Appoint a single qualified individual: Designate someone who can responsibly oversee implementation, oversight and enforcement of your information security program.
Train employees on security awareness: Teach your staff the security issues your dealership could face, such as phishing and mishandling of customer records. The personnel who run the program must keep current on security threats and countermeasures, and the rule requires you to verify that they do. Update the training whenever your risk assessments identify new threats.
Write your risk assessment: The new rule requires a written risk assessment that you repeat periodically. In the written assessment, you must:
- Identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information.
- State the criteria you use to evaluate and categorize those risks.
- Clearly describe how your company will address each risk, including whether you will mitigate it or accept it and the specific safeguards you will use.
- Reassess the sufficiency of the safeguards you have in place to control the risks, and repeat the assessment whenever your business or operations change materially.
Install the required safeguards: Implement and periodically review the administrative, technical and physical safeguards that protect customer information. Consider who has access to the information, where and how you store the data and what types of data you collect.
Other required safeguards are:
- Implement and periodically review access controls, including technical and physical controls, so that only authorized users can reach customer information and each user sees only what their job requires.
- Conduct a data and systems inventory. Identify what customer information you hold, where it lives, how you collect it and where it flows.
- Encrypt customer information in transit over external networks and at rest. Where encryption is infeasible, the qualified individual must approve an effective alternative control in writing.
- Require multifactor authentication for any individual accessing any information system, not just the systems where data is stored, unless the qualified individual approves a reasonably equivalent control in writing.
- Develop, implement and maintain procedures to securely dispose of customer information no later than two years after you last use it for a business purpose, unless you still need it for a business purpose or the law requires you to keep it.
- Periodically review your data retention policies to minimize unnecessary data retention.
- Adopt change-management procedures so that changes to systems handling customer information are reviewed before they go live.
- Monitor and log the activity of authorized users, and log enough detail to detect unauthorized access to or use of customer information.
Conduct annual penetration testing: Continuously monitoring your information systems is difficult and expensive. If you do not continuously monitor, the rule requires annual penetration testing (also known as ethical hacking) together with regular vulnerability assessments. Most dealers will hire a third party to assist them with this process, which involves launching actual or simulated attacks against your systems to find weaknesses that could be exploited.
Conduct vulnerability assessments at least every six months: Perform a vulnerability assessment at least every six months and whenever you have a material change to your business or operations. You'll scan and review your software, websites and devices for publicly known security vulnerabilities. Use a vulnerability scanner (several inexpensive ones are available), or hire a third party to do it for you, and track each finding through to remediation.
Oversee your service providers: Select providers that can maintain appropriate safeguards for customer information, require those safeguards in your contracts with them, and periodically assess each provider's level of risk and the adequacy of its safeguards. One way to do this is to administer a risk assessment questionnaire on a periodic basis.
Develop an incident response plan: Your written incident response plan describes how you will respond to security events. Include the goals of the plan, the internal processes for responding to security events, and the roles and responsibilities of internal and external parties, including how and with whom you will communicate during an incident. Describe who has decision-making authority and define requirements for remediating any system weaknesses the event exposes. Describe how you will document and report security events and the response to them. Finally, address how you will evaluate and revise the plan following a security event.
Report annually: The qualified individual must report in writing, at least once a year, to the board of directors or an equivalent governing body (or to a senior officer if there is no board). The report must describe the overall status of the program and your compliance with it, including the results of risk assessments and testing, service provider arrangements, any security events or violations from the past year and how management responded to them, and recommended changes to the program.