CIC Mortgage Credit, Inc.
Information Security Policy and Guideline
Effective security is a team effort involving the participation and support of every CIC Mortgage Credit, Inc (the “Company”) user and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines and policies, and to conduct their activities accordingly. The Company respects the privacy of the consumers whose information is contained in the credit histories and other products and services we offer to our customers. We are committed to protect the personal information we use.
The Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP are the property of CIC Mortgage Credit, Inc.. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of our normal operations.
The Company’s Management has approved this Policy and these Guidelines. It is your responsibility to fully understand your obligations and responsibilities under the Information Security Policy, these Guidelines and the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. (“FCRA”) and any other federal or state statutes which apply to the services and products we provide.
The purpose of this policy and these guidelines is to outline the Company’s Information Security Policy, the acceptable use of computer equipment and to establish the standards for the use of personally identifiable information used by the company, its employees or associates, service providers and subscribers. These rules are in place to protect the user, the Company, as well as the individuals whose personally identifiable information is being used. Inappropriate use or violation of these rules may expose the Company to risks, including virus attacks, compromise of network systems and services, damage to brand and reputation, and other legal risks. Inappropriate use or violations of these rules may also result in disciplinary actions being brought against the user, including termination of employment or other appropriate actions.
This policy applies to employees, contractors, consultants, temporaries, and other workers at the Company, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by the Company. This policy also applies to all devices that connect to the Company’s network.
This policy applies to information or data stored or shared via any means including electronic information, information on paper, and information shared verbally or visually (such as telephone, whiteboards and video conferencing). This policy requires specific behavior by users when dealing with personally identifiable or sensitive data.
This policy applies to our subscribers who are given access to credit information or other sensitive and personally identifiable consumer information, regardless of the source of such information.
The Company’s personnel are encouraged to use their best judgment in always protecting credit information and other sensitive and personally identifiable information such as Social Security numbers, credit card or other account numbers, drivers’ license numbers or other sensitive information. Appropriate protection may exceed the minimum required by this policy.
A. General Use and Ownership
1. Users should be aware that the data they create, for personal or business use, on the corporate network, remains the Company’s property. Because of the need to protect the Company’s network, management cannot guarantee the confidentiality of information stored on or transmitted through any network device belonging to the Company.
2. Any information that you consider sensitive or vulnerable should be encrypted.
3. For security and network maintenance purposes, authorized individuals within the Company may monitor equipment, systems and network traffic at any time.
4. The Company reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy and these guidelines.
5. Consumer information offered by or through the Company must be used appropriately and for specific purposes. Users will not obtain any credit or other consumer information on themselves or their associates, or any other person except in the exercise of their official duties.
6. Our subscribers can only use credit reports for the specific following conditions:
a. As a factor in establishing a consumer’s eligibility for a new or continued credit;
b. Collection of an account;
c. Insurance (for underwriting purposes ONLY);
d. To determine the eligibility for government license or benefit;
e. Employment purposes;
f. In connection with a legitimate business transaction involving the consumer.
7. The Company will ensure that its subscribers have a “permissible purpose” under the FCRA before ordering consumer report information. A permissible purpose includes the following:
a. The subscriber intends to use the information as a potential investor, servicer, or current insurer in connection with a valuation of, or assessment of, the credit or prepayment risks.
b. The subscriber has a legitimate business need in connection with a business transaction that is initiated by the consumer.
c. The subscriber intends to use the information in connection with written instructions of the consumer to whom it relates.
d. The subscriber intends to use the information in connection with a collection transaction involving the consumer for the collection of an account of the consumer.
e. The subscriber intends to use the information in response to an agency administering a state plan under Section 454 of the Social Security Act (42 U.S.C. 654) for use to set an initial or modified child support awarded.
f. The subscriber intends to use the information in accordance with written instructions of the consumer through a reseller.
g. The subscriber intends to use the information in response to a request by the head of a state or local child support enforcement agency (or a state or local government official authorized by the head of such an agency) that has met all requirements of Section 604(a) (4) (A, B, C, D).
h. The subscriber intends to use the information in connection with a credit transaction involving the consumer and for the extension of credit or review or collection of an account of the consumer.
i. The subscriber intends to use the information in connection with employment purposes.
j. The subscriber intends to use the information in connection with a determination of eligibility for a license or other benefit granted by a governmental instrument required by law to consider financial responsibility or status.
k. The subscriber intends to use the information in connection with the underwriting of insurance.
l. The subscriber intends to use the information in connection with the review of existing policy holders for insurance underwriting purposes.
m. The subscriber intends to use the information in connection with a legitimate business need to review an account to determine whether the consumer continues to meet the terms of the account.
n. The subscriber intends to use the information in response to the order of a court having jurisdiction or a subpoena issued by a federal grand jury.
o. The subscriber intends to use the information in connection with a tenant screen application involving the consumer.
p. The information will be used by a governmental agency pursuant to FCRA Section 608.
q. The subscriber intends to use the information to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.
r. The subscriber intends to use the information for required institutional risk control or for resolving consumer disputes or inquiries.
s. The subscriber intends to use the information in connection with holding a legal or beneficial interest relating to the consumer.
t. The subscriber intends to use the information for law enforcement agencies or for an investigation on a matter related to public safety.
u. The subscriber intends to effect, administer, or enforce a transaction to underwrite insurance at the consumer’s request, for reinsurance purposes or for the following purposes related to the consumer’s insurance: account administration, reporting, investigating, fraud prevention, premium payment processing, claim processing, benefit administration or research projects.
v. The subscriber intends to use the information in connection with persons acting in a fiduciary or representative capacity on behalf of, and with the consent of, the consumer.
w. The subscriber intends to use the information as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, including location for collection of a delinquent note.
x. The subscriber intends to use the information in conjunction with access to a commercial file on a sole proprietorship.
y. The subscriber intends to use the information in conjunction with access to a commercial file on a corporation, where specific consumer consent is given.
z. The subscriber intends to use the information in conjunction with a credit transaction involving the extension of credit to, or review or collection of an account of, the consumer, where the medical information to be furnished is relevant to process or effect the transaction, and specific consumer consent was provided for the furnishing of the consumer report that describes the use of the consumer report that describes the use of which the medical information will be furnished.
aa. The subscriber intends to use the information in conjunction for employment purposes, where the medical information to be furnished is relevant to process or effect the transaction, and specific consumer consent was provided for the furnishing of the consumer report that describes the use for which the medical information will be furnished.
bb. The subscriber intends to use the information in connection with the underwriting of insurance and specific consumer consent was given for the release of the medical information contained within the consumer report.
B. Security of Information
1. All devices connecting to the company’s network must comply with all appropriate policies and standards.
2. The user must take all necessary steps to prevent unauthorized access to the Company’s data, as well as to any personally identifiable or other sensitive information related to consumers or credit histories, or otherwise contained in any of the company’s products or services.
3. All passwords must be kept secure and may not be shared. Accounts may not be shared. Authorized users are responsible for the security of their passwords and accounts. System level passwords and user level passwords must be changed every ninety days.
4. All PCs, laptops and workstations must be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off when the device will be unattended.
5. Use of encryption must comply with the requirements of this policy and these Guidelines.
6. Every user assigned a company asset is responsible for ensuring the protection of that equipment while in their possession. This includes the use of computer lockdown cables and other security devices. Laptops left at the company overnight must be properly secured or placed in a locked drawer or cabinet. All theft of the Company’s assets must be promptly reported to the company.
7. All paper files containing sensitive or personally identifiable information shall be kept secure and not left on a desk or in an open file cabinet or drawer while unattended. All such paper files and documents left at the company overnight must be properly secured or placed in a locked drawer or cabinet. They shall not be left on desks overnight unless the desk is located in a room that can be securely locked. Sensitive information such as credit histories, Social Security numbers, drivers’ license numbers or similar information shall always be placed in a locked drawer or cabinet and shall never be left on desks overnight.
8. All devise used by the user that are connected to the Company’s network must use the most up-to-date anti-virus and anti-spyware software.
9. Users must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
10. Users may not load personal or unapproved software or other applications to any device connected to the Company’s network. Only software or applications approved and purchased by the company may be loaded on any device attached to the Company’s network.
C. Security of Information Systems
The following activities are, in general, prohibited. Users may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administrative staff may have needed to disable the network access of a device if that device is disrupting production services).
Under no circumstances is a user of the Company authorized to engage in any activity which is illegal under local, state, federal or international law while utilizing company-owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
The following activities are strictly prohibited:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed or owned by the company.
2. Unauthorized duplication of copyrighted material.
3. Intentional introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.)
4. Revealing your account password to others or allowing the use of your account by others. This includes family and other household members when work is being conducted at home.
5. Effecting security breaches or disruptions of network communications. Security breaches include, but are not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorized to access, unless these duties are within the scope of regular duties approved by the company. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
6. Port scanning or security scanning is expressly prohibited unless prior notification is given to the Company.
7. Executing any form of network monitoring which will intercept data not intended for the user’s device, unless this activity is a part of the user’s normal job/duty.
8. Circumventing user authentication or security of any device, network or account.
9. Escalating privileges or in any way circumventing the authorization restrictions imposed by a system.
10. Escalating privileges or in any way circumventing access restrictions that you have been given by the Company by an authorized individual.
11. Interfering with or denying service to any user other than the user’s device (for example, denial of service attack).
12. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet / Intranet / Extranet.
13. Providing information about, or lists of, the Company’s customers or subscribers to any parties outside the Company unless approved by the Company.
14. Providing consumer data, credit history information or other sensitive data to anyone outside the Company unless that party is an authorized customer or subscriber of the Company.
15. Interfering with, attempting to bypass, or disabling network and device security systems.
16. Accessing consumer data, credit histories or other sensitive information for personal purposes of any kind. This prohibition includes accessing your own personal consumer data or information or that related to an individual such as a friend, family member or acquaintance, or any other individual, for other than specifically permitted purposes authorized by the Company.
17. Continuing to use passwords or Company equipment or other devices connected to the Company network for any purpose after your access has been revoked or your employment with the Company has been terminated.
5.0 Access to Information
A. Access to information and resources is granted for business need only.
B. The ability to access a piece of information or personal data due to technical access controls (i.e., file rights) does not imply authorization for access
C. Technical access controls should be limited to authorized access (i.e., file access rights should match authorized use when practical).
D. Authorized access is ultimately determined by Mike Thomas, Trish Pendleton, William Meeker, and/or Eric Wimsatt.
E. All consumer information and other sensitive information must be physically maintained to minimize unintentional disclosure, alteration or loss:
1. Keep documents and information from unauthorized view.
2. Do not leave documents unattended on desks.
3. Store documents and media in locked drawers and cabinets.
4. Physically and screen-saver lock computers when not in use.
5. Protect all materials from loss or theft, and all other reasonable protections based on user’s best judgment/
6. Never share sensitive or confidential information with another individual (including a Company employee) unless you have previously verified that they are authorized and have a business need for access to the information.
7. Sensitive documents and confidential personal information should be properly destroyed when no longer needed. Proper destruction methods prevent simple recovery by electronic means such as “undelete” utilities or physical means such as “dumpster diving.” The Company and all employees shall comply with the FTC’s Final Rule on the Disposal of Consumer Report Information and Records, 16 CFR Part 682.
6.0 Employee Responsibilities
This section is an attempt to summarize some of the main responsibilities for employees. It is by no means complete, and each employee should refer to individual policies or to Management if they are unsure as to their responsibility in a particular area.
A. Each employee:
1. Shall be responsible for all computer transactions that are made with his/her User ID and password.
2. Shall not disclose passwords to each other. Passwords must be changed immediately if it is suspected that others may know them. Passwords should not be recorded where they may be easily obtained.
3. Will change passwords at least every 90 days.
4. Should use passwords that will not be easily guessed by others.
5. Should log out when leaving a computer for an extended period of time.
6. Storage media should be stored out of sight when not in use. If they contain sensitive or confidential data, they must be locked up.
7. Storage media should be kept away from environmental hazards such as heat, direct sunlight, and magnetic fields.
8. Critical computer equipment, e.g., file servers, must be protected by an uninterruptible power supply (UPS). A surge suppressor should protect other computer equipment.
9. Environmental hazards to hardware such as food, smoke, high or low humidity, or extreme heat or cold should be avoided.
10. Disconnections, modifications or relocation of the Company’s equipment is not to be performed by individual employees unless that is a part of their specific job duties. This does not apply to temporary moves of portable computers for which computer or contractor staff has set up an initial connection.
11. Employees should not take shared portable equipment such as laptop computers out of the office without the informed consent of their Manager. Informed consent means that the manager knows what equipment is leaving, what data is on it, and what purpose it will be used for outside of the office. Any data containing personal consumer information shall not be removed from the office for any reason.
12. Employees should exercise care to safeguard the valuable electronic equipment assigned to them. Employees who neglect this duty may be accountable for any loss or damage that may result.
B. Employees shall not:
1. Install software unless authorized by Management. Only software that is licensed to or owned by the Company is to be installed on the Company’s computers or equipment.
2. Copy software unless authorized by Management.
3. Download software unless authorized by Management.
C. Privacy: Certain individuals may have access to users’ private information. These individuals are required to protect the confidentiality and integrity of this information and may not disclose such information unless within the authorized performance of the individual’s duties.
D. Mike Thomas shall be responsible for the administration of access controls to all company computer systems. Mike Thomas, or his designee, will process adds, deletions, and changes upon the written request from the end user’s supervisor or Management. Deletions may be processed upon oral request prior to the reception of the written request. Mike Thomas will maintain a list of administrative access codes and passwords and keep this list in a secure area.
E. The confidentiality and integrity of data stored on the Company’s computer systems must be protected by access controls to ensure that only authorized employees have access. This access shall be restricted to only those capabilities that are appropriate to each employee’s specific job duties.
F. Mike Thomas shall maintain records of software licenses owned by the Company. Periodically (at least annually), Mike Thomas or his designee, shall survey or scan the Company’s computers to verify that only authorized software is installed.
G. Managers and supervisors should notify Mike Thomas whenever an employee leaves the company or changes job position so that his/her access can be revoked or changed as appropriate. Involuntary terminations must be reported concurrently with the termination.
Any employees found to have violated this policy or these Guidelines may be subject to disciplinary action, up to and including, termination of employment or by appropriate legal action. Any violation of this policy or these Guidelines by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with the Company and/or other appropriate legal action.
8.0 Security Assessments and Audits
A. Periodic assessments and/or audits of system security will be performed on a schedule to be determined by Management. These assessments and audits will include the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information
B. The assessment of the sufficiency of any safeguards in place to control these risks.
C. The risk assessment must include, at a minimum,: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions or other systems failures.
D. The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems and procedures.
E. The evaluation and adjustment of the information security program in light of the results of the testing and monitoring.
F. The evaluation and adjustment of the information security program in light of any material changes in operations or business arrangements.
G. The evaluation and adjustment of the information security program in light of any other circumstances known or which the Company has reason to know may have a material impact on the effectiveness of its information security program.
H. These assessments or audits will be performed as necessary, but at least once annually. The audits happen randomly each quarter.