550 likes | 648 Views
Stewart Policy Templates Part 3 “Your Compliance Quick Start”. June 25, 2013. Now Presenting Gloria Prinz.
E N D
Stewart Policy Templates Part 3“Your Compliance Quick Start” June 25, 2013 Now Presenting Gloria Prinz
The information provided in this webinar and any printed material is informational purposes only. None of the forms, materials or opinions is offered, or should be construed, as legal advice, accounting, tax, or other professional advice and services. As such, no information, forms, opinions and materials should be used as a substitute for consultation with professional accounting, tax, legal or other competent advisers. Communication of information by or through these means and your receipt or use of such information and forms is not to be construed as legal advice or to constitute an attorney-client relationship. You should not act or rely upon information or use the forms contained in these materials without specifically seeking competent professional advice. Additional resources that may be referenced in the following presentation or materials are offered merely as a convenience to participants with no guarantees made as to the applicability or validity of the third-party content. We do not take any responsibility for nor do we warrant the content, accuracy or timeliness of referenced websites, articles, books, events, etc.; nor do we endorse any commercial products that may be advertised or available on those sites. Stewart endeavors to comply with all applicable legal and ethical requirements when providing information to industry participants. Any questions or concerns regarding the information outlined in this disclaimer, presentation or materials should be directed to AgencyServices@stewart.com. Now Presenting Gloria Prinz
Today’s Speakers Now Presenting Gloria Prinz
Today’s Agenda Now Presenting Gloria Prinz
CFPB Update • Mark September on your calendar – Final Rule • Bureau coordinating with Federal regulators • Plain language guides and videos coming soon • “Readiness guides” with checklists and in-depth exams • Qualified Mortgage – January effective date Now Presenting Marvin Stone
Independent Agency Perspective • ALTA/MBA Roundtable Meeting on Best Practices held on June 4th • Consensus - ALTA Best Practices are an excellent start • Tiering of Independent Agencies by size • Self Assessment – Be Proactive • Turn time on getting title policy to lenders • Clean Desk Policy • Stewart Trusted Provider Success Stories Now Presenting George Houghton
Stewart Policy Templates Policies and procedures for your agency to customize and deploy for a compliance quick start 1. Account Management Policy 2. Acknowledgement 3. Anti-Virus Malware Policy 4. Application Security Policy 5. Backup and Media Retention Policy 6. Business Continuity Policy 7. Customer Complaint Form 8. Customer Complaint Policy 9. Data Retention Policy 10 External Audits Policy 11. Instant Messaging Policy 12. IT Security and Computer Usage Policy 13. Managing Exceptions Policy 14. Managing Exceptions Process 15. Mobile Devices Policy 16. Non-Public Information Security & Disposal Policy 17. Password Policy 18. Policy Exception Request Form 19. Privacy & Information Security Audit/Oversight Policy 20 Remote Access Policy 21 Security Incident Response Policy 22. Security Training and Awareness Policy 23. Social Media Policy 24. Standards of Conduct Policy 25. Title Insurance and Settlement Services Policy Now Presenting George Houghton
Account Management Policy Now Presenting Lisa Nelson-Morris
Account ManagementWhy is access control so important? • To keep your company’s information private and secure, best practices the following: • Always practice least privilege - Users should only have access to the information needed to perform their job duties • Discretionary access control (DAC) – Allows the owner of the resource (information/application) to determine which users should have access to specific information and/or applications • Role-based access control (RBAC) – roles of the associates are clearly defined along with the associated access levels required to perform job functions associated with each role Now Presenting Lisa Nelson-Morris
Account ManagementAccess Control is the #1 Audit Control • For your audit: • Have updated job descriptions on file • Have proof of manager’s approval for access • Conduct access reviews for financial applications at least annually • Ensure transferred employees are handled appropriately Now Presenting Lisa Nelson-Morris
Account Management“Keys to the Data Kingdom” Now Presenting Lisa Nelson-Morris
Account Management“Keys to the Data Kingdom” • Administrator Access • Elevated level of access above that of a normal user • Elevated or “Admin” access should be used only in the support of the business function (i.e. support of the business application and/or business process) • May support or maintain servers or computer systems • May perform programming or script development • May maintain databases or network infrastructure • May maintain web services • May maintain back up media services • Understand the risks associated – ALWAYS practice least privilege! Now Presenting Lisa Nelson-Morris
Account ManagementSeparation of Employment • One of the biggest security threats companies face is the terminated or disgruntled employee • Has the ability to inflict damage through • Knowledge of your inner office processes • Knowledge of your business functions • Knowledge of your applications • Knowledge of your business contacts • Knowledge of your staff & their personal information Now Presenting Lisa Nelson-Morris
Account Management Separation of Employment • Disallow employee access • Disallow employee access to computers or company files at point of termination • Disable user access to all business systems ASAP • Computer, network, data and remote access • Collect company devices: • Laptop, cell phones, iPads, etc. • Verify company information has been successfully removed from devices • Litigation Possibility? • Notify legal council for guidance • Notify IT department immediately to insure no critical data is lost Now Presenting Lisa Nelson-Morris
Account Management Wrap Up • Document policies & processes addressing: • Account authorization • Who approves required access levels for employees? • Administrator access requirements • Who needs it? • Why do they need it? • Transferring associates • Make sure the transferring associate only has access to what is needed to fulfill their NEW job duties; disable all other access • Terminations • Ensure user access is disabled in a timely manner • Ensure Admin access is disabled as quickly as possible Now Presenting Lisa Nelson-Morris
Mobile Device Policy Now Presenting Larry Lotspeich
Mobile Device Policy Now Presenting Larry Lotspeich
Mobile Risks • Mobile devices are • very personal • often shared with non-business associates • used more and more for business transactions • Are not always owned by you (BYOD) • Capabilities vary greatly per device • Mobile applications pose greatest risk Now Presenting Larry Lotspeich
Minimizing Risk With Mobile • Secure business data stored and transmitted • Require passwords and encryption where needed • Define data ownership • Lost and stolen devices will happen • Implement the ability to remote wipe sensitive data • Train associates to report lost devices • Standardize technology • Manage the device lifecycle • Provisioning • Transfer • Decomission Now Presenting Larry Lotspeich
Business Continuity Policy Now Presenting Lisa Nelson-Morris
Business Continuity PlanningWhy it’s important……. • Allows for the luxury of “pre-planning” for an event • Cuts down on confusion and panic • Provides detailed instructions as to what steps need to be taken and who is responsible for each step • Reduces your office downtime • Minimizing financial loss and customer confidence • Builds customer and stakeholder confidence • Ability to respond quickly and maintain control of business functions • Safeguards your company’s reputation Now Presenting Lisa Nelson-Morris
Business Continuity – Be Prepared!! Fire Flood Fire Flood Blizzard Hurricane Earthquake Now Presenting Lisa Nelson-Morris
Business Continuity PlanningAreas of Responsibility • Recovery Director • Responsible for overall implementation of BCP and providing direction to Lead(s) • Lead (alternate for Recovery Director) • Can be assigned to specific area(s) (i.e. accounting dept., closing dept., IT dept., etc) • Responsible for providing direction and communication to Alternate Lead and assigned areas • Member – all other employees Lisa Nelson-Morris Now Presenting Lisa Nelson-Morris
Business Continuity Planning Emergency Contact Information (All hands on deck!!!) • All office personnel • Home, mobile & alternate email address if available • All vendors/suppliers • Building maintenance • Office supplies • Leasing agent • All service providers • Police, fire, ambulance • Utility companies • Insurance carrier • Mail Service (USPS, FedEx, UPS Now Presenting Lisa Nelson-Morris
Business Continuity PlanningInformation Technology Recovery • Back Up Media • Should be stored off site or to a remote server • Key personnel should know where data is stored and have the ability to restore the systems quickly • Back Up Power • Generators • Fuel Availability • Best utilization of generator Now Presenting Lisa Nelson-Morris
Business Continuity PlanningAlternate Locations & Essential Equipment • Essential Equipment • Equipment vendor information • Laptops, desktops, applications, fax & printer, scanners & copiers, telephones, break room appliances, etc. • Office Supply vendor information • Alternate Locations • Another Local office • Hotel Conference Room Now Presenting Lisa Nelson-Morris
Business Continuity Planning – Wrap Up Your Plan Should Contain the Following: • Office Personnel Contact List • Possible Alternate Locations • or Property Leasing Agent Information • Communication Plans • Employees, Customers & Vendors/Service Providers • Critical Business Systems • Application requirements (admin, escrow, title, accounting, etc.) • RTO (Recovery Time Objective) – amount of time required to recover the system • RPO (Recovery Point Objective) – maximum amount of critical data that can be lost • Equipment requirements (computers, phones, printers, fax, scanners, etc.) Now Presenting Lisa Nelson-Morris
Business Continuity PlanningWrap Up • Vital Records • Hardcopy & Electronic • Client & Vendor List • Contact names • Contact phone • Contact Email • Services List • Emergency Responders (fire, police, ambulance) • Insurance Carriers and contacts • Building leasing and maintenance • Office Supplies, Computer Suppliers, Couriers, USPS • Phone Service Provider • Utilities Provider Now Presenting Lisa Nelson-Morris
Business Continuity PlanningWrap Up Train your employees on “the plan” • All employees should “know” the plan • Understand their role • Understand their responsibilities • Know where to find the plan • Re-train existing employees annually at a minimum • Train in-coming employees • Review “the plan” • Outdated plans are useless • much like having an outdated insurance policy • Review your plan annually at a minimum • Business functions change; your plan will also change Now Presenting Lisa Nelson-Morris
Business Continuity PlanningWrap Up Stewart University • Business Continuity Plan Template • Business Continuity Preparation & Response Plan Now Presenting Lisa Nelson-Morris
Instant Messaging Policy Now Presenting Larry Lotspeich
Instant Messaging Policy Now Presenting Larry Lotspeich
Controlling Business Communications • IM is a communication channel for your business • Insecure IM can be intercepted by 3rd parties • IM can be used to leak sensitive business information • IM can bring in malicious files and internet links Now Presenting Larry Lotspeich
Making IM Productive • Define and communicate acceptable use • Business use versus personal use • Define your technology requirements • What IM clients are supported / allowed? • Is encryption required between internal clients? • Is encryption required for external IM connectivity? • Define your audit requirements • Do you need to retain IM conversation records? • For how long? • Who can access the IM logs? • Who has to approve requests to view logs? Now Presenting Larry Lotspeich
Social Media Policy Now Presenting Larry Lotspeich
Social Media Policy Now Presenting Larry Lotspeich
Today’s Workplace • Generation Y workers • Grew up with technology • Prefers to interface electronically • Used to documenting everything they do online • Often does not correlate the risks with sharing • Business wants to be socially adaptive • Employees can help or hurt brand • Employees need to know boundaries Now Presenting Larry Lotspeich
Social Guidelines • Define what social media is • Give examples of popular services • Define professional vs. personal use • Define reasonable personal use • Acceptable sites and time spent • Define acceptable standards of conduct Now Presenting Larry Lotspeich
Process License Agreement • Log onto Stewart’s CFPB website • Download license agreement • Complete and sign • Scan to .pdf Now Presenting Rebecca Dodds
Process License Agreement Submit License Agreement • Email to agencyservices@stewart.com • Attach .pdf of signed agreement • Agency Services processes agreement Now Presenting Rebecca Dodds
Process License Agreement Submit License Agreement Obtain Templates • New licensees: • Watch for email from Stewart University • Log onto Stewart University • Launch Policy Template course • Download templates from Attachments Now Presenting Rebecca Dodds
Obtain Templates • Existing licensees: • Log onto Stewart University • Click Completed Tab • Launch Policy Template course • Download new templates Now Presenting Rebecca Dodds
Now Presenting Rebecca Dodds
Now Presenting Rebecca Dodds
Now Presenting Rebecca Dodds
Now Presenting Rebecca Dodds
Now Presenting Rebecca Dodds
Now Presenting Rebecca Dodds
Now Presenting Rebecca Dodds
Now Presenting Rebecca Dodds