Pub. 4 2022 Issue 2

There are three primary objectives that an information security program must meet and have written policies in place to support. A security program must:

• Ensure the safety and confidentiality of customer information;
• Protect against threats or hazards to the security and integrity of customer information; and
• Protect against unauthorized access to customer information.

Eight Elements to Include in Your Information Security Program

To best meet the primary objectives the FTC established, eight elements must be included in your dealership’s information security program:

1. Establish a designated Qualified Individual who oversees and enforces the information security program. A Qualified Individual must have some level of information security training and knowledge. This individual is held accountable for issues that may arise due to a security event. A Qualified Individual can be a third-party vendor.

2. Conduct periodic risk assessments of the various security risks to customer information. These must be documented and include the risks or threats found and how they are addressed in the information security program. The documents should include the steps that have been taken to ensure confidentiality, integrity and availability.

3. Implement customer information safeguards. These safeguards include access control, an inventory of all systems, data encryption, secure development practices, multifactor authentication (MFA), data disposal procedures, change management procedures, and monitoring and logging of authorized user activities. This would be covered through continuous monitoring. If a system for continuous monitoring is not in place, biannual vulnerability assessments must be completed.

4. Regularly test or monitor the effectiveness of the various security controls used to detect attempted attacks on the systems that hold customer information.

5. Put policies and procedures in place to ensure that employees can enact the information security program. Employees must have sufficient information and training on the security risks. The training program must also integrate new and evolving security risks.

continued on page 22
