Page 7 - MIADA-Q4-2022
their entire network, not just the slices that might hold customer data. Dealers need to protect their own data, too.

Risk assessments can involve software-driven questionnaires that walk you through common potential risks, and can be supported by vulnerability scans. Note that vulnerability scans are not the same as risk assessments, though they may be part of the risk assessment process. Vulnerability scans should be conducted at least quarterly (some solutions can run vulnerability assessments continuously); risk assessments need to be conducted “regularly,” which should mean at least annually. If certain events occur (switching DMS providers, for example), a new risk assessment should be conducted before the anniversary rolls around.

The Rule requires dealers to inventory their networks. Even though that system inventory is itself a mandatory safeguard (discussed below), the logical time to perform this particular task would be during the risk assessment process.

The risk assessment must be recorded in writing. That written document should evaluate and categorize identified risks, and assess the sufficiency of any safeguards already in place. It should also designate additional safeguards to implement that would address any unmitigated risks the assessment uncovered.

IMPLEMENT SAFEGUARDS

The risk assessment should tell you what needs to be done. Implementing safeguards is the doing. Some safeguards are mandatory:

• ACCESS CONTROLS. Access to customer data must only be permitted to authorized users. Examples of access controls include password protection for electronic databases and locked doors securing physical files.

• SYSTEM INVENTORY. This should already have been performed as part of the risk assessment process. It is broader than you might think, and requires the dealership to consider all locations of customer data, not just the DMS and CRM environments. Websites, appointment scheduling software, personal computers and cell phones of dealership employees may all contain customer data and should be included in the system inventory.

• ENCRYPTION. Customer data needs to be encrypted, both in transit and at rest. Fortunately, many software applications have system settings that can be configured to accomplish this at no cost. Review of the systems inventory should shed some light on where the data resides that requires encryption.

• SECURE DEVELOPMENT PRACTICES. This requirement reminds me that the Safeguards Rule was not written with the average dealership in mind. That’s because the average dealership does not develop its own software. But some do, and even those that do not need to ensure that the software they use for the transmission, processing and storage of customer data was developed by its source using secure practices.

• MULTI-FACTOR AUTHENTICATION. This is a big one. The factors include knowledge (such as knowing a password), possession (such as a one-time code sent to your smart phone), and inherence (such as a fingerprint, facial or retina scan). Access to customer data requires use of more than one type of factor, say a knowledge factor (password) and an inherence factor (fingerprint). Two knowledge factors won’t do.

• DISPOSAL PROCEDURES. When you no longer need customer data, it must be disposed of in a secure manner. Paper records should be shredded; electronic records deleted. Used computers that contain customer data must be scrubbed. And data must be kept no longer than necessary. The Rule would like to see customer data disposed of within two years, but recognizes that it may be retained for longer if required by law or there are legitimate business reasons to do so. This is a good topic to discuss with your local counsel.

• CHANGE MANAGEMENT PROCEDURES. Changes to a dealership’s IT infrastructure can introduce new risks. Those risks need to be recognized and addressed. Change management procedures are how that’s done. NADA included a sample Change Management Policy in its Dealer Guide to the FTC Safeguards Rule.

• MONITORING AND LOGGING OF AUTHORIZED USER ACTIVITY. All system use must be logged; that is, authorized users’ activity must be recorded and unauthorized use must be detected. The Rule doesn’t specify how dealerships must accomplish this requirement, but one way is to engage a Security Operations Center (“SOC”) to handle the task. Machine learning over time can allow the SOC to distinguish authorized from unauthorized behavior. For example, the SOC my company employs sent an alert when someone logged into our network at 11:00 p.m., long after normal business hours. Turns out it was our COO doing some late night work, but now our SOC recognizes that off-hours access from his home computer is “authorized.”

REGULARLY TEST PROGRAM EFFECTIVENESS

You cannot expect what you cannot inspect, so regular testing and evaluation of your Information Security Program is a must. Of all the safeguards the Rule mandates, this one may do the most to actually protect customer data – if it’s done right. This requirement can be satisfied by employing either continuous monitoring (often called “EDR” – endpoint detection and response) or semi-annual vulnerability assessments and an annual penetration test.

IMPLEMENT POLICIES AND PROCEDURES FOR PERSONNEL TO IMPLEMENT YOUR ISP

The greatest threat to customer data security is located between the monitor
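The off-hours alert described under MONITORING AND LOGGING above, as an added example that is not from the article or from any SOC product: a small detector over constructed log lines that flags every login outside assumed business hours unless that (user, source host) pair has been marked authorized, the way the author's SOC learned the COO's home computer. The log format, the business hours, and the user and host names are assumptions made for illustration.

```python
"""Off-hours login alerting over constructed sample logs (added example).

Assumptions: business hours are 7 a.m. to 7 p.m. Monday through Saturday,
and each log line reads "<ISO timestamp> LOGIN user=<name> src=<host> result=<ok|fail>".
"""
from dataclasses import dataclass
from datetime import datetime, time

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed hours; Sunday is always off-hours

# Constructed sample log; dates in Nov 2022 (the 13th is a Sunday, the 14th a Monday).
SAMPLE_LOG = """\
2022-11-14T09:12:03 LOGIN user=jsmith src=SALES-PC-04 result=ok
2022-11-14T23:00:41 LOGIN user=coo src=COO-HOME-LAPTOP result=ok
2022-11-15T02:17:55 LOGIN user=jsmith src=UNKNOWN-HOST result=ok
2022-11-15T02:18:30 LOGIN user=jsmith src=UNKNOWN-HOST result=fail
2022-11-13T15:30:00 LOGIN user=coo src=COO-HOME-LAPTOP result=ok
"""

@dataclass(frozen=True)
class Login:
    when: datetime
    user: str
    src: str
    ok: bool

def parse_log(text):
    """Turn the assumed log format into Login records; blank lines are skipped."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        logins.append(Login(datetime.fromisoformat(ts), fields["user"],
                            fields["src"], fields["result"] == "ok"))
    return logins

def is_off_hours(when, hours=BUSINESS_HOURS):
    start, end = hours
    return when.weekday() == 6 or not (start <= when.time() < end)

def off_hours_alerts(logins, authorized_off_hours=frozenset()):
    """Return (user, src, timestamp) for each off-hours login not on the learned
    allowlist. Failed attempts alert too: an attempt is still system use to record."""
    return [(l.user, l.src, l.when.isoformat()) for l in logins
            if is_off_hours(l.when) and (l.user, l.src) not in authorized_off_hours]

def authorize_off_hours(allowlist, user, src):
    """Record a reviewed alert as authorized, as the SOC did for the COO's home machine."""
    return frozenset(allowlist | {(user, src)})
```

With an empty allowlist the sample produces four alerts; once the COO's laptop is authorized only the two UNKNOWN-HOST logins remain, which is the case that still deserves a phone call.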
MSIADA MISSISSIPPI DEALER Q4 2022 | 7