Information Security and Data Protection


Vendor shall implement and maintain an enterprise information security program aligned with industry-recognized standards (such as ISO/IEC 27001, NIST Cybersecurity Framework, or equivalent), with policies, monitoring, incident handling procedures, and technical, administrative, and physical safeguards to:

  • Appoint an individual or group responsible for information security;
  • Protect Confidential Information against unauthorized access, disclosure, alteration, and destruction;
  • Enforce role-based access control, session timeouts, credential management, and disable user access within twenty-four (24) hours of personnel termination;
  • Document privileged account management and conduct periodic entitlement reviews; generic accounts are prohibited;
  • Encrypt desktops, laptops, critical infrastructure, data in transit, data at rest, and backups using industry standards, and maintain a documented backup policy;
  • Maintain data loss prevention tools to monitor and protect data at rest and in transit;
  • Monitor systems with SIEM, anti-malware, endpoint protection, logging, and alerting; record and retain audit logs of user activities, exceptions, and security events, with minimum retention as follows:
    • Twelve (12) months for security and perimeter devices (including firewalls, VPN servers, and intrusion detection systems).
    • Ninety (90) days for authentication systems (including domain controllers and Active Directory).
    • Five (5) years for applications.
  • Perform regular vulnerability scans of networks, web applications, and source code, and conduct external penetration testing at least annually;
  • Maintain secure software development practices throughout the SDLC, including secure code review;
  • Maintain an information risk management program with defined risk acceptance criteria, and conduct risk assessments of subcontractors handling Confidential Information;
  • Restrict application access to Altisource-approved IP addresses as applicable;
  • Maintain and test business continuity and disaster recovery plans;
  • Respond promptly to security incidents and notify Client within twenty-four (24) hours;
  • Secure physical facilities housing systems processing Confidential Information through access controls, surveillance, and visitor management;
  • Provide ongoing information security training for all personnel with access to Confidential Information; and
  • Securely destroy electronic and paper media in accordance with industry standards.

At Altisource's request, Vendor shall provide documentation or evidence demonstrating compliance with these requirements.