Safeguards Services

Mosaic Cyber Security acts in the nature of a general contractor, vetting potential subcontractors and assembling a team to construct a customized solution tailored to each dealership’s unique needs.

Get A Quote

Click below to fill out our Safeguards Status Questionnaire and we will reach out to you shortly with a free quote and consultation. 

Complete Compliance

We aim to provide our clients with a one-stop solution that covers all the requirements of the Rule. Below, you can browse each requirement of the Rule and our solution to each.

Stand Alone Options

Mosaic's Solution covers all the requirements of the revised FTC Safeguards Rule, including physical, technical, and administrative requirements. We also offer stand-alone options so you can build a program that fits your needs or fill in gaps in your existing program.

Written Information Security Program

A written Information Security Program or “WISP” is the document that defines the administrative, technical, and physical safeguards you will use to protect the customer data that your business collects. Your WISP should address the risks identified in the risk assessment that you conduct and how you plan to mitigate these risks.

Qualified Individual

The Rule requires a Qualified Individual: one person in the dealership (or dealership group) who is responsible for overseeing and implementing the organization's Information Security Program.

Risk Assessment

A Risk Assessment is an evaluation of the internal and external risks to the security and integrity of data on a network.

Access Controls

Access to customer data must be permitted only to authorized users. Examples of access controls include password protection for electronic databases and locked doors securing physical files.

Data and Systems Inventory

The Rule requires the dealership to consider all locations of customer data, not just the DMS and CRM. Website appointment scheduling software, personal computers, and the cellphones of dealership employees may all contain customer data and should be included in the systems inventory.

Encryption

Customer data needs to be encrypted both in transit and at rest. Fortunately, many software applications have system settings that can be configured to accomplish this at no cost. A review of the systems inventory should shed some light on where the data that requires encryption resides.

Secure Development Practices

The Rule requires dealerships to ensure that the software they use for the transmission, processing, and storage of customer data was developed using secure practices.

Multifactor Authentication

Authentication factors fall into three types: knowledge, possession, and inherence. Access to customer data requires the use of more than one type of factor, for example a knowledge factor like a password combined with an inherence factor like a fingerprint.

Secure Disposal Practices

When you no longer need customer data, you must dispose of it in a secure manner. The Rule expects customer data to be disposed of within 2 years, but recognizes that it may be retained for longer if required by law or if there are legitimate business reasons to do so.

Change Management

Changes to a dealership’s IT infrastructure can introduce new risks. Those risks need to be recognized and addressed, and change management procedures are how that is done.

Systems Monitoring and Logging

All systems usage must be logged. Authorized users’ activity must be recorded and unauthorized use must be detected. The Rule doesn't specify how dealerships must accomplish this requirement, but one way is to engage a Security Operations Center (SOC) to handle the task.

Continuous Vulnerability Assessments

Vulnerability scans should be conducted at least quarterly. Our solution runs scans continuously to identify vulnerabilities before they are exploited.

Continuous Monitoring/Endpoint Detection and Response

What the Rule calls Continuous Monitoring is commonly called Endpoint Detection and Response (EDR) in the IT world. It involves engaging a Security Operations Center (SOC) to monitor your network 24/7/365 to detect intrusion attempts and shut them down.

Unauthorized Activity Monitoring

This requirement goes hand in hand with systems monitoring and logging: authorized users’ activity must be recorded so that unauthorized use can be detected. The Rule doesn't specify how dealerships must accomplish this, but one way is to engage a Security Operations Center (SOC) to handle the task.

Employee & Qualified Individual Security Awareness Training

Unlike the original Rule, the revised Rule requires certain dealership employees to receive ongoing training that covers new threats to customer data as they evolve. Mosaic accomplishes this with monthly video update episodes, coupled with brief tests that confirm the relevant employees understood the content.

Oversee Service Providers

Our solution provides a software application for managing service provider compliance with the Safeguards Rule. It allows you to retain and track all of the documentation and information needed to demonstrate service providers’ compliance with the Rule.

Incident Response Plan

Our plan is designed to help you promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the dealership's control.

Annual Report

All of the risk assessments, vulnerability scans, and monitoring results need to be packaged up and presented to your Board of Directors at least annually. If you don’t have a Board of Directors, the report must go to the highest level of management or ownership. This document must be very thorough and represents a significant effort.