IT Security Controls

April 14, 2022 BY MQMR Blogger



What are a few vital IT Security controls that a mortgage lender should implement and perform an internal audit to test the controls are functioning properly?



Now, more than ever, the prevention of data breaches and data loss is vital to any organization. From the all-too-common grasp of ransomware (when a hacker encrypts a company’s business data for a monetary ransom), to the lack of appropriate IT controls and vendors, business critical data is clearly susceptible to risk.


To best avoid exposing a company’s critical business data to risks, start with implementing these important prevention steps:

  • Up-to-date and Reputable Anti-Malware Software
    • Ensure that all business assets have reputable, and up-to-date, anti-malware solutions installed and managed across the organization.
    • All assets should be remotely monitorable and regularly scanned for malware
  • Install the Latest Operating System Updates
    • Ensure that all assets are scheduled to install the latest security patches from their respective vendors, especially for operating systems. To go a step further, have a test group of workstations that receive the patches first, in order to rule out any incompatible patches before installing them on all assets.
    • Ensure that patch management for all assets can be remotely monitored, so that any assets without patches can be identified and addressed
  • Clean Desk Policies
    • Ensure that staff members are not writing down their network credentials (user name and passwords) on post-it notes at their desks.
    • If employees choose (or are allowed) to print materials for use in their home office, said materials must be secured and/or destroyed in accordance with established company guidelines to protect company data and/or any PII, NPI contained within those materials.
  • Off-site Data Redundancy
    • Ensure that critical business data is backed up to an offsite location, whether that be to a reputable cloud-based storage solution, or to a redundant, secondary site.
  • Change Management
    • Ensure that all production assets have the necessary change management tickets and approvals for any reboots, patching, upgrades, changes, or replacements.
  • Create and Update Policies and Procedures
    • Having an up-to-date Disaster Recovery/Business Continuity Plan, Acceptable Usage Policy, and other Policies and Procedures could make or break a business when itcomes to recovering from a disaster or preventing one. Create formal policies, update them regularly, and test them to ensure they are functioning properly.
    • Be sure to communicate any updates made to these documents as it relates to a remote work environment to employees, especially those that impact day-to-day operations, and provide additional training when and where necessary. Simply posting updated copies of these materials to a company intranet is not enough to ensure these materials have been received and understood.
  • Seek Reputable Vendors
    • Ensure all your vendors have the appropriate IT Security implementations in place.  Ask your vendors the necessary questions and request evidence to determine how robust their IT Security is.
  • Assets
    • Ensure all company assets (laptops, phones, tablets), which contain company or consumer data, are tagged and encrypted.
    • Force password changes at a frequent basis (minimum every 90 days).
    • Force lock computers when idle for a certain time period.
    • Remove local admin rights so that employees cannot install software without IT staff intervention.
    • Implement two-factor authentication.
  • Use encryption for in transit and at rest.
  • Train Staff
    • Train staff on the importance of phishing, ransomware, and IT security awareness. Basics, such as locking the computer when away, not leaving laptops in plain view in a parked car, and propping doors that may invite unsupervised visitors, are just a few commonsense reminders to train staff.
    • Keep employees informed of new discoveries and helpful awareness tactics, including the prevalence of scams related to COVID-19 or recent headline news.
    • For lenders and title/settlement providers, reinforce adherence to standard wire transfer protocols to protect against fraud.


One can never be too secure but starting with the shortlist above is a great step in the right direction.


Worried you've missed one of these best practices and might get hacked or need someone to perform an internal audit on your IT controls? Reach out to MQMR to schedule an IT audit and keep the bad actors at bay!