For over 35 years, PMI Mortgage Insurance Co. has been supplying mortgage insurance that delivers peace of mind to lenders and homeowners alike. PMI provides a range of products that help banks and loan originators to secure business and borrowers to close on their new homes.
To fulfill these roles, PMI has to collect a great deal of personally identifiable information about prospective home purchasers, including their social security numbers, addresses, and financial history. Both PMI and the lenders it serves are extremely concerned about protecting this information, and as a result the company takes information security very seriously. To ensure its network protection stays strong, PMI engages industry experts to perform annual audits to identify any potential vulnerabilities and recommend improvements. For the last three years PMI has chosen Foundstone Professional Services from McAfee to provide that expertise.
Quality and flexibility distinguish Foundstone Professional Services
“We chose Foundstone Professional Services because it exhibited all the qualities we needed from a network security assessment organization,” says Todd Berman, director of security and information protection for PMI. “Over many years of vulnerability assessments, we have learned a great deal about the criteria that matter in an assessment service, and Foundstone Professional Services satisfies them all. It is well-known, respected, highly flexible, and vendor-agnostic. And most importantly, it delivers thorough vulnerability assessments and reports, including a comprehensive letter for use with our customers that summarizes the tests performed and their results.”
Three-phase process covers the gamut of vulnerabilities
In each of the testing engagements, Foundstone Professional Services provided a three-phase security assessment approach customized to PMI’s requirements.
In the first phase, called an external network assessment, the consultants analyzed the vulnerability of PMI’s web applications and Internet-accessible servers to penetration from outside the company’s firewall utilizing a range of automated tools and manual techniques. These tests were conducted directly from the Foundstone Professional Services’ offices, where the consultants were positioned to mimic real-world attacks.
Phase two consisted of a wireless network assessment, in which the consultants went on site and looked for insecure 802.11a/b/g wireless access points. They began by interviewing PMI staff. The consultants then searched inside and outside PMI’s facilities for rogue access and non-PMI authorized access points.
In phase three, Foundstone Professional Services performed a policy gap analysis by comparing PMI’s security policies and procedures with the best practices embodied in the ISO 27001 standard from the International Organization for Standardization. The consultants spent time on site learning and evaluating PMI’s policies and procedures. They examined dozens of internal documents and interviewed numerous key PMI employees including the CIO.
Foundstone Professional Services completed the service by preparing and delivering a comprehensive written and in-person report, and by preparing an outward-facing security profile letter for PMI to provide to its customers. Customers have found this letter valuable because it reassures them about the security of personal information held by PMI.
"We chose Foundstone Professional Services because it exhibits all the qualities we needed from a network security assessment organization. It is well known and respected, vendor agnostic, and highly flexible."Todd Berman
Director of Security and Information Protection, PMI Mortgage Insurance Co.
Repeat assessments reflect PMI’s satisfaction with Foundstone Professional Services
In the dynamic field of security, the rate of change is so fast that experts recommend that organizations complete security assessments every year. Furthermore, many customers require annual letters affirming that their partners protect against new kinds of threats. As a result, Foundstone Professional Services performed security audits for PMI in each subsequent year after its first highly successful engagement in 2006.
Results show the strength of PMI’s security posture
The Foundstone Professional Services assessments have found that PMI is ahead of the industry average in information security. The consultants found PMI’s security policies and processes to be comprehensive, managed, and verifiable. They examined how responsibilities for PMI’s IT security are assigned, managed, and enforced, and found that all of these processes align well with security best practices. Likewise, Foundstone Professional Services analyzed and sanctioned PMI’s practices for IT security risk and impact analysis, for promoting security awareness, and for user identification, authentication, and authorization.
Foundstone Professional Services delivers quality and professionalism
“We continue to engage Foundstone Professional Services because of our ongoing satisfaction with jobs well done,” states Berman. “We especially appreciate the group’s professionalism and concern for quality, as well as the vendor neutrality it consistently displays.” Vendor neutrality is particularly important in an assessment provider so that customers do not feel recommendations are motivated by the desire to sell additional products.
“I found it especially important that the consultants were able to address the issues highlighted by our CIO, as well as target highly detailed security matters,” Berman continues. “Foundstone Professional Services was also conscious of minimizing disruption to our business. When they assessed our production environment, for example, they made sure to do so in the middle of the night.”
Outward-facing letter saves time and puts customers at ease
The outward-facing letter that Foundstone Professional Services delivered summarized the report’s findings and provided many important specifics.
“The letter we have achieved each year has proven extremely valuable in reassuring customers that their personal information is safe with us,” declares Berman. “It also saves us time in responding to external customer assessments, which are growing at a rate of 70% to 100% annually. Responding to all assessments is an action that PMI takes very seriously, and validation from Foundstone Professional Services is a key component of our response.”
But merely having a testimonial letter to present to interested customers is not enough. The testimonial must be from a recognized authority on information security. Foundstone Professional Services consultants have multiple highly recognized industry certifications such as CISSP, CEH ISO 27001 Lead Auditor, PCI QSA, and several others. Many consultants are also authors and contributing authors of world renowned security books like Hacking Exposed, now in its sixth edition.
“The fact that our outward-facing letter comes from such a well known and respected organization as Foundstone Professional Services provides third-party credibility with customers externally,” Berman concludes. “It also helps internally with our management team when they recognize the rigorous testing process and industry stature of Foundstone. It is one thing for me to state we are doing a better job than our competitors, but it is quite another thing for Foundstone to say so. Achieving a positive security assessment from a company of Foundstone’s stature is the mark of a well-protected network.”
Now that Foundstone Professional Services has validated the strength of PMI’s security provisions for the third straight year, both the company and its customers can rest assured that the highest industry standards are used to protect personal data and confidentiality.