"The First Choice in Credit & Screening"



Information Security Policy

CIC Mortgage Credit, Inc.

Information Security Policy and Guideline

1.0         Overview

Effective security is a team effort involving the participation and support of CIC Mortgage Credit, Inc. (“CIC”) and every customer, including its employees, agents, officers, directors, owners, and contractors who have access to CIC’s systems and products (“Subscribers”).  CIC’s Management has approved this Information Security Policy (“Policy”).  It is each Subscriber’s responsibility to fully understand its obligations and responsibilities under this Policy, the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. (“FCRA”), and any other federal or state statutes and regulations that apply to the services and products CIC provides, and to conduct its activities accordingly.  CIC respects the privacy of the consumers whose information is contained in the credit histories and other products and services we offer to our customers and is committed to protecting such information. 

CIC’s information security measures are designed to reduce unauthorized access to consumer information. It is each Subscriber’s responsibility to implement these controls.  If any Subscriber does not understand these requirements or needs assistance, it is the Subscriber’s responsibility to employ an outside service provider to assist it. Capitalized terms used herein have the meaning given in this document. This Policy sets minimum baselines for information security.  CIC, on behalf of itself and the credit reporting agencies from which it receives consumer information, has the right to modify this Policy without notification.

The Internet/Extranet-related systems, including but not limited to computer software, operating systems, storage media, network accounts providing electronic mail, and electronic storage capabilities, are CIC’s exclusive property.  These systems are to be used for business purposes in serving the interests of CIC and of our customers in the course of our normal operations. 

2.0         Purpose

The purpose of this Policy is to outline CIC’s Information Security Policy and the acceptable use of computer equipment, and to establish the standards for the use of personally identifiable information by CIC, CIC’s service providers and Subscribers.  These rules are in place to protect the Subscribers, CIC, and the consumers whose personally identifiable information is being used.  Inappropriate use or violations of these rules may also result in immediate termination of products or services to the Subscriber or other appropriate actions. 

3.0         Scope

This Policy applies to each Subscriber’s employees, officers, directors, owners, contractors, consultants, temporary employees, and all personnel affiliated with Subscribers.  This policy applies to all of CIC’s equipment that is owned or leased and all devices that connect to CIC’s network. 

This Policy applies to information or data stored or shared via any means including electronic information, information on paper, and information shared verbally or visually (such as telephone, whiteboards and video conferencing).  This Policy requires specific behavior by Subscribers when dealing with personally identifiable or sensitive data. 

This Policy applies to all Subscribers who are given access to credit information or other sensitive and personally identifiable consumer information, regardless of the source of such information. 

CIC’s personnel and Subscribers are encouraged to use their best judgment in always protecting credit information and other sensitive and personally identifiable information such as Social Security numbers, credit card or other account numbers, drivers’ license numbers or other sensitive information.  Appropriate protection may exceed the minimum required by this Policy. 

4.0         Policy

A.                General Use

1.            Subscribers should be aware that the data they create for personal or business use on the corporate network remains CIC’s property.  Because of the need to protect CIC’s network, management cannot guarantee the confidentiality of information stored on or transmitted through any network device belonging to CIC.

2.            Any information that CIC or the Subscribers consider sensitive or vulnerable should be encrypted.   

3.            For security and network maintenance purposes, authorized individuals within CIC may monitor equipment, systems and network traffic at any time.

4.            CIC reserves the right to audit Subscriber’s networks and systems on a periodic basis to ensure compliance with this policy and these guidelines.

5.            Consumer information offered by or through CIC must be used appropriately and for specific purposes.  Subscribers will not obtain any credit or other consumer information on themselves, their associates, or any other person except in the exercise of their official duties. 

6.            CIC requires that its Subscribers have a “permissible purpose” under the FCRA before ordering consumer report information.  A permissible purpose includes the following:

a.             The Subscriber intends to use the information as a potential investor, servicer, or current insurer in connection with a valuation of, or assessment of, the credit or prepayment risks.

b.            The Subscriber has a legitimate business need in connection with a business transaction that is initiated by the consumer.

c.             The Subscriber intends to use the information in connection with written instructions of the consumer to whom it relates.

d.            The Subscriber intends to use the information in connection with a collection transaction involving the consumer for the collection of an account of the consumer.

e.             The Subscriber intends to use the information in response to an agency administering a state plan under Section 454 of the Social Security Act (42 U.S.C. 654) for use in setting an initial or modified child support award.

f.             The Subscriber intends to use the information in accordance with written instructions of the consumer through a reseller. 

g.            The Subscriber intends to use the information in response to a request by the head of a state or local child support enforcement agency (or a state or local government official authorized by the head of such an agency) that has met all requirements of Section 604(a)(4)(A)-(D).

h.            The Subscriber intends to use the information in connection with a credit transaction involving the consumer and for the extension of credit or review or collection of an account of the consumer.

i.              The Subscriber intends to use the information in connection with employment purposes.

j.              The Subscriber intends to use the information in connection with a determination of eligibility for a license or other benefit granted by a governmental instrument required by law to consider financial responsibility or status.

k.            The Subscriber intends to use the information in connection with the underwriting of insurance.

l.              The Subscriber intends to use the information in connection with the review of existing policy holders for insurance underwriting purposes.

m.          The Subscriber intends to use the information in connection with a legitimate business need to review an account to determine whether the consumer continues to meet the terms of the account.

n.            The Subscriber intends to use the information in response to the order of a court having jurisdiction or a subpoena issued by a federal grand jury.

o.            The Subscriber intends to use the information in connection with a tenant screening application involving the consumer. 

p.            The information will be used by a governmental agency pursuant to FCRA Section 608.

q.            The Subscriber intends to use the information to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.

r.              The Subscriber intends to use the information for required institutional risk control or for resolving consumer disputes or inquiries.

s.             The Subscriber intends to use the information in connection with holding a legal or beneficial interest relating to the consumer.

t.              The Subscriber intends to use the information for law enforcement agencies or for an investigation on a matter related to public safety.

u.            The Subscriber intends to effect, administer, or enforce a transaction to underwrite insurance at the consumer’s request, for reinsurance purposes or for the following purposes related to the consumer’s insurance:  account administration, reporting, investigating, fraud prevention, premium payment processing, claim processing, benefit administration or research projects.

v.            The Subscriber intends to use the information in connection with persons acting in a fiduciary or representative capacity on behalf of, and with the consent of, the consumer.

w.          The Subscriber intends to use the information as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, including location for collection of a delinquent note.

x.            The Subscriber intends to use the information in conjunction with access to a commercial file on a sole proprietorship.

y.            The Subscriber intends to use the information in conjunction with access to a commercial file on a corporation, where specific consumer consent is given.

z.             The Subscriber intends to use the information in conjunction with a credit transaction involving the extension of credit to, or review or collection of an account of, the consumer, where the medical information to be furnished is relevant to process or effect the transaction, and specific consumer consent was provided for the furnishing of the consumer report that describes the use for which the medical information will be furnished.

aa.         The Subscriber intends to use the information for employment purposes, where the medical information to be furnished is relevant to process or effect the transaction, and specific consumer consent was provided for the furnishing of the consumer report that describes the use for which the medical information will be furnished.

bb.        The Subscriber intends to use the information in connection with the underwriting of insurance and specific consumer consent was given for the release of the medical information contained within the consumer report.

B.                 Security of Information

1.            All devices connecting to CIC’s network must comply with all appropriate policies and standards.

2.            The Subscriber must take all necessary steps to prevent unauthorized access to CIC’s data, as well as to any personally identifiable or other sensitive information related to consumers or credit histories, or otherwise contained in any of CIC’s products or services.

3.            Subscribers must request a separate, unique user ID for each user to enable individual authentication and accountability for access to CIC’s information.  Each user of the system access software must also have a unique log-on password.

4.            All passwords must be kept secure and may not be shared.  Accounts may not be shared.  Account numbers and passwords should be known only by supervisory or key personnel. The number of key personnel who have access to consumer information should be restricted.  Subscribers are responsible for the security of their passwords and account. 

5.            Passwords must be changed every ninety days.  The Subscriber must request that its passwords be changed immediately when any system access software is replaced by other system access software or is no longer used, or when the hardware on which the software resides is upgraded, changed or discarded. 

6.            Subscriber and its authorized users shall develop strong passwords that are not easily determined (e.g., the name of the Subscriber’s company, or repeating or consecutive numbers and letters) and that contain a minimum of eight (8) alpha/numeric characters for standard user accounts.  CIC will never contact a Subscriber and request its Subscriber Code number or password. 
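The rules in item B.6 can be enforced mechanically at the point where a Subscriber sets a password. The checker below is an added example, not CIC’s own tooling; the policy does not define how long a "repeating or consecutive" run is or which words of a company name count, so those thresholds (three in a row, words of three or more characters) and the reading of "alpha/numeric" as requiring both letters and digits are assumptions.

```python
import re

# Added example (not CIC's own tooling): enforces the password rules of
# section 4.0 B.6. Thresholds the policy does not state are assumptions.

MIN_ALNUM = 8          # policy: minimum of eight alpha/numeric characters
RUN_LENGTH = 3         # assumption: 3+ in a row counts as repeating/consecutive
MIN_TOKEN = 3          # assumption: company-name words this long or longer are blocked


def _normalize(text):
    """Lower-case the text and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def has_repeating_run(pw, n=RUN_LENGTH):
    """True if any character appears n or more times in a row, e.g. 'aaa' or '111'."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_consecutive_run(pw, n=RUN_LENGTH):
    """True if n or more letters/digits step up or down by one, e.g. 'abc' or '321'."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        if not window.isalnum():
            continue
        steps = {ord(window[j + 1]) - ord(window[j]) for j in range(n - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_company_name(pw, company_name):
    """True if the normalized company name, or any word of it, is inside the password."""
    hay = _normalize(pw)
    whole = _normalize(company_name)
    tokens = [_normalize(t) for t in company_name.split()]
    candidates = [whole] + [t for t in tokens if len(t) >= MIN_TOKEN]
    return any(c and c in hay for c in candidates)


def check_password(pw, company_name):
    """Return the list of B.6 violations; an empty list means the password is acceptable."""
    problems = []
    if sum(c.isalnum() for c in pw) < MIN_ALNUM:
        problems.append("fewer than %d alphanumeric characters" % MIN_ALNUM)
    # Assumption: "alpha/numeric" is read as requiring both letters and digits.
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("must contain both letters and digits")
    if contains_company_name(pw, company_name):
        problems.append("contains the Subscriber's company name")
    if has_repeating_run(pw):
        problems.append("contains repeating characters")
    if has_consecutive_run(pw):
        problems.append("contains consecutive characters")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; the company name is the one on this page.
    for candidate in ["cic12345", "aaaa1111", "Tr4ffic9Q"]:
        print(candidate, "->", check_password(candidate, "CIC Mortgage Credit") or "OK")
```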

7.            All PCs, laptops and workstations must be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off when the device will be unattended.

8.            Subscriber must encrypt all consumer data and information when stored on any laptop computer and in the database using AES or 3DES with 128-bit key encryption at a minimum, or such other requirements as may be required by applicable laws and regulations.

9.            Peer-to-peer file sharing may not be enabled for those with access to CIC’s system and information.

10.        Laptops must be properly secured or placed in a locked drawer or cabinet. 

11.        Personally identifiable or other sensitive information related to consumers or credit histories must never be saved to a computer hard drive. 

12.        All paper files containing sensitive or personally identifiable information shall be kept secure and not left on a desk or in an open file cabinet or drawer while unattended.  All such paper files and documents must be properly secured or placed in a locked drawer or cabinet.  They shall not be left on desks overnight unless the desk is located in a room that can be securely locked.  Sensitive information such as credit histories, Social Security numbers, drivers’ license numbers or similar information shall always be placed in a locked drawer or cabinet and shall never be left on desks overnight.

13.        All devices used by the Subscriber that are connected to CIC’s network must use the most up-to-date anti-virus and anti-spyware software.

14.        Subscriber must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

C.                Security of Information Systems

1.            Subscriber must keep operating system(s), firewalls, routers, servers, personal computers (laptop and desktop) and all other systems current with appropriate system patches and updates.

2.            Subscriber must configure infrastructure such as firewalls, routers, personal computers, and similar components to industry best security practices, including disabling unnecessary services or features, removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.

3.            Subscriber’s internal private internet protocol (IP) addresses must not be publicly accessible or natively routed to the internet, and network address translation (NAT) technology should be used.

4.            Subscriber’s administrative access to firewalls and servers must be performed through a secure internal wired connection only.

5.            Subscriber’s stand-alone computers that directly access the internet should have a desktop firewall deployed that is installed and configured to block unnecessary/unused ports, services and network traffic.

6.            Subscriber should configure wireless access points with a minimum of 128-bit WEP encryption, or WPA encryption where available.

7.            Subscriber should disable vendor default passwords, SSIDs and IP Addresses on Wireless access points and restrict authentication on the configuration of the access point.

8.            Subscriber must implement and follow current best security practices for computer virus detection scanning services and procedures, including:

a.       Use, implement and maintain a current, commercially available Computer Virus detection/scanning product on all computers, systems and networks.

b.      If Subscriber suspects an actual or potential virus, it must immediately cease accessing CIC’s system and shall not resume the inquiry process until the virus has been eliminated.

c.       On a weekly basis at a minimum, keep anti-virus software up-to-date by vigilantly checking or configuring auto updates and installing new virus definition files.

9.            Subscriber must implement and follow current best security practices for computer anti-spyware scanning services and procedures, including:

a.       Using, implementing and maintaining a current anti-Spyware scanning product on all computers, systems and networks.

b.      If Subscriber suspects an actual or potential breach due to Spyware, it must immediately cease accessing the system and shall not resume the inquiry process until the threat has been eliminated.

c.       Keeping anti-Spyware software up-to-date by vigilantly checking or configuring auto updates and installing new anti-Spyware definition files weekly, at a minimum.  If Subscriber’s computers have unfiltered or unblocked access to the Internet, then anti-Spyware scans should be completed more frequently than weekly.

10.        Subscriber should perform regular tests on its information systems (port scanning, virus scanning, vulnerability scanning). 

5.0         Access to CIC’s Information

A.                CIC grants access to its information and resources for permissible purposes only.

B.                 CIC determines authorized access in its sole discretion. 

C.                 Subscriber must ensure that all consumer information and other sensitive information is physically maintained in a manner that minimizes unintentional disclosure, alteration or loss.

D.                Subscriber should develop and follow a security plan to ensure that the confidentiality and integrity of data is protected throughout its entire information lifecycle (creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (e.g., tape, disk, paper) by:

1.            Keeping documents and information from unauthorized view.

2.            Prohibiting documents from being left unattended on desks.

3.            Storing documents and media in locked drawers and cabinets.

4.            Physically locking computers and locking screens when not in use.

5.            Protecting all materials from loss or theft, and all other reasonable protections based on Subscriber’s best judgment.

6.            Never sharing sensitive or confidential information with another individual (including another employee of Subscriber) unless the Subscriber has previously verified that the individual is authorized and has a business need for access to the information.

7.            Destroying sensitive documents and confidential personal information when no longer needed.  Proper destruction methods prevent simple recovery by electronic means such as “undelete” utilities or physical means such as “dumpster diving.”  CIC, all CIC employees and all Subscribers shall comply with the Federal Trade Commission’s Final Rule on the Disposal of Consumer Report Information and Records, 16 C.F.R. Part 682. 

8.            Establishing processes and procedures for responding to security violations, unusual or suspicious events and reporting all information security breaches to CIC within 24 hours of the Subscriber learning of the breach.

9.            Implementing and maintaining ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security within Subscriber’s organization.

6.0         Subscriber Responsibilities

This section is an attempt to summarize some of the main responsibilities for Subscribers.  It is by no means complete, and each Subscriber should refer to individual policies or to CIC if it is unsure as to its responsibility in a particular area.

A.                Each Subscriber:

1.            Shall be responsible for all computer transactions that are made with Subscriber’s User ID and password.

2.            Shall not disclose passwords to others.  Passwords must be changed immediately if it is suspected that third parties may have had access to them.  Passwords should not be recorded where they may be easily obtained.

3.            Will change passwords at least every 90 days.

4.            Should use passwords that will not be easily guessed by others. 

5.            Shall implement a process to terminate access rights immediately for users who access CIC’s information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.

6.            Should log out when leaving a computer for an extended period of time.

7.            Should store storage media out of sight when not in use.  If the storage media contains sensitive or confidential data, it must be locked up.

8.            Should keep storage media away from environmental hazards such as heat, direct sunlight, and magnetic fields. 

9.            Shall not disconnect, modify or relocate CIC’s equipment unless that is part of the Subscriber’s specific job duties.   

10.        Shall not remove any data containing personal consumer information from the Subscriber’s office for any reason. 

11.        Subscribers should exercise care to safeguard the valuable electronic access assigned to them.  Subscribers who neglect this duty may be accountable to CIC for any loss or damage that may result.

B.                 Privacy:  Certain individuals may have access to Subscribers’ private information.  These individuals are required to protect the confidentiality and integrity of this information and may not disclose such information unless within the authorized performance of the individual’s duties. 

C.                 CIC shall be responsible for the administration of access controls to all Subscribers’ computer systems.  CIC, or its designee, will process additions, deletions, and changes upon the written request of the Subscriber’s supervisor or management.  Deletions may be processed upon oral request prior to receipt of the written request. 

D.                The confidentiality and integrity of data stored on the Subscriber’s computer systems must be protected by access controls to ensure that only authorized users have access.  This access shall be restricted to only those capabilities that are appropriate to each Subscriber’s specific job duties. 

E.                 Subscribers must notify CIC whenever a Subscriber’s employee or agent with access to CIC’s systems leaves the Subscriber’s company or changes job position so that his/her access can be revoked or changed as appropriate.  Involuntary terminations must be reported concurrently with the termination. 

7.0         Enforcement

Any Subscriber found to have violated this Policy or these Guidelines may be subject to disciplinary action, up to and including termination of access to CIC’s products and services or appropriate legal action.  

8.0         Security Assessments and Audits

A.                Periodic assessments and/or audits of the Subscriber’s system security may be performed in CIC’s sole discretion.  These assessments and audits will include: (1) the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information; and (2) the assessment of the sufficiency of any safeguards in place to control these risks.

B.                 The risk assessment must include, at a minimum:  (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions or other systems failures.

C.                 The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems and procedures.

D.                The evaluation and adjustment of the information security program in light of the results of the testing and monitoring.

E.                 The evaluation and adjustment of the information security program in light of any material changes in operations or business arrangements.

F.                  The evaluation and adjustment of the information security program in light of any other circumstances known or which CIC has reason to know may have a material impact on the effectiveness of Subscriber’s information security program. 

G.                These assessments or audits may be performed as necessary, but at least once annually. The audits happen randomly each quarter.