MBA white paper addresses basic online security fixes.
As concern about protection of personal information escalates, and
as the statutory and regulatory compliance landscape becomes more
complex, look for the demand on an organization's
information-security program to intensify, according to a white paper
published by the Mortgage Bankers Association (MBA).
The MBA Residential Technology Steering Committee (ResTech) paper,
Basic Components of an Information Security Program, addresses basic
security components that should be present in any financial
services-related information-security program, explained Robert E. Story
Jr., CMB, MBA's vice chair and chairman of MBA's Board of
Directors Technology Steering Committee (BoDTech).
"As industry information security continues to develop
rapidly, MBA feels it is critical to define a minimum set of objectives
that small and midsized organizations can meet in order to execute an
effective information-security program," said Story. "This
concise and business-oriented approach will help organizations with
limited resources achieve successful information-security
practices."
The paper outlines common risks and mitigation approaches,
specifically for small to midsized lenders, to help them secure
sensitive and confidential customer information while complying with an
ever-increasing number of related statutes and regulations.
"Regulators across all jurisdictions have issued guidance
about protecting information, and made multiple audit requirements for
it," the paper noted. "The unfortunate trend is for more
regulation, not less."
The paper identifies eight major components of an
information-security program:
* Acceptable use policy
* User access controls
* Physical security
* Personnel security
* Business continuity planning
* Compliance
* Third-party provider management
* Technology security
While the most difficult and expensive part of any risk-mitigation
program is likely the implementation of technology to effectively
execute information-security policies, the MBA paper recommends that
companies establish a team or teams to represent business functions to
ensure full implementation.
"Security is not the sole domain of IT [information
technology]; it is the responsibility of the whole organization,"
stated the paper. "It is important to create a culture in which
your personnel are both educated and actively involved in reducing the
risks to your organization."
COPYRIGHT 2008 Mortgage Bankers Association of America. Reproduced with
permission of the copyright holder. Further reproduction or distribution
is prohibited without permission.