Brandywine Mortgage Internet IT Policy & Security Plan

It is understood that no security plan is foolproof. However, individual due diligence will help us approach a risk-limited environment.

Computer usage is restricted to authorized personnel (users) or persons directly supervised by authorized personnel.

In order for personnel to become authorized, they must complete a basic course in Internet Security that has been approved by the Security Team.

Users include the Brandywine Mortgage staff and the Security Team.

Users are responsible for the security of their personal computer and should follow the "security guidelines".

  1. Network Inventories
    1. Network "A" (Intranet) Inventory
      The "A" network's purpose is to facilitate the mortgage processing and approval process, while limiting the amount of customer data that is at risk. Access to and from these machines will be rigidly controlled by the firewall.
      Network "A" consists of:
      1. Windows Workstations
      2. Web Browser(s)
      3. SCP Access to Linux File Server
      4. Word Processing
      5. Mortgage Processing Programs (e.g. Contour)
      6. Anti-virus software
      7. Printers
      8. Other software as approved by Security Team
      9. Battery Back-Up Power Supplies

    2. Network "B" (Internet) Inventory
      The "B" network, which is assumed insecure, houses machines that are exposed to potentially harmful content. These machines may, for instance, have web browsers with ActiveX turned on, and will be used to read e-mail. Access to and from these machines will be rigidly controlled by the firewall.
      Network "B" consists of:
      1. Windows Workstations
      2. Web Browser(s)
      3. SCP Access to Linux File Server
      4. E-mail
      5. Anti-Virus Software
      6. Printers
      7. Other software as approved by Security Team
      8. Battery Back-Up Power Supplies

  2. Web Browsing
    1. Network "A" web browsing is to be limited to applicable mortgage processing websites, such as FNMA, FMAC and MOAI, which are part of the processing, approval and underwriting process. The web browsers are configured to allow some types of "mobile code" and disallow others. "Mobile code" goes by names such as Cookies, Java, JavaScript, ActiveX, active WebPages, Active Server Pages, Flash, Shockwave, NetObjects, Fusion, ICat Commerce, IRC, IRQ, Chat, and others. Since "mobile code" bypasses the protection of the firewall, we must limit the number of sites we visit and monitor those we use regularly, so that productivity is maximized. It should also be noted that disabling some types of "mobile code" in our web browsers may cause some websites to not function properly.

    2. Network "B" web browsing is to be used to visit mortgage processing related websites, such as appraisals, interest rates, flood certs, credit reports, and bond and stock market tickers and charts. It is also to be used for real estate sales and marketing and may also be used for personal web browsing. A separate browser is configured for personal use so as to limit our risk.

    ** If a website is not functioning properly, or a new website needs to be introduced into the approval/underwriting process, please notify the security team immediately. **

  3. File Sharing (Transfer), Storage, Naming and Data Movement
    1. All file sharing between individuals is done using SCP (secure copy protocol) and the appropriate user accounts on the file server.
      1. Customer data should only be available on a Windows OS on the "A" network when being actively worked on. Customer data should never be available on the "B" network.
      2. All files should be "moved", not "copied", from the "A" network to the appropriate directory on the file server when done being worked on, or if loan status is inactive, withdrawn, or pending an agreement of sale.

    2. Data movement between the "A" network, the "B" network and the file server is done for the following reasons, with the appropriate steps taken.
      1. Loan processing related data uploaded from "A" network to file server
        1. Customer files
        2. Supporting documents, letters, etc.

      2. Loan processing related data moving from "B" to "A" network
        1. Virus scanned before leaving "B" network
        2. Upload to file server, download on "A" network

    3. The file server is also used by loan officers in the field to access documents for review. Files should be uploaded to the appropriate directory and the loan officer notified by e-mail of the file name and location.
    4. Naming of customer files is generally dictated by the processing software, but when necessary an identifying extension will be used to separate two customers with the same first initial and last name.
    5. Passwords to file server accounts should never be written down or e-mailed, no exceptions.
    6. Access logs are monitored constantly by the security team.

    ** All users should be aware that any abnormal occurrences must be reported to the Security Team immediately. **
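    The following POSIX shell script is an added example, not part of the original policy or any tool it mentions: it carries out the "move, not copy" transfer of 3.1.2 and 3.2.2 (scan before leaving the workstation, upload, verify, and only then delete the local copy) and refuses the attachment types named in 4.2. The scanner (clamscan) and copy command (scp) are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not part of the Brandywine policy or its tools): the
# "move, not copy" transfer from a workstation to the file server.
# Assumed tools: a scanner (default clamscan) and a copy command (default
# scp); both are overridable so the logic can be exercised on local paths.

SCAN_CMD="${SCAN_CMD:-clamscan --no-summary --infected}"
COPY_CMD="${COPY_CMD:-scp -q}"

# The executable types section 4.2 says must never leave the download floppy.
blocked_extension() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.exe|*.scr|*.vbs|*.pif) return 0 ;;
        *) return 1 ;;
    esac
}

# CRC and size of a file, local ("path") or on the server ("host:path"),
# via POSIX cksum, so a partial upload is not mistaken for a complete one.
file_cksum() {
    case "$1" in
        *:*) ssh "${1%%:*}" "cksum < '${1#*:}'" ;;
        *)   cksum < "$1" ;;
    esac
}

# move_to_fileserver SRC DEST
#   1 refuse blocked types  2 scan SRC  3 copy SRC to DEST
#   4 confirm DEST matches SRC  5 only then delete SRC, so no copy lingers
# Exit codes: 0 moved, 2 blocked, 3 scan failed, 4 copy failed, 5 mismatch.
move_to_fileserver() {
    src="$1"; dest="$2"
    if blocked_extension "$src"; then
        echo "refused: $src has a blocked extension" >&2; return 2
    fi
    if ! $SCAN_CMD "$src" >/dev/null 2>&1; then
        echo "refused: scanner reported $src infected (or failed)" >&2; return 3
    fi
    $COPY_CMD "$src" "$dest" || return 4
    if [ "$(file_cksum "$src")" != "$(file_cksum "$dest")" ]; then
        echo "upload of $src did not verify; local copy kept" >&2; return 5
    fi
    rm -f -- "$src"
}
```

    Run as `move_to_fileserver smith.loan fileserver:/loans/active/smith.loan`; a non-zero exit leaves the local file in place for the Security Team to look at.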

  4. E-mail
    1. E-mail is to be done only on the "B" network. E-mail is for corporate purposes only and is not to be used to send jokes or other questionable or non-business related content. Appropriate user discretion is expected.

    2. Avoid accepting attachments in e-mail messages. Any incoming attachments should be downloaded to a floppy disk and scanned for viruses. This must be done prior to moving file(s) to any computer's hard drive or the file server.

      ** If you have received an attachment unexpectedly, and cannot identify the sender or the apparent sender says they did not send the message, then it is most likely a virus. Never allow an .exe, .scr, .vbs, or .pif file to leave the download floppy; instead, throw the floppy disk away. **

    3. Ask people to copy and paste text into the body of an e-mail instead of sending Microsoft Word documents when possible.

    4. Do not ever e-mail any user names, passwords, or URLs containing "http://".

    5. A Secure Shell (SSH) may be used, on a limited basis, to delete suspect mail when there is suspicion of the presence of viruses, trojans, or other malware. The Security Team will decide when and if this is appropriate.
    6. E-mail backups should be made regularly to each user's home directory. It is recommended that this happen at least quarterly.

  5. Virus Scanning and Preventive Measures
    1. It is understood that no virus protection is 100% assured.
    2. It is also understood that a firewall is not protection against viruses, and no satisfactory firewall-based method of virus protection has been developed.
    3. Hard drives on both networks should be examined for viruses on a daily basis. Scanning as needed is required when e-mail attachments are being handled.
    4. All data should be virus scanned prior to leaving the "B" network, before touching the file server or any machines on the "A" network.
    5. Avoid allowing any outside floppy disks into your computer.
    6. Floppies should never be taken home, or brought in from home.

  6. Loan Package Document Printing
    Loan document packages are to be viewed on the "B" network, where the appropriate plug-in software can be utilized.

  7. Back-ups and Data Integrity
    Back-ups of all pertinent data will be run on a weekly basis, and tested on a monthly basis. Off-site back-ups will also be maintained. The types of information that are deemed pertinent will be determined by the Security Team. Each user will need to make sure that their data is placed in the designated directories on the file server regularly for back-up purposes.

  8. Power Outages
    If power is lost, use the initial time period to close all programs and properly shut down all workstations. Immediately notify the Security Team for instructions regarding the file server.

=========================================================================

Created by: brouse@membrane.com and sidd@membrane.com [08 June 2004] ©2001 Membrane.com