Freddie Mac Information Security Requirements

We have looked in more detail at Fannie Mae’s information security requirements.  Now, let’s look in more detail at Freddie Mac’s requirements for information security.  Again, we will sort each domain of controls by whether it is administrative, technical, or operational.  Understanding why a specific domain belongs to a certain category is essential for building a strategy that covers every contingency.

Administrative Controls: The Strategic Framework

Administrative controls are the "people and policy" layer. These domains belong here because they define the rules of engagement and the legal and contractual requirements the organization must meet.

·        Information Security Program & Privacy Policy: These are the governance blueprints. They set the high-level expectations for how data is handled.

·        Human Resources Security: This manages the "human element," covering onboarding, background checks, and termination procedures.

·        Software Development Life Cycle (SDLC): While it involves code, the process of building secure software is an administrative framework that ensures developers follow security milestones.

Technical Controls: The Digital Shield

Technical (or logical) controls are implemented through hardware and software. These domains are categorized here because they rely on automated mechanisms, rather than human procedure, to protect data and systems directly.

·        Data Encryption & Access Control: Encryption uses cryptographic algorithms to keep data unreadable to anyone without the key; access control uses identity and authorization mechanisms to verify users and limit what they can reach.

·        Network Security & Wireless Networks: These define the digital perimeter, using firewalls to block unauthorized traffic and wireless protocols such as WPA3 to authenticate devices and encrypt traffic over the air.

·        Data Loss Prevention (DLP) & Anti-virus: These are active software agents that scan in real time for malware and for unauthorized movement of sensitive data.

·        Vulnerability Management & Auditing/Monitoring: These are technical visibility tools; vulnerability management scans systems and code for known weaknesses, while auditing and monitoring log system events and review them for anomalies.

Operational Controls: The Physical Execution

Operational controls are the "boots on the ground." These domains belong here because they involve the physical environment and the day-to-day maintenance of the infrastructure.

·        Physical and Environmental Security: This covers the "real world"—locks, cameras, and fire suppression in the server room.

·        Incident Management: This is the human-led process of detecting, containing, and recovering from a breach when it occurs.

·        Configuration and Patch Management: This involves the ongoing labor of keeping systems updated and consistent.

·        Mobile Computing: This addresses the risk of portable devices, and the data on them, leaving the office and being lost or stolen.

·        Communications and Operations Management: This ensures the daily flow of data remains healthy and secure.

By categorizing your 17 domains this way, you ensure that your security isn't just a digital fence, but a comprehensive culture of security.  Security is an organizational mindset; dividing controls into their administrative, technical, and operational layers ensures the right part of the organization can implement each of them most effectively.  These layers complement each other to provide defense-in-depth.


Kevin Robinson, CISSP, DDN.QTE, Associate C|CISO, is Head of Cybersecurity Services for The Commonwealth Group.  He has a 20-year career in cybersecurity, risk assessment, intelligence and counterintelligence.  His previous employers include Thornburg Investment Management, Los Alamos National Laboratory, L3Harris, and the Central Intelligence Agency.
