For those of our LibertyID Business Solution clients that fall under the FTC Safeguards Rule, here is a checklist of the steps that need to be taken to be in compliance.
1. Appoint a Qualified Individual to implement and oversee your information security program.
2. Conduct a security risk assessment. Administer an assessment of foreseeable risks and threats, including internal/external factors that could compromise customer confidentiality. Think through all the ways unauthorized access could occur.
3. Implement security safeguards. Design company security measures that identify and control the risks found during your risk assessments, vulnerability scans, and penetration testing. Your safeguards should include the following:
- Create access controls to govern who can access your customers’ information.
- Inventory where and how data is gathered, transmitted, and stored.
- Encrypt data at rest and in transit.
- Custom applications should be evaluated for how customer information is stored, accessed, or transmitted.
- Require Multi-Factor Authentication (MFA) to access company applications or customer data.
- Properly dispose of personal information within two years of serving a customer unless doing so conflicts with state or federal laws.
- Anticipate and manage change to your environment, systems, equipment, technology, and personnel.
- Log user activity and monitor both authorized and unauthorized access.
4. Enforce testing of your systems. Theoretical safeguards are great, but without consistent testing of their effectiveness, your safeguards will inevitably become outdated and ineffective. Ongoing risk assessments are critical and should be complemented with annual vulnerability scans and penetration testing.
5. Provide Security Awareness Training for your staff. The security of customer data can be reduced to your weakest link. Ensure everyone associated with the business is equipped to spot cybersecurity risks and threats.
6. Monitor your third-party partners. You might assume that all vendors and service providers are up to date on the appropriate safeguards, but that often isn’t the case. Make sure your agreements are clear about your industry’s security standards, and once you move forward with their services, make sure they continue to share their ongoing security credentialing.
7. Revisit your information security program. To ensure your security plan is relevant within the ever-changing cybersecurity landscape, your team needs to understand how changes to your processes, network, systems, technology, equipment, and applications will affect your compliance.
8. A written incident response plan is critical. Nobody can predict the future, but we can plan for it. Businesses need a set of thoughtful response and recovery protocols for when they have a security event.
9. Have your Qualified Individual report directly to your Board of Directors. Your Qualified Individual must provide at least one compliance report per year to your organization’s board of directors or to the senior officer responsible for your information security program.
Does your business need to comply with the FTC Safeguards Rule? Check out our What Business Must Follow the New FTC Safeguards Rule blog or contact us directly at 844-445-4237 for more information.
LibertyID Business Solutions provides business fraud remediation, full pre-breach preparation with custom WISP protocols, post-breach regulatory response, customer and employee identity fraud restoration management, advanced employee training, and third-party vendor management tools.