McBride Financial Services is in need of security policies for its loan department. These include the security of loan and customer documentation, proper disposal of records, firewalls and other technical safeguards, adequate training of staff, and compliance with local and federal mandates regarding information security for financial institutions. This three-page paper outlines major areas for review and recommendations for mitigating risks.
McBride Security Policy
Security Policies and Recommendations for McBride Financial Services
McBride Financial Services has experienced increased consumer interest in its innovative and economical loan offerings and terms. With rising competition in the market, McBride is now aggressively working to boost market share through a renewed focus on customer service and simple and speedy loan processing (Fluss, 2009). While many automated processes in the financial sector can be convenient for customers, they can also present unique and significant security risks for companies (Compton, 2004). The following policies are aimed at covering certain critical security areas for the loan department at McBride Financial Services.
General Information Security
Sensitive information can be defined as a customer's full name, address, phone number, credit information, Social Security number, date of birth, mother's maiden name, employment and salary information, username/password combinations, or PINs (Bilich, 2000). All such information should be stored securely in order to help ensure confidentiality and thwart misuse, fraud, theft, and customer privacy violations.
All computer networks should receive a comprehensive review for reasonably foreseeable threats. These may include both internal and external threats such as unauthorized disclosure; misappropriation or alteration of customer information or accounts; improper disposal of sensitive information; unauthorized access to systems; risks arising from third-party vendors or service providers; and improper destruction of outdated electronic data and storage media (Garratt & Keister, 2009).
Technical firewalls should be implemented, with consideration given to the many ways in which data systems can potentially be accessed from outside the institution (Compton, 2004). Risk assessments should be conducted to identify and strengthen areas of weakness introduced by Internet connectivity. Both automated and manual processes should undergo thorough and routine security audits to identify areas of vulnerability (Garratt & Keister, 2009).
Security Controls
Information security controls should be instituted to address any risks exposed during assessment (Ferreira & Andrade, 2011). Loan processing is primarily a back-office operation. At a fundamental level, back offices repetitively process large volumes of transactions. These processes can be simple steps such as posting payments, or complex, multi-step, multi-touch processes that span lengthy timeframes, such as complex mortgages (Fan et al., 2010). Many individuals are involved in loan processing: data entry clerks, loan agents, loan processors, accounts payable processors, closing agents, and loan officers.
Access controls that include passwords and classification levels should be implemented to allow only authorized individuals to view customer information and file management databases (Menconi & Desmond, 2000). In addition, access history should be recorded so that the organization can monitor each employee's retrieval, downloading and sharing of sensitive records and other forms of data. Encryption of data in transit over networks will help safeguard sensitive information. All computer systems should feature anti-virus, Trojan detection, and other comparable safety measures to immediately quarantine and delete intrusive software or other attacks upon the computer network (Ferreira & Andrade, 2011).
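The following is an added example, not part of the original paper, of how the two controls described above fit together: access decisions are made by comparing a record's classification level against the clearance of the requester's role, and every attempt, allowed or denied, is written to an access history that can later be reviewed. The roles are taken from the loan-processing staff listed earlier; the classification levels, the clearance and action mappings, the record names and the sample access attempts are assumptions constructed for illustration.

```python
"""Classification-based access control with a reviewable access history.

Added example; the roles, clearance levels, permitted actions and sample
requests below are constructed assumptions, not the paper's own policy.
"""
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Assumed data classification levels, lowest to highest."""
    PUBLIC = 0
    INTERNAL = 1        # loan application metadata
    CONFIDENTIAL = 2    # credit reports, SSNs, salary information
    RESTRICTED = 3      # authentication secrets such as PINs


# Assumed clearance per role (not from the paper). A role may access a
# record only when the record's level is at or below its clearance.
ROLE_CLEARANCE = {
    "data_entry_clerk": Level.INTERNAL,
    "loan_processor": Level.CONFIDENTIAL,
    "loan_officer": Level.CONFIDENTIAL,
    "closing_agent": Level.CONFIDENTIAL,
    "security_admin": Level.RESTRICTED,
}

# Assumed actions each role may perform; only officers may share records.
ROLE_ACTIONS = {
    "data_entry_clerk": {"view", "update"},
    "loan_processor": {"view", "update", "download"},
    "loan_officer": {"view", "update", "download", "share"},
    "closing_agent": {"view", "download"},
    "security_admin": {"view"},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    level: Level


@dataclass(frozen=True)
class AccessLogEntry:
    user: str
    role: str
    action: str
    record_id: str
    level: Level
    allowed: bool


class AccessController:
    """Enforces clearance and action checks and records every attempt."""

    def __init__(self) -> None:
        self.log: list[AccessLogEntry] = []

    def request(self, user: str, role: str, action: str, record: Record) -> bool:
        clearance = ROLE_CLEARANCE.get(role, Level.PUBLIC)
        allowed = record.level <= clearance and action in ROLE_ACTIONS.get(role, set())
        # Denied attempts are logged too: they are the signal reviewers want.
        self.log.append(AccessLogEntry(user, role, action, record.record_id,
                                       record.level, allowed))
        return allowed


def review_log(log: list[AccessLogEntry], download_threshold: int = 3) -> list[str]:
    """Flag denied attempts and users pulling many confidential records."""
    findings = [f"DENIED {e.user} ({e.role}) {e.action} {e.record_id}"
                for e in log if not e.allowed]
    downloads = Counter(e.user for e in log
                        if e.allowed and e.action == "download"
                        and e.level >= Level.CONFIDENTIAL)
    for user, count in downloads.items():
        if count >= download_threshold:
            findings.append(f"BULK_DOWNLOAD {user} downloaded {count} confidential records")
    return findings


def run_demo() -> tuple[list[bool], list[str]]:
    """Constructed sample requests; returns the decisions and review findings."""
    ac = AccessController()
    application = Record("LOAN-1001-application", Level.INTERNAL)
    credit = Record("LOAN-1001-credit-report", Level.CONFIDENTIAL)
    pin = Record("CUST-1001-pin", Level.RESTRICTED)
    decisions = [
        ac.request("aclerk", "data_entry_clerk", "view", application),  # allowed
        ac.request("aclerk", "data_entry_clerk", "view", credit),       # denied: level
        ac.request("bproc", "loan_processor", "view", pin),             # denied: level
        ac.request("bproc", "loan_processor", "share", credit),         # denied: action
        ac.request("cofficer", "loan_officer", "share", credit),        # allowed
    ]
    for i in range(3):  # a processor pulling several credit reports in a row
        ac.request("bproc", "loan_processor", "download",
                   Record(f"LOAN-200{i}-credit-report", Level.CONFIDENTIAL))
    return decisions, review_log(ac.log)


if __name__ == "__main__":
    decisions, findings = run_demo()
    print("decisions:", decisions)
    print("\n".join(findings))
```

The review step is deliberately separate from the enforcement step: the controller only decides and records, while the periodic review of the recorded history is what turns the log into monitoring of retrieval, downloading and sharing behaviour.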
Paper records including loan applications, credit reports, and customer employment records should be properly discarded by shredding (Britt, 2005). Similarly, obsolete and sensitive computer-based records should undergo proper media disposal and erasure processes. Access to physical locations where sensitive information is housed (e.g., file rooms, vaults, or storage areas) should also be restricted and monitored through a key card system.
Personnel Training
Staff must be trained to recognize and respond to any perceived attempt by coworkers, customers or outside parties to commit identity theft and/or fraud (Homann et al., 2004). Employees must also be trained in the proper use of computer systems and local area networks (LANs). This spans computer security protocols such as password settings, as well as everyday tasks such as the proper handling, storage and disposal of customer information (Garratt & Keister, 2009).
Personnel should also be educated in state and federal mandates regarding security standards for financial institutions. Compliance with the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act can help reduce legal risks (Bilich, 2000). Employees who will work with sensitive information should complete mandatory training on such policies and guidelines. By offering personnel specialized education in these areas, McBride Financial Services will position them as a front-line defense in protecting customer information. The company must also adopt, communicate and enforce a zero-tolerance employee policy for non-compliance with such mandates, as well as for any fraudulent activity or ethical misconduct regarding financial records.