Inspire Closing Services is committed to protecting both its proprietary and customer data. To do this, Inspire Closing Services has established a formal information security program to ensure appropriate controls are in place to safeguard sensitive data from unauthorized access or disclosure. The Inspire Closing Services security program is comprised of both technical and procedural controls. Inspire Closing Services has employed advanced next generation firewalls with Intrusion Prevention System (IPS) at the network perimeter configured in pairs for high availability. Public facing systems are segmented within a DMZ, isolated from internal systems by a pair of next generation firewalls protecting the intranet. All servers reside within either Inspire Closing Services’ primary or secondary data center. Data centers are enterprise class co-location providing air handling, power and network connectivity. Inspire Closing Services maintains its own cage with access controls. Datacenters maintain SOCI/II reports which Inspire Closing Services reviews on an annual basis. Both data centers and operational facilities provide physical security controls including, video monitoring, access controls, environmental monitoring and alerting, and visitor policy and procedures. Inspire Closing Services is a Microsoft shop utilizing Active Directory for centralized user account management. Users are assigned a unique user name and password. Passwords are required to be complex, changed frequently and will lockout after a predetermined number of invalid attempts. User sessions are required to re-authenticate after periods of inactivity. Inspire Closing Services performs routine user account review to ensure appropriate entitlements and the removal of dormant accounts. All servers and workstations are built and hardened to the Inspire Closing Services baseline standard with servers performing a single role (e.g. IIS). Inspire Closing Services employs antivirus on all desktops and servers. Antivirus is centrally managed with definition updates pushed daily. Inspire Closing Services performs routine vulnerability scans and monthly patch management. A third party external penetration test is performed annually. Inspire Closing Services requires all sensitive data transmissions to be encrypted through the web (e.g. HTTPS), bulk file transfer (e.g. Secure FTP) and email transmission (e.g. TLS) using industry recognized algorithms. Sensitive data is encrypted within the database. End users are restricted from writing to USB and CD-R. Inspire Closing Services has deployed Security Incident Event Manager (SIEM) throughout the environment. The SIEM generates alerts which are reviewed by designated members of IT. Inspire Closing Services maintains an Incident Response Policy and Procedure to ensure incidents are investigated, resolved, and remediated. Inspire Closing Services maintains a Software Development Lifecycle (SDLC) for secure code development including, dynamic code scanning to detect potential security vulnerabilities. Developers do not have access to production data.
Inspire Closing Services vendors are required to ensure its policies, procedures and technical controls are in place to ensure the connection/transfer of sensitive data remains secure and reduce risk of the transfer of malicious software into Inspire Closing Services. The vendor is to maintain a secure computing environment including the use of: up to date (patched) operating systems, centrally managed antivirus, user access through a proxy, and next generation firewalls at the perimeter. Access to Inspire Closing Services environment shall be secure using industry recognized encryption algorithm agreed upon by Inspire Closing Services and the vendor. The vendor shall maintain procedures to include the timely notification of employee’s change of status to Inspire Closing Services and periodic access reviews to address user entitlement changes. In the event of a security incident within the vendor environment, the vendor is required to notify Inspire Closing Services in a timely manner and to provide necessary access to system logs, user interviews and relevant information of the event in question.