Written Annual Report
All of the risk assessments, vulnerability scans, and monitoring results need to be packaged up and presented to your Board of Directors at least annually. If you don't have a board of directors, the report must go to the highest level of management or ownership. This document must be very thorough, and represents a significant effort.
Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for your information security program. The report shall include the following information:
(1) The overall status of the information security program and your compliance with this part; and
(2) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the information security program.
The Rule requires an annual report, which should memorialize the effectiveness of the Information Security Program. Risk assessments need to be conducted periodically and should always occur after a security event or a significant change to the dealership's information systems, such as changing a DMS provider. S2 Org makes these periodic risk assessments and the required annual report a simple task. S2 Org's robust risk assessment platform empowers you to generate your annual report anytime, with a click.