Conducting a Risk Assessment at Your Dealership


Once a QI has been designated, that person’s first task should be to conduct a Risk Assessment. A Risk Assessment is an evaluation of the internal and external risks to the security and integrity of data on a network.


Risk Assessments can involve software-driven questionnaires that walk you through common potential risks and can be supported by Vulnerability Scans. Note that vulnerability scans are not the same as Risk Assessments, though they may be part of the Risk Assessment process.


Vulnerability Scans should be conducted at least quarterly; some solutions run them continuously. Risk Assessments need to be conducted regularly, which should mean at least annually.


If certain events occur (switching DMS providers, for example), a new Risk Assessment should be conducted before the anniversary rolls around, rather than waiting for the next scheduled one.


Inventory of the Dealership Network


The Rule requires dealers to inventory their networks. Even though that System Inventory is itself a mandatory Safeguard, the logical time to perform this particular task would be during the Risk Assessment process.


Documentation of the Risk Assessment


The Risk Assessment must be recorded in writing. That document should evaluate and categorize identified risks and assess the sufficiency of any Safeguards already in place. It should also designate additional Safeguards to implement that would address any unmitigated risks the Assessment uncovered.