I wasn't going to take the time to get into all this, but here goes...
The 5-page "Trade Vendor Information Security Requirements and Recommendations" includes footnotes and links to, among other things, a 24-page 'toolkit' [which I've only skimmed so far, let alone studied, which is what they recommend]. There are two sections, one mandatory (Section 1 - Minimum Security Requirements) and one highly recommended (Section 2 - Basic Security Recommendations).
The agreement (which is to be added to the documents we have to annually sign and send to FNF, if we want to work with them) is directed to "Trade Vendors", defined thusly: <<“Trade Vendor” and “TV” mean notaries, signing service companies, closing attorneys/agents providing notarization and/or signing services to consumers.>> So they've lumped us all together. I suspect some of this is mostly intended for the latter organizations, especially the part where it describes protecting websites. (My business website never sees contact with any customer data.)
The one thing I disagree with in the post above is having to have a dedicated email account only for "FNF" orders. It's a little misleading, the way it's written. It's the first item under Section 2. The heading of that item does say "Maintain a Dedicated E-mail Account for FNF Orders", but the paragraph that follows says:
"You should strive to maintain a dedicated business e-mail account for receiving and sending orders. This e-mail account can be used for your other notary customers, but it should remain separate and distinct from your *personal* e-mail account." [Asterisks added by me.]
That part seems pretty straightforward. In Section 1, however, it says that your email service must provide 2-factor verification, which MUST be enabled.  Verry cumbersome, IMO.
Here's the whole list on securing email accounts:
"1.1 Secure Your E-mail Accounts
You must use an e-mail service with the following security features fully enabled:
a. Two factor authentication (2FA)
b. Encryption of data stored on your devices
c. Encryption of data during transit: end-to-end encryption via the most current Pretty Good Privacy (PGP) protocol available
d. User ID unique to a specific individual (no shared user IDs/accounts)
e. Complex passwords, which meet the password requirements section below"
Also under Section 1: "Never store your passwords in any format, including written, electronic, or plain text formats. You should never share your passwords with anyone in any format. Your passwords should be known to you, and only you."
No problem with not sharing, but I'm going to assume this is also just poorly written, as it sounds like no method for storing passwords is acceptable. There's a footnote that refers to the 'toolkit', which says nothing about how to store passwords properly. It also explains why it's a bad idea to use the same password for multiple accounts, which I agree with. But surely they don't expect us to memorize dozens (at least) of work-related, complex passwords, all of which we're expected to change every 180 days?! 
Naturally, not everything in that FNF statement is addressed here. I think I have most of it pretty well covered already, but it will likely take a bit more investigating on my part, especially on encryption. Also looks like updating to Windows 11 is in my future sooner rather than later...
|
