Continuous Monitoring or Vulnerability Assessments
Regular testing and evaluation of your Information Security Program is a must. Of all the safeguards the Rule mandates, this one may do the most to actually protect customer data – if it’s done right. This requirement can be satisfied by employing either continuous monitoring (often called “EDR” – for endpoint detection and response) or twice-yearly vulnerability assessments and a penetration test once a year. While both approaches satisfy the Rule, continuous monitoring is the way to go if your intention is to actually protect customer data. That’s because continuous monitoring does just that – it monitors attempts to breach your network 24/7/365, allowing rapid response in real time if an attack is detected. Just running a vulnerability scan twice a year only gives you a semi-annual snapshot of what your vulnerabilities are. EDR gives you an ongoing movie of your security posture.
Defensible and Insurable
And this leads to an important concept: your ISP must be both defensible and insurable. Although satisfying the bare minimum requirements of the Rule may protect your dealership from a deceptive trade practices claim, it won’t protect you from a negligence claim if a preventable breach occurs that your semi-annual vulnerability scans did nothing to prevent. And as a practical matter, you probably won’t be able to get a cyber liability insurance policy unless you employ EDR at your store. Whatever solution you go with, be sure it is both defensible and insurable.