The Student Loan Company Case Study

About the company:

This leading Student Loan Provider is simplifying the student loan experience. As a fintech lending company with a sole focus on private student loans, they’re using technology and their deep industry expertise to connect families who need to cover education costs. By specializing in student loans, they are able to give customers the attention they deserve and deliver loans that are simple, clear, and personalized for the individual.

Building a coordinated approach to data security:

Establishing a scalable data security program that is disciplined and organized.

As the company started building its data security program from scratch, it knew that it had lofty goals. This student loan provider had access to its customers’ personal and financial information, and it was imperative that it protect the information it stored and give its customers confidence that their data was handled securely. The student loan company understood how important it was to have a comprehensive data security program in place but needed help to get it started. When the new Chief Technology Officer (CTO) took over the role, they realized that many of the important elements were held by different departments and that coordination across all departments needed to be improved. That’s why they signed up as an Ostendio MyVCM Premium customer: to ensure the company could be disciplined and organized, and to help them reach the company goal of SOC 2 Type II certification.

Finding help when it was needed most

A solution that would grow and scale with their business.

The Student Loan company started with the basics by building a program from the bottom up that would ultimately be able to grow and scale as their company also grew. The CTO realized they were going to need some expert help and so they engaged Ostendio in a Professional Services contract. The Ostendio Professional Services experts supported the Student Loan company by becoming an extension of the current security team dedicated to this important project. Ostendio Professional Services provided expert assistance in the preparation work such as reviewing, developing and operationalizing their policies and procedures. “Ostendio provided support from the very beginning by identifying the gaps in their security program,” said Michelle Moreno, Ostendio Professional Services Director and ISO. “The Ostendio MyVCM platform had everything needed to guide this customer smoothly through their first SOC 2 audit.”

Student Loan Co.

  • No. of employees: 51-200
  • Year established: 2014
  • Industry: Financial Services
  • Frameworks: SOC 2 Type II
  • Ostendio customer since: 2020

“The Ostendio MyVCM Auditor Connect feature is an innovative way for clients and auditors to connect and contract for an audit engagement.” - Michelle Moreno

Reaching SOC 2 goals and focusing on a secure future

SOC 2 Type II audit complete using the Ostendio MyVCM platform

The Student Loan company uses Ostendio MyVCM to handle:

  • Document management - with all the features of a fully operational Document Management System, the Ostendio MyVCM platform serves as the central repository and access point for all policies, procedures, contracts, SOPs and any other critical documentation. Workflow powers document approval and acknowledgment processes, allowing Ostendio MyVCM to track both approvals and acknowledgments across all documents and for all users.
  • Asset management - tracking their physical assets as well as ownership and location.
  • Employee training - a full Learning Management System allowing for the creation, distribution, and assessment of training.
  • Assessments - the Student Loan company used this module to pre-build assessment questionnaires for their chosen regulations and standards while also creating ad-hoc and custom assessments.
  • Policy and Procedure Templates - these allowed the Student Loan company to map to many common information security and privacy templates when creating their data security program.
  • Risk Management - the Student Loan company uses this module to identify and create mitigation strategies around risk management.

After completing basic preparation with the Ostendio Professional Services support team, the Student Loan company was ready to select an audit partner for their SOC 2 audit. Ostendio MyVCM Auditor Connect makes it easy to find and contract with a specialized auditor who can perform the SOC 2 audit using the Ostendio MyVCM platform. The Student Loan company selected A-LIGN as their audit partner. “The Ostendio MyVCM Auditor Connect feature is an innovative way for clients and auditors to connect and contract for an audit engagement,” said Michelle Moreno, Ostendio Professional Services Director and ISO. “MyVCM Auditor Connect allows clients and auditors to collaborate real-time over documentation that has been provided and avoids time-consuming, confusing emails of spreadsheets and word documents.”

With both the client and auditor (A-LIGN) using the Ostendio MyVCM platform, the Student Loan company saved time and money. The Ostendio MyVCM platform allows both parties to communicate through the platform, sharing the required documents and discussing the policies that are required. This speeds up the audit process and makes completing a SOC 2 audit easier, and more cost effective, for all parties involved.

The Student Loan company has successfully completed their first SOC 2 Type II audit and has built a robust data security program. In future years, using the Ostendio MyVCM platform to complete the audit will be easier, as the initial setup with relevant and operationalized documentation is already complete. As the company grows, it can continue to use the Ostendio MyVCM platform for all its data security and risk management needs. The platform maps to over 100 regulations and standards globally, making it easy for customers to map their existing compliance documents and evidence to additional standards.