do not share computer accounts. Use strong/complex password configurations such as 8-9 characters combining upper and lower case letters, numbers and special characters and change them every 90 days. Do not share passwords are leave them on desks or taped to computers. Lock your computer when you step away so that no one can see what is on your screen. Aim computers away from windows on the first floor. 21

22 Network Security of NPI Virus Protection: Be sure to have strong anti-virus software that is updated automatically. If using removable media is necessary, run scans on the media prior to using. The following items/practices can allow dangerous content and are therefore discouraged industry-wide: access to social networking sites and streaming sites for music connecting to a cell phone or ipod for music (bring a radio) removable media (thumb drives, CDs, USB devices, etc.) wireless access to your internal network 22

23 Network Security of NPI Vulnerability Testing: External penetration/vulnerability testing (PEN Test) can be done by purchasing inexpensive software which will ping your network for weak points and give you options for increasing your security. 23

24 Network Security of NPI and Internet: Define your and internet Acceptable Use Policy and train staff. Access to social networking sites and streaming sites for music should be prohibited. Make your policy very clear and prohibit personal use. Having a confidentiality banner that users must acknowledge each time they log in is a good reminder for staff. 24

25 Network Security of NPI Computer Configurations: If you re a larger firm, use Group Policy for setting up the majority of your users with the same privileges so that updates can be sent in batches. Review and test the monthly Microsoft updates before pushing them out. List whatever system configurations you use as auditors want to see a list of software on user machines and how confidential data is used in this software. They also want to see system level software or server hardening standards. Software Inventory: Maintain a list of all software, their licenses, and which users have which software. This is important for upgrading software. 25

26 Network Security of NPI Network Diagrams: Auditors want to see network diagrams even for the simplest networks. This conveys to them a sense of your understanding of where the data is residing or being transported. Wireless access to your internal network should be prohibited as there are too many vulnerabilities. Using a separate external network is the standard. 26

27 Network Security of NPI Mobile Devices: If you allow laptops and cell phones to connect to your network, then you should have a Mobile Device Policy. If you are NOT allowing laptops/cell phones, it is a good idea to add this to your security policies also. Laptops be sure they contain hard drive locks where users must use a password before getting to the operating system or software. Maintain anti-virus software and perform the monthly updates to software just like desktop computers. Cell phones Only allow company-owned cell phones with virus software to be used. Personal use of cell phones in the office where confidential data is stored or processed is a bad practice as images of computer screens can be captured. Control the use of thumb drives (or CDs) by scanning with anti-virus software first. Remote Access Limit connections to your internal network to users absolutely needing access and require multi-factor authentication such as a fingerprint scan or phone-call authentication in addition to entering a password. Be sure to use secure connections such as VPN which prohibits split tunneling. 27

28 Network Security of NPI Redaction: Electronic redaction is used with some imaging software and other software such as Adobe (PDF). Be sure to use redaction methods which actually strip the data rather than cover it up (which can possibly be removed). Manual redaction can also be used by printing the document, using a black marker or whiteout to strike through the text, then scanning the document back to your system. Most clients want the word redacted written/typed on top of the whiteout portion for clarity. 28

29 Network Security of NPI Never place NPI in the body of an unless you are sure the system is secure. If you are using a website that you must log into for access, then that is a secure method. Encryption: Encryption sounds very technical but is actually very easy. When encrypting a document, you are adding a password to open the document. Most software programs have password protection options. You can also encrypt a folder that contains many documents, using a compression method like WinZip or 7-zip. Adobe (PDF) File Zip Folder Whichever method you use, always send the password separately from the actual files you are protecting. If you are using a secure system, there is no need to encrypt (or password protect) the file you are sending. 29

30 Network Security of NPI Data/Computer Access Policies and Procedures: Users Only allow employees to access your system, not contractors, and control who can make changes to your system; assign accounts by user rather than sharing accounts. Logging In Use strong passwords, change them often and do not share them; do not store passwords on paper on your desk or taped to computers; lock your computer when stepping away. Virus Protection Use strong anti-virus software and update it frequently; perform vulnerability/penetration testing. /Internet Develop an Acceptable Use Policy and limit/prohibit visiting social networking sites. Network Setup Setup up users in group policy; perform patches/updates; define and list your software configurations at the user and system levels; maintain a software inventory; create a network diagram and prohibit wireless access. Mobile Devices Limit/prohibit cell phones near computers or files; scan thumb drives and CDs for dangerous content; use hard drive locks on laptops; use multi-factor authentication remote access. Redaction Decide which method is best for you and draft a policy. Encryption Safeguard data through by password-protecting files or folders or using a secure system. 30

31 Disposal of NPI Shredding Paper: Place papers containing NPI in locked shred bins rather than trash cans. Either shred them yourself or outsource this function being very careful to vet this vendor as they will have direct access to papers containing NPI. Cleaning Hard Drives: Prior to destroying or donating equipment, it is important to clean the equipment of any and all data and programs. Several software options are on the market that will wipe electronic devices. 31

32 Disaster Management Plan Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP): Think about what you and your staff would do in a disaster or emergency. Scenarios: fire, flood, hurricane, tornado, snow, power outages, one of your servers or your main computer was corrupted by a virus, disgruntled person came into your office and threatened to shoot or explode a bomb, etc. Develop a call tree of all of your employees. Make sure your staff knows who to call in any emergency. Perform drills/tests like fire drills. Document them. Do these at least annually. Document your business dependencies and develop plans for when they are interrupted (e.g. power goes out, Internet Service Provider goes down, etc.). Develop an Incident Response form or report for documenting events. These can be great training tools. Be detailed in what took place before and after. Have a plan, train your staff, test the plan, revise it, test it again 32

33 Employee Training and Management Staff Training/Management: Your staff needs to know more than just their job. Auditors will ask! Hold regular meetings or training sessions to review policies and procedures. Document those sessions and have staff acknowledge that they are aware of the policies, attended the training, and agree to abide by said policies. 33

34 Employee Training and Management Location of Training Materials and Policies: Be prepared to provide auditors with lists of trainings held during the year. Be sure your staff knows where training materials and policies are located. 34

35 Oversight of Service Providers Service Providers: Develop a policy for vetting ALL vendors and service providers. Place them into categories where you can assess risk by whether they will handle NPI or not (Level 1 dealing in no NPI up to Level 4 dealing in NPI directly). Auditors want to be sure you have done your due diligence in establishing relationships with your vendors and service providers. We check our vendors against the Freddie/Fannie Exclusionary lists, FHFA Suspended Counterparty Program, and the Office of Foreign Assets Control (OFAC) Specially Designated Nationals List. We require that they perform background checks on their employees. We require that they notify us of security breaches or customer complaints. We maintain a list of service providers we have approved and annually review this list. We also have a process for evaluating their services and reporting any incidents that may arise through the year. Examples of our services providers are our off-site storage facility, shredding company, background check provider, janitors, etc. 35

36 Audit/Oversight of Policies and Procedures Audit/Oversight: Maintain revision logs of all policies and procedures. Use revision dates in each document. Assign managers/attorneys to be responsible for reviewing all policies at least annually and submitting changes as necessary. Changes can be the result of regulation changes, client directives, changes to your business, etc. Example: Policy Name Revision Date Summary of Changes ABC Policy 2/15/2009 Added language to define ABC. 36

37 Notification of Security Breaches Notification: Either post your privacy and information security information on your websites or provide the information directly to clients. When a breach occurs, you should inform clients and law enforcement as required by law. Examples of breaches are: Data loss or leakage outside your network Stolen equipment containing confidential data Missing or stolen paper files Severe or catastrophic incident Be prepared with restoration scenarios in the above events. Some client may have procedures for you to follow in these instances. 37

38 Security of NPI Other Policies and Procedures: Disposal of NPI shredding and wiping computers Disaster Management Plan plan it, train on it, and test it Employee Training/Management document training Service Providers due diligence with all types of contractors Policies and Procedures revision logs and summary of changes Notification of Security Breaches inform clients and law enforcement 38

39 Conclusion Security is Everyone s Responsibility! Document what you do and do what you say you are doing. If you revise a process, be sure to revise the policy document. Continuously train your staff. Be prepared for audit time. You will be asked about all of the above. Helpful Links: NC Closing Attorney Best Practices Task Force - Real Estate Lawyers Association of NC - American Land Title Association - Consumer Financial Protection Bureau