McBride Financial Security Policy

The following policy is in response to McBride Financial Services’ request to develop a security policy that will address its loan department’s current needs as well as any issues that may arise involving online loan applications. McBride’s target market comprises an upscale demographic. Most of the individuals who request mortgages through this company are professionals, retirees, and families purchasing their primary or secondary home (University of Phoenix, 2005). This market is customarily aware of any changes to its personal information and/or financial records. Therefore, securing this information is of extreme importance and essential to the longevity of McBride Financial Services. The new security policy for the loan department will include areas such as Physical Security, Data Backup, Account Access Controls, Training, and Non-Compliance.

The implementation of McBride’s new electronic key cards provides an excellent source of control in the area of physical security.
Employees will now have access only to the areas authorized for their specific authorization level. Any unauthorized access to any area of any McBride facility will be punishable in accordance with McBride’s Non-Compliance Policy. A service charge may be assessed for access cards and/or keys that are lost, stolen, or not returned (The Trusted Toolkit, 2007). Lost cards will also be immediately deactivated at the release of a new card. Card access records and visitor logs must also be kept current for routine review based upon the needs of the company.

When processing a loan application, McBride is privy to a large amount of sensitive customer information including, but not limited to, the customer’s credit report. Therefore, the protection of this data is of vital importance. In order to protect data from loss, equipment failure, or intentional destruction, all mortgage applications and associated data will be backed up to magnetic tape as well as archived to a remote server daily. Magnetic tape backups will be performed every evening (except for Sunday, when tape drives will be cleaned and maintained).
All data backups will be performed only by an authorized member of McBride’s in-house IT department.

Another way that McBride will now protect sensitive data is through account access controls. Passwords, encryption, and pertinent classification of data are a few of the measures that will be implemented to ensure this protection. Every procedure and process within McBride will be grouped into separate access levels and assigned an ID. In conjunction with this ID, all employees will be assigned a user ID and password for logging onto any and every system within the company.
This user ID will identify each employee’s personal authorizations within the company. This will limit and/or authorize their access within each application within the system. In addition, there is now the ability to strictly monitor the activities of each account user for misuse or noncompliance with company policy. Any software that is not approved, managed, and/or supplied by McBride Financial Services is strictly prohibited. For loan application processors, instant messaging and peer-to-peer programs are also prohibited. Email and full internet use are accessible only to upper management and executives.

In order for McBride to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), and Massachusetts 201 CMR 17.00, an immense amount of training is also necessary upon implementing these new policies (The SANS Institute, n.d.). In order to reduce legal risks, it is imperative that we thoroughly educate our users on this new security policy. This training will begin with a four-hour training session relaying these new practices to all employees over the course of a week.
Thereafter, there will be follow-up training sessions as management deems necessary to ensure that policy is being strictly adhered to.

For the protection of the customer as well as McBride Financial Services, noncompliance with this new policy will not be tolerated. All employees are required to sign a Policy Acknowledgment Form stating that they have read, understood, and agreed to the guidelines expressed within this policy. If anyone suspects or is privy to a breach of security of any type, a Security Incident Report should be filed immediately.
Failure to comply with the terms of this policy is punishable to the fullest extent of the law.

Conclusion

This policy was created in the best interest of McBride Financial Services, its customers, and its employees. Though we cannot ensure that all will adhere to this new policy, we will rely on proper training and the consequences spelled out in our non-compliance agreement to aid in ensuring maximum safety to our customers and company. The measures mentioned above are just a few of the precautions that are being implemented.
Ideally, this policy will enhance McBride’s ability to provide its customers with the utmost satisfaction.

References

University of Phoenix. (2005). McBride Financial Services. Retrieved October 10, 2009, from https://ecampus.phoenix.edu/secure/aapd/cist/vop/Business/McBride/Internet/McBridePort.htm

The SANS Institute. (n.d.). SANS: Free Computer Security Resources. Retrieved October 10, 2009, from http://www.sans.org/security-resources.php

The Trusted Toolkit. (2007). The Trusted Toolkit. Retrieved from http://trustedtoolkit.com/Documents/PhysicalSecurityPolicySample.pdf