Inventory Devices That Can Access NPI (FORM 2-90-25 Physical Inventory)
This is the first technical inventory step — and it is intentionally limited. Small mortgage companies do not need an enterprise asset management system. They need a simple, defensible answer to two questions:
What devices can access customer information?
If a device is lost, stolen, or an employee leaves, can we shut off access quickly?
FORM 2-90-25 IT Security Physical Inventory is the company’s system of record for that answer.
Why This Matters (The Mortgage Reality)
If a device can open an email, it can expose NPI. Mortgage companies are especially exposed because:
email is used constantly for document exchange
staff work remotely or hybrid
phones are used for text, scanning, and email
printers/scanners quietly store documents
“personal device use” becomes normal without controls
This inventory is how you stop cybersecurity from becoming “hope.”
What Counts as a “Device”
When most companies hear “device inventory,” they think laptops and desktops. But for the mortgage industry, you must also include:
1) Mobile phones (company-owned or BYOD)
Phones are frequently the highest risk device in a small shop because they:
store email attachments
store photos of IDs and documents
allow cloud access to file systems
are easy to lose or steal
2) Tablets
Especially if used for:
email
e-signing
client meetings
3) Printers / copiers / scanners (MFPs)
This is the device category almost everyone forgets.
Many scanners/copiers:
store documents temporarily
store documents permanently
have Wi-Fi access
have default admin passwords
have internal hard drives
4) Network equipment
Even if you are “all cloud,” your router is still:
your gateway to the internet
a target for compromise
often outdated and unmanaged
5) External drives and storage
USB drives
external hard drives
“loan file backup” devices
Step-by-Step: How to Complete FORM 2-90-25
Step 1 — List each device (one row per device)
Start with everything used for business, including BYOD.
Use a consistent “Identifying Name” format, such as:
TM-Laptop-01
Office-Desktop-01
Scanner-FrontDesk
Router-MainOffice
iPhone-JSmith
Why this matters: If you ever have an incident, you need a device name that makes sense in a crisis.
Step 2 — Identify the device type
Use the “Type” column to classify the device clearly, such as:
Laptop
Desktop
Phone
Tablet
Printer/Scanner
Router/Modem
External Drive
Practical tip: If you don’t list printers/scanners here, you’re missing a major NPI exposure point.
Step 3 — Record the serial number (where applicable)
Serial numbers matter for:
insurance
theft reports
warranty tracking
proving which device was issued to which employee
If a device does not have a serial number (or it’s difficult to locate), use:
a sticker label ID
or “N/A” with a comment in your notes
Step 4 — Assign the device to a person (or location)
Complete the “Assigned To” field.
This is critical for:
accountability
offboarding
incident response
Example entries:
John Smith
Loan Processing Desk
Front Office
Conference Room
Step 5 — Remote wipe enabled (YES matters more than you think)
This is one of the most important columns on your form.
Remote wipe should be YES for:
phones
tablets
laptops (if managed via MDM or Microsoft/Google device controls)
Why this matters: A stolen phone with email access is a data breach waiting to happen.
Step 6 — Track last software update (or at least month/year)
This is not meant to become IT micromanagement. It is meant to answer the most common examiner question:
“How do you know devices are updated?”
A simple entry like “2026-02” or “2026-01” is often enough for small companies.
Step 7 — Wired vs Wi-Fi (this matters for office devices)
This seems minor, but it’s not. A Wi-Fi printer or scanner:
is more likely to be misconfigured
is more likely to be on the wrong network
is more likely to be accessible to guests
If a printer/scanner is Wi-Fi enabled, it should be reviewed for:
password changes
guest network separation
admin access restrictions
Step 8 — Record the operating system
This matters because:
Windows devices need patching + antivirus
macOS devices need patching + encryption
iOS/Android devices need screen locks + remote wipe
If you don’t know, do not guess — record “Unknown” and treat it as a finding.
BYOD (Bring Your Own Device): The Practical Mortgage Risk
BYOD is common in small mortgage companies, and it’s not automatically prohibited. But BYOD creates three common failures:
1) No remote wipe capability
If the phone is personal and not enrolled in management, the company cannot wipe it.
2) No separation between personal and business use
NPI ends up mixed with:
personal photos
personal cloud backups
personal texting
3) No way to enforce updates or screen lock
The company cannot prove the device is secure.
Minimum defensible BYOD controls:
screen lock required
remote wipe enabled (via device enrollment or platform controls)
email MFA required
no saving customer documents to the device
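The following script is an added example, not part of FORM 2-90-25 or the article above. It reads an inventory exported from the spreadsheet as CSV and applies the checks from Steps 1 through 8 plus the minimum BYOD controls just listed, producing a findings list per device. The column names (Identifying Name, Type, Serial, Assigned To, Remote Wipe, Last Update, Connection, OS) follow the columns the article describes; the BYOD, Screen Lock, Email MFA and Docs Saved Locally columns, the six-month staleness threshold and the sample rows are assumptions constructed for the example.

```python
"""Audit a FORM 2-90-25 style device inventory and list findings per device.

Added example, not the form's or the article's own code. Column names beyond
those the article describes, the staleness threshold and the sample data are
assumptions constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed sample export from the inventory spreadsheet (illustrative only).
SAMPLE_INVENTORY = """\
Identifying Name,Type,Serial,Assigned To,BYOD,Remote Wipe,Last Update,Connection,OS,Screen Lock,Email MFA,Docs Saved Locally
TM-Laptop-01,Laptop,ABC123,John Smith,NO,YES,2026-02,Wi-Fi,Windows,YES,YES,NO
Office-Desktop-01,Desktop,DEF456,Loan Processing Desk,NO,NO,2025-03,Wired,Windows,YES,YES,NO
Scanner-FrontDesk,Printer/Scanner,N/A,Front Office,NO,NO,2024-11,Wi-Fi,Unknown,N/A,N/A,N/A
Router-MainOffice,Router/Modem,GHI789,Front Office,NO,NO,2023-06,Wired,Unknown,N/A,N/A,N/A
iPhone-JSmith,Phone,,John Smith,YES,NO,2026-01,Wi-Fi,iOS,YES,NO,YES
"""

MOBILE_TYPES = {"Phone", "Tablet", "Laptop"}  # Step 5: remote wipe should be YES
STALE_MONTHS = 6                               # assumed threshold for "update too old"
AUDIT_DATE = date(2026, 3, 1)                  # constructed "today" so results are stable


def months_since(yyyy_mm, today):
    """Whole months between a 'YYYY-MM' entry and today; None if not parseable."""
    try:
        year, month = (int(part) for part in yyyy_mm.split("-"))
    except ValueError:
        return None
    return (today.year - year) * 12 + (today.month - month)


def audit_device(row, today):
    """Return the list of findings for one inventory row (empty if it passes)."""
    findings = []
    dtype = row["Type"].strip()
    # Step 1: every row needs a usable identifying name
    if not row["Identifying Name"].strip():
        findings.append("missing identifying name")
    # Step 3: a serial number or a labelled substitute (sticker ID, "N/A") must be recorded
    if not row["Serial"].strip():
        findings.append("no serial or label ID recorded")
    # Step 4: accountability requires a person or a location
    if not row["Assigned To"].strip():
        findings.append("not assigned to a person or location")
    # Step 5: phones, tablets and laptops should be remotely wipeable
    if dtype in MOBILE_TYPES and row["Remote Wipe"].strip().upper() != "YES":
        findings.append("remote wipe not enabled")
    # Step 6: last update should be recorded as YYYY-MM and be reasonably recent
    age = months_since(row["Last Update"].strip(), today)
    if age is None:
        findings.append("last update not recorded as YYYY-MM")
    elif age > STALE_MONTHS:
        findings.append(f"last update {age} months ago")
    # Step 7: a Wi-Fi printer/scanner needs its configuration reviewed
    if dtype == "Printer/Scanner" and row["Connection"].strip() == "Wi-Fi":
        findings.append("Wi-Fi printer/scanner: review passwords, guest separation, admin access")
    # Step 8: an unknown operating system is itself a finding
    if row["OS"].strip() in ("", "Unknown"):
        findings.append("operating system unknown")
    # BYOD minimum controls from the article (column names are assumed)
    if row["BYOD"].strip().upper() == "YES":
        if row["Screen Lock"].strip().upper() != "YES":
            findings.append("BYOD: screen lock not required")
        if row["Email MFA"].strip().upper() != "YES":
            findings.append("BYOD: email MFA not enforced")
        if row["Docs Saved Locally"].strip().upper() == "YES":
            findings.append("BYOD: customer documents saved on device")
    return findings


def audit_inventory(csv_text, today=None):
    """Audit every row; return {identifying name: findings} for rows with findings."""
    today = today or date.today()
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row, today)
        if findings:
            report[row["Identifying Name"].strip() or "<unnamed>"] = findings
    return report


if __name__ == "__main__":
    for device, items in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(device)
        for item in items:
            print("  -", item)
```

Run it against a real export by replacing SAMPLE_INVENTORY with the file contents; every device that prints a finding is a row to fix or to document as an accepted exception. A device that produces no findings (the managed company laptop in the sample) simply does not appear, which keeps the output short enough to review at the annual update.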
Are Cell Phones Really a Big Risk?
Yes — and most small companies underestimate this. In the mortgage industry, phones are used for:
scanning documents
texting borrowers
accessing email
accessing document storage
A phone is a portable loan file cabinet. If you inventory nothing else, inventory phones.
The Quiet Devices That Cause Big Problems
These are the “surprise findings” most companies discover:
Printers / scanners
Especially if they:
store scans
have email-to-scan enabled
have default passwords
are accessible from Wi-Fi
Old laptops kept “just in case”
These are often:
unpatched
shared
not encrypted
Shared office computers
Shared logins + shared computers = exam findings.
Output
Completing this process gives you a completed FORM 2-90-25 IT Security Physical Inventory spreadsheet, updated at least annually and whenever:
a device is purchased
a device is replaced
a device is reassigned
an employee is terminated
remote work is added
This inventory is not meant to be perfect. It is meant to be complete enough to act on.
Bottom Line
Small mortgage companies don’t need enterprise IT. They need a reliable answer to:
What devices access NPI?
Who uses them?
Are they secured?
Can we disable access quickly?
FORM 2-90-25 is how you prove that you know the answer.