A Blueprint for Safeguards Compliance
By James S. Ganther, Esq., Founder of Mosaic Compliance Services
I look at Safeguards Rule compliance from a particular perspective. Let me explain.

Boniface Bernhardt Günther was born in 1866 in Baden-Baden, Grand Duchy of Baden (the German states wouldn’t coalesce into a single country until 1872). He studied the building trades in Bern, Switzerland, returning to his hometown in 1888, where he became subject to conscription into the army of the nascent German Empire.

At that time, the German Army could keep draftees until they were 50 years old. This did not appeal to young Bernhardt, so he fled the country and never returned to his homeland until he was fifty – just in case. Like many German draft dodgers of his day, he wound up in Wisconsin. But instead of settling in Milwaukee, he stayed on the north-bound train for another 90 miles. When he got off the train, it was at a town named Oshkosh. The Fraulein waiting for him was named Anna.

Like so many fugitives, Boniface changed his name. He changed Anna’s name, too, when she married him and became Mrs. Ben B. Ganther and my great-grandmother. In 1900 – the year my grandfather was born – Ben founded a construction company bearing his anglicized name. My grandfather eventually ran it, then my father. Today, 123 years later, my big brother (named Ben, of course) runs it.

I guess you could say building is in my blood.

The Ganther Company is a general contractor. Rare is the building firm that can perform all of the varied trades necessary to erect a modern building. You need sitework, foundations, utilities, carpentry, concrete forming and finishing, electrical, HVAC, plumbing, painting, structural steel, roofing, and the list goes on.

The Safeguards Rule is like that: there are many necessary elements to compliance, and it is unlikely that any one company does all those functions with its own forces. Safeguards compliance requires policy drafting, vulnerability assessments, overall risk assessments, a written information security program, end-point detection and response, and the list goes on.

What is needed is a general contractor – an entity that can perform some of the functions with its own forces, and engage subcontractors to perform the services it does not. Part of the general contractor role is to negotiate those subcontractors’ prices and manage the overall project. Done right, the client accepts one bid, signs one contract, gets one monthly invoice, cuts one monthly check and lets the general contractor worry about the details. Using that analogy, let’s examine the trades necessary to build a Safeguards Rule compliance program.

THE BLUEPRINT

The first essential element of a building project is a set of plans. A roll of construction blueprints shows every layer of the necessary work. Want to know where the lighting fixtures go? Go to the reflected ceiling plan page. Wastewater pipes? See the plumbing page. It’s all there, logically laid out for a skilled contractor to follow.

Fortunately, your Safeguards project already has a blueprint, should you choose to use it. NADA’s Dealer Guide to the FTC Safeguards Rule acts like such a blueprint. It is detailed, thorough, and discusses all of the necessary elements. Let’s review its structure – you’re going to be following its guidance soon enough.

DESIGNATE A QUALIFIED INDIVIDUAL

Notice that the Rule requires a Qualified Individual, not individuals. There must be one person in the dealership, or dealership group, whose name is on the blame line. The buck needs to stop somewhere.

What qualifies a person to be the Qualified Individual, or QI? The primary qualification is the ability to oversee the organization’s Information Security Program. The QI does not need to be a computer science major or IT professional. You don’t need to know how to conduct a network vulnerability assessment to ensure that one has occurred.

In fact, many of the necessary tasks can be performed by dealership employees or outside vendors, such as Managed Service Providers. But the ultimate responsibility cannot be outsourced – it has to remain within the dealership or group in the person of the QI. That person needs to report to senior dealership management or the board of directors if such a board exists. It is a significant role and needs to be treated as such.

CONDUCT A RISK ASSESSMENT

Once a QI has been designated, that person’s first task should be to conduct a risk assessment (it will be one of many). A risk assessment is an evaluation of the internal and external risks to the security and integrity of data on a network. The Rule refers to the security of customer data, but in the real world businesses protect
6 | MSIADA MISSISSIPPI DEALER Q4 2022