Creating a Risk Assessment

The risk assessment is intended to help you get your arms around the scope of potential threats to customers’ NPI. If it uncovers areas of weakness, you now know where you should focus your efforts on improving your Safeguards Program.

What is a Risk Assessment?

A risk assessment is the process of identifying and analyzing potential events, hazards, or vulnerabilities that could negatively impact your employees, your customers, and/or your business as a whole.

In the context of the Safeguards Rule, your primary risk factor is going to be your dealership’s computer network (and, of course, the employees who interact with it). But don’t forget: the Safeguards Rule covers not only the technical aspects of your business but the physical and administrative aspects as well.

A comprehensive risk assessment will first look for areas of potential weakness in your dealership’s computer network. This is usually accomplished by engaging a vendor to conduct a Network Vulnerability Assessment.

Second, it will identify areas of concern in the handling of physical documents that contain non-public personal information, looking at how those documents are stored and who has access to them.

Finally, it will address how customer NPI is collected, both on paper and electronically, and identify who is responsible for that data.

Once you have a Qualified Individual to oversee your dealership’s information security program, your first job is to see that a security risk assessment is conducted. Carrying out the risk assessment will usually be the Qualified Individual’s duty.

The Safeguards Rule does not require the Qualified Individual to perform this task personally – an outside consultant can do it. But the Qualified Individual is responsible either for doing it or for seeing that it is done right.

How do I conduct a risk assessment?

A risk assessment is not difficult, but it can seem intimidating if you’ve never done one before. Remember that the purpose of the Safeguards Rule is to protect customers’ nonpublic personal information (or “NPI”) from unauthorized access or use.

A risk assessment, then, should identify those places or circumstances where such information resides and can be at risk. Because customer information can exist in both physical and electronic forms, the risk assessment will need to examine both the dealership’s physical layout and its computer network.

A good way to organize a risk assessment is to trace customer information throughout its life cycle at your dealership. Begin where the information is gathered and consider every point where it is processed, recorded, transmitted, and stored.

Your Qualified Individual should have an understanding of how the dealership functions, the sales and finance process, and the individuals who are responsible for collecting and using customer data at each step in the transaction.

If you need help conducting a risk assessment of your dealership’s physical, administrative, or technical Safeguards, Mosaic can help. We provide Audit Services and Network Vulnerability Assessments that help dealers identify risk and take an aggressive stance when it comes to protecting customer data and ultimately the dealership itself.

Why is a risk assessment important?


Think of it like a doctor diagnosing a patient: once you know what is wrong, you can prescribe a remedy. After completing the risk assessment, the next step is to design and implement safeguards to address the risks you have identified.

Creating a risk assessment is the first step in building a robust Safeguards Program for your dealership. If you need help getting started, Mosaic and our partners have resources to help. If you would like to learn more, contact us for a demo today, or get started now by filling out our Network Status Questionnaire.