90 Second Safeguards
90 Second Safeguards is a series created by Mosaic Cyber Security and designed to break down the revised FTC Safeguards Rule into digestible chunks.

Why Comply?
Why comply with the revised Safeguards Rule? The original rule became law in 2003 and saw very little enforcement in the years since; many dealers essentially ignored it with little consequence. That lack of enforcement is precisely why the rule was revised.
Qualified Individual
One of the revised Safeguards Rule's requirements is that a dealership designates a Qualified Individual. What does that mean and who should it be?
Mandatory Safeguards: Risk Assessment and System Inventory
Once a QI has been designated, that person’s first task should be to conduct a Risk Assessment. A Risk Assessment is an evaluation of the internal and external risks to the security and integrity of data on a network.
Mandatory Safeguards: Encryption, MFA, and Continuous Monitoring
A Risk Assessment should tell you what needs to be done. Implementing Safeguards is the doing. Some Safeguards are mandatory. The ones I consider most important include...
Mandatory Safeguards: Access Controls, Systems Inventory, Secure Development Practices
Let's continue with the list of mandatory safeguards...
Mandatory Safeguards: Disposal Procedures, Change Management Procedures, Monitoring and Logging
Here are the last of the mandatory categories of Safeguards under the revised Rule...
Regularly Test Program Effectiveness
Regular testing and evaluation of your Information Security Program is a must. Of all the safeguards the Rule mandates, this one may do the most to actually protect customer data – if it’s done right.
Implement Policies and Procedures for Personnel to Implement your ISP
The greatest threat to customer data security is located between the monitor and the chair – in other words, your own employees.
Oversee Service Providers
The Safeguards Rule requires you to oversee your service providers. In this episode, Jim discusses this requirement and its four subparts.
Draft Incident Response Plan
What do you do in the aftermath of a “security event” – anything that results in unauthorized access to or misuse of an IT system and its contents?