Let's continue with the list of mandatory safeguards:
Access to customer data must be only permitted to authorized users. Examples of access controls include:
password protection for electronic databases
locked doors securing physical files
This should already have been performed as part of the risk assessment process. It is broader than you might think and requires the dealership to consider all locations of customer data not just the DMS and CRM environments. Website appointment scheduling software, personal computers, and cellphones of dealership employees may all contain customer data and should be included in the system inventory.
Secure Development Practices
This requirement reminds us that the Safeguards Rule was not written with the average dealership in mind. That's because the average dealership does not develop its own software. But some do, and even those that do not need to ensure the software they use that involves the transmission processing, and storage of customer data was developed using secure practices.