User identification and authentication

All users must have a unique user identification (ID) and adhere to strong password requirements. Multi-factor authentication (MFA) will be enforced for accessing sensitive systems and data.

User account management

User account creation, modification, and removal should follow defined procedures. Access privileges will be granted based on job requirements, and access permissions will be reviewed regularly.

Least privilege

Users will be granted only the minimum necessary access rights to perform their job functions.

Secure remote access

Remote access to the company’s systems and networks should be authorized and protected through secure Virtual Private Network (VPN) connections or other approved methods. Remote access users must adhere to the same security policies and controls as on-site users.

Mobile device usage

Users accessing company resources through mobile devices must comply with the Mobile Device Security Policy, which includes password protection, encryption, and remote wipe capabilities.

Data classification

Data should be categorized based on its sensitivity and criticality. Access to data should be restricted to authorized individuals with a legitimate business need.

Data handling and protection

Users should follow defined procedures for handling, storing, transmitting, and disposing of data. Encryption mechanisms should be employed when deemed necessary to protect sensitive information.

Lawful and ethical use

All users must use the company’s information systems, networks, and resources in a lawful, ethical, and responsible manner. Users should comply with applicable laws, regulations, and internal policies.

Email usage

Users should use company-provided email accounts for business purposes only.

Internet usage

Internet access is provided for business-related activities. Users must not engage in internet usage that may compromise network security.

Compliance monitoring

The company reserves the right to monitor, log, and review user activities on its information systems, networks, and resources.

Incident reporting

All security incidents, including breaches, thefts, or unauthorized access, should be reported immediately to the designated responsible parties within the title company.

Incident response

A documented incident response plan should be in place to guide employees on how to respond to security incidents promptly. The plan should include procedures for containment, investigation, communication, and recovery.

Lessons learned

After resolving a security incident, a thorough investigation should be conducted to identify root causes, implement corrective actions, and learn from the incident to prevent future occurrences.

Restricted access areas

Access to sensitive areas, including offices, server rooms, document storage areas, and data centers, should be restricted to authorized personnel only.

Visitor access

Visitors must sign in, provide valid identification, and be escorted at all times while on the premises. Visitor access should be limited to designated areas and revoked upon departure.

Employee identification badges

All employees should be issued and required to wear identification badges prominently displayed while on company premises. Lost or stolen badges must be reported immediately.

Locking Mechanisms

All entry points, including doors, windows, and other openings, should be equipped with secure locking mechanisms, such as deadbolts, access control systems, or electronic locks.

Intrusion detection systems

Alarm systems should be installed to detect unauthorized access attempts. Alarms should be tested regularly and promptly repaired in case of malfunctions.

Alarm monitoring

Alarm systems should be connected to a central monitoring station or a designated responsible party who will receive alerts and take appropriate actions.

Key issuance

Keys should be issued only to authorized personnel and should be properly recorded. Each keyholder should sign an agreement acknowledging their responsibility for the keys.

Key storage

Keys should be stored securely in designated key cabinets or locked drawers when not in use. Key access should be restricted to authorized personnel.

Lost or stolen keys

Lost or stolen keys must be reported immediately. An investigation should be conducted, and locks may be changed or rekeyed as necessary.

Lawful and ethical use

All users must use the company’s information systems, networks, and resources in a lawful, ethical, and responsible manner. Users should comply with applicable laws, regulations, and internal policies.

Email usage

Users should use company-provided email accounts for business purposes only.

Internet usage

Internet access is provided for business-related activities. Users must not engage in internet usage that may compromise network security.

Compliance monitoring

The company reserves the right to monitor, log, and review user activities on its information systems, networks, and resources.

Incident reporting

All security incidents, including breaches, thefts, or unauthorized access, should be reported immediately to the designated responsible parties within the title company.

Incident response

A documented incident response plan should be in place to guide employees on how to respond to security incidents promptly. The plan should include procedures for containment, investigation, communication, and recovery.

Lessons learned

After resolving a security incident, a thorough investigation should be conducted to identify root causes, implement corrective actions, and learn from the incident to prevent future occurrences.

Equipment and asset register

An inventory management system should be implemented to track all company-owned equipment, including computers, servers, laptops, and mobile devices. The register should include information such as make, model, serial numbers, and assigned employees.

Asset protection

Physical security measures, such as cable locks, lockable cabinets, and secure storage areas, should be implemented to protect valuable assets from theft or unauthorized access.

Equipment disposal

Procedures for proper disposal of equipment should be established to prevent data breaches. Data-containing devices should be securely wiped or destroyed following industry-recognized standards.

Document classification

Documents should be categorized based on their sensitivity and confidentiality. Access to classified documents should be restricted to authorized personnel only.

Secure storage

Sensitive documents should be stored in locked cabinets or rooms with limited access. Additional security measures, such as video surveillance, may be implemented as deemed necessary.

Document disposal

Procedures for document disposal, including shredding or secure destruction, should be implemented to prevent unauthorized access or information leakage. A designated individual or service provider should handle document disposal.

Vendor risk assessment

A risk assessment should be conducted to evaluate the potential impact of a vendor on the title company’s information security. Factors to consider during this assessment include: the sensitivity of data they will handle, their security practices, reputation, financial stability, and regulatory compliance.

Vendor security requirements

Vendors must meet the minimum security requirements as defined by the title company. This includes implementing appropriate safeguards to protect data, maintaining security incident response capabilities, and complying with relevant laws and regulations.

Data protection and confidentiality

Vendor contracts should include provisions ensuring the protection of the title company's data and maintaining its confidentiality. This includes restrictions on data use, disclosure, and retention, as well as requirements for secure data handling and proper disposal.

Compliance and auditing

Vendors should be contractually obligated to comply with applicable laws, regulations, and industry standards. Access and audit rights should be granted to the title company to assess and verify the vendor's compliance with security requirements.

Subcontractor management

Vendors should notify the title company of any subcontractors involved in delivering services. Subcontractors must meet the same security and compliance standards as the primary vendor, and appropriate contractual provisions should be in place to ensure their adherence.

Security reviews and audits

Periodic security reviews and audits should be conducted to assess the vendor's ongoing compliance with security requirements. This may include reviewing their policies, procedures, security incident response capabilities, and conducting on-site assessments if necessary.

Incident reporting

Vendors should promptly report any security incidents or breaches that may impact the title company's data or systems. The incident reporting process and timeline should be specified in the vendor contract.

Vendor performance evaluation

The vendor’s performance should be regularly evaluated based on defined metrics and criteria. Feedback and concerns should be documented and addressed with the vendor to drive improvement and maintain a productive working relationship.

Contract renewal and termination

Vendor contracts should have defined renewal and termination provisions. Contracts should be reviewed and renewed based on the vendor's continued adherence to security requirements. Non-compliance or repeated incidents may result in contract termination.

Vendor documentation

All vendor-related documentation, including contracts, questionnaires, audit reports, and correspondence, should be properly maintained and accessible for review.

Incident tracking

Incidents involving vendors, including breaches, compromises, or unauthorized access, should be documented, investigated, and appropriately resolved. Lessons learned from incidents should be recorded for continuous improvement.

Employee education

Employees involved in vendor management processes should receive appropriate training on vendor selection, security requirements, contract management, and ongoing monitoring to ensure consistent adherence to this policy.

Vendor communication

Clear communication channels should be established with vendors to provide them with relevant security guidelines, updates, and ensure their understanding of their responsibilities in safeguarding the title company's data.

Incident response team

An incident response team should be designated and composed of individuals with specific roles and responsibilities related to incident response. The incident response team should be responsible for overseeing and coordinating incident response activities.

Incident response coordinator

The incident response coordinator is responsible for overall coordination and management of the incident response process. They should oversee the incident response team, ensure timely response and resolution, and act as the primary point of contact for incident reporting.

IT security analysts

IT Security Analysts should be responsible for conducting investigations, analyzing incidents, and providing technical expertise in identifying the root cause, containing the incident, and restoring normal operations.

Communications lead

The Communications Lead should be responsible for managing internal and external communications during a security incident. They should coordinate communication efforts to stakeholders, including employees, clients, regulatory authorities, and law enforcement agencies, as necessary.

Legal counsel

Legal Counsel should provide guidance on legal and compliance matters related to the incident, including data breach notification requirements, liaising with law enforcement agencies, and managing potential legal actions.

Incident identification

Employees should be trained to identify and report any suspicious activities or security incidents promptly to the Incident Response Coordinator or designated contact.

Incident reporting channels

Establish and communicate multiple incident reporting channels, such as a dedicated incident response email address or hotline, to ensure incidents can be reported quickly and efficiently.

Internal communication

Internal communication channels should be established to inform employees about the incident, provide updates on the incident response progress, and communicate any necessary actions or precautions.

External communication

The Communications Lead should coordinate external communication efforts, including notifying affected clients, regulatory authorities, and other relevant stakeholders in accordance with applicable laws and regulations.

Media and Public Relations

The Communications Lead should be responsible for managing media inquiries and public relations efforts, ensuring consistent and accurate messaging.

Plan testing

The Incident Response Plan should be regularly tested through tabletop exercises and simulated incident scenarios to evaluate its effectiveness and identify areas for improvement.

Plan maintenance

The Incident Response Plan should be reviewed and updated regularly to incorporate changes in technology, systems, personnel, or regulatory requirements. Changes and updates to the plan should be communicated to relevant stakeholders and employees.

Risk Assessment

Conduct a thorough risk assessment to identify potential hazards and threats that could disrupt business operations. Consider both natural and man-made disasters, such as fires, floods, power outages, cyber-attacks, and equipment failures.

Business Impact Analysis

Perform a BIA to determine the potential impact of a disruptive event on critical business functions, systems, and processes. Identify recovery time objectives and recovery point objectives for each critical function.

Recovery Priorities

Define the order of recovery for critical business functions, systems, and processes based on their importance to the organization and the potential impact of their unavailability.

Alternate Site

Identify an alternate site or facility where critical operations can be resumed in the event of a disaster. Ensure the site has the necessary infrastructure, equipment, and resources to support business operations.

Data Backup and Recovery

Establish a robust data backup and recovery strategy to ensure the availability and integrity of critical data. Define backup schedules, retention periods, and procedures for offsite storage. Regularly test data restoration procedures to validate their effectiveness.

System and Application Recovery

Develop a plan for the recovery of essential systems and applications. Document the necessary steps, procedures, and configurations required to restore systems to a functional state.

Communication and Notification

Establish communication and notification protocols to keep employees, clients, and stakeholders informed during a disaster or disruptive event. Designate primary and alternate communication channels for internal and external communication.

Disaster Recovery Coordinator

Appoint a Disaster Recovery Coordinator who will be responsible for overseeing the implementation of the DRP, coordinating recovery efforts, and liaising with stakeholders and management.

Recovery Teams

Formulate recovery teams with assigned roles and responsibilities for executing recovery procedures. Roles may include IT recovery team, facilities team, communications team, and operations team.

Testing

Conduct regular testing and exercises of the DRP to validate its effectiveness and identify areas for improvement. Test the recovery procedures, communication protocols, and coordination between teams.

Plan Maintenance

Review and update the DRP regularly to reflect changes in systems, processes, personnel, or business requirements. Ensure that contact information, procedures, and recovery strategies are up-to-date.

Employee Training

Provide training to employees on their roles and responsibilities during a disaster or disruptive event. Conduct drills and simulations to familiarize employees with the DRP and their specific tasks.

Documentation and Accessibility

Ensure that the DRP is documented, readily accessible, and known to all relevant employees. Provide easy access to the DRP, including contact information, recovery procedures, and instructions.

Incident Response Procedures

Outline the procedures for activating the DRP in the event of a disaster or disruptive event. Define the roles and responsibilities of the Incident Response Team, including communication, initial assessment, and activation of recovery procedures.

Recovery Process

Detail the step-by-step recovery process, including system restoration, data recovery, testing, and verification of critical business functions. Provide clear instructions and timelines for each phase of the recovery process.

Change request

All changes must be submitted through a formal change request process.

Change identification

Identify the need for a change and document it in a Change Request form. Include details such as the nature of the change, its impact, and the expected benefits.

Change evaluation

Evaluate the change request to assess its feasibility, risks, and impact on business operations, security, and compliance. Consider factors such as resource requirements, potential conflicts with existing systems or processes, and any regulatory or legal implications.

Change approval

Obtain appropriate approval for the change request based on established criteria and designated approvers. Approval may be required from IT management, business stakeholders, or a designated Change Advisory Board (CAB).

Change planning

Once the change is approved, develop a detailed change plan that includes the necessary steps, resources, timelines, and contingencies. Document the change plan to ensure clear communication and understanding of the proposed changes.

Change implementation

Implement the approved change following the documented change plan. Adhere to any necessary testing, rollback, or validation procedures to ensure the integrity and stability of systems and processes.

Change review and closure

After the change is implemented, conduct a review to assess its success and ensure the desired outcomes are achieved. Document the results of the review and formally close the change request.

Change owner

The Change Owner is responsible for initiating the change request, providing necessary information, and coordinating the change process. They are accountable for ensuring the successful implementation of the change and its alignment with business objectives.

Change manager

The Change Manager oversees the entire change management process, including change evaluation, planning, coordination, and communication. They ensure that changes are executed in accordance with this policy and that appropriate approvals and documentation are obtained.

Change Advisory Board (CAB)

The Change Advisory Board comprises representatives from relevant departments or business units. The CAB reviews and approves changes based on their impact, risks, and alignment with business objectives. They provide guidance and recommendations for change implementation.

IT and Operations teams

The IT and Operations teams play a critical role in executing changes, conducting necessary testing, implementing changes in production environments, and ensuring minimal disruption to business operations.

Change communication

Effective communication is crucial throughout the change management process. Ensure that relevant stakeholders are kept informed of upcoming changes, their impact, and any necessary actions or precautions.

Change documentation

Maintain accurate and up-to-date documentation of all change requests, approvals, plans, implementation details, and reviews. This documentation should be readily accessible and include information that allows for traceability and accountability.

Employee training

Provide training to employees involved in the change management process. Ensure that they understand their roles and responsibilities, as well as the policies and procedures related to change management.

Change management awareness

Promote awareness of the change management process throughout the organization. Conduct regular communication and training sessions to educate employees about the importance of change management and their role in ensuring its success.

Compliance

All changes must comply with relevant legal, regulatory, and industry requirements. Ensure that changes are evaluated and implemented in a manner that maintains the integrity, security, and privacy of the title company's systems and data.

Policy Review

Regularly review and update this Change Management Policy to reflect changes in technology, industry best practices, or business requirements. Document any policy changes and communicate them to relevant stakeholders and employees.

Initial training

All new employees must receive comprehensive security awareness training during their onboarding process. This training should cover essential topics such as the importance of information security, common threats and risks, and basic security practices.

Ongoing training

Regularly provide refresher training sessions to reinforce knowledge and update employees on new threats, emerging trends, and changes in policies or procedures. Conduct these sessions at least annually or as deemed necessary based on changes in the information security landscape.

Policy awareness

Ensure that all employees are aware of and understand the title company's information security policies and procedures. Provide training sessions or materials that clearly explain each policy, its purpose, and the expected behavior or actions of employees.

Policy updates

Regularly communicate updates or revisions to policies and procedures to employees. Conduct training sessions or provide informative materials to ensure that employees are aware of the changes and understand their implications.

Training on phishing and social engineering

Educate employees about the risks associated with phishing emails, social engineering attacks, and other forms of cyber deception. Train them to recognize and report suspicious emails, phone calls, or other attempts to gain unauthorized access to sensitive information.

Data classification and handling

Train employees on the classification of data based on sensitivity and importance. Provide guidelines on how to handle different types of data, including NPI, financial data, and confidential business information.

Privacy regulations

Ensure that employees are aware of applicable privacy regulations, such as GDPR or CCPA, and understand their responsibilities in protecting personal data. Provide specific guidance on data access, sharing, storage, and disposal to ensure compliance with these regulations.

Password best practices

Educate employees on strong password creation, regular password updates, and the importance of not sharing passwords or using the same password for multiple accounts. Provide tips on creating complex passwords and using password management tools.

Multi-Factor Authentication (MFA)

Train employees on the benefits and usage of MFA for accessing company systems or applications. Encourage employees to enable MFA for their accounts to enhance security.

Incident reporting procedures

Clearly communicate the procedures for reporting security incidents, such as data breaches, suspicious activities, or lost/stolen devices. Train employees on the appropriate channels and contacts for reporting incidents promptly.

Whistleblower protection

Inform employees about whistleblower protections and emphasize the importance of reporting any security concerns or violations without fear of retaliation.

Regular communication

Maintain open and regular communication channels to keep employees informed about information security updates, emerging threats, and best practices. Utilize newsletters, emails, or internal messaging platforms to share relevant information.

Awareness campaigns

Organize awareness campaigns or events, such as security-themed contests, posters, or training sessions, to engage employees and reinforce key security messages. These campaigns can be designed to promote a fun and interactive learning environment.

Employee compliance

Regularly monitor and assess employee compliance with information security policies and procedures. Conduct audits, assessments, or spot-checks to ensure adherence to security practices and identify areas for improvement.

Training effectiveness

Measure the effectiveness of the training program through assessments, quizzes, or surveys to gauge employees' knowledge and understanding of information security topics. Use the results to refine and enhance the training program as needed.

Compliance

Ensure that the Employee Awareness and Training Program aligns with relevant legal, regulatory, and industry requirements. Regularly review and update the program to reflect changes in technology, security threats, or organizational needs.

Program Evaluation

Periodically evaluate the effectiveness of the Employee Awareness and Training Program through feedback from employees, incident reports, or security metrics. Use the evaluation results to make improvements and ensure the program remains relevant and impactful.