REQUIRED INFORMATION SECURITY PROGRAM COMPONENTS
The safeguards required by the newly updated GLBA/FTC Safeguards Rule are simple to implement for a trained team like the cyber security team here at WOM Technology Management Group. In the past, the most difficult parts of cyber security implementations for small businesses have been cost and complexity. At WOM Technology Management Group, our minimum required level of cyber security for our clients exceeds the requirements of the FTC regulation, and we have mastered the task of scaling down these implementations to make them affordable and manageable for companies with as few as one employee/owner. All of the measures listed below are included in our most basic managed cyber security service plan. The following is a brief explanation of some of the major compliance measures required by the FTC Safeguards Rule:
Businesses must implement and periodically review access controls, which are security measures designed to control who can access your customers’ information. For example, an organization might require employees to log in with a unique user ID and password, or it might use an electronic key card system. The key is to ensure that only authorized individuals can access customer information and that they can only access the information they need to do their job. Once access controls are in place, remember to review them regularly.
One of the first steps in protecting your data is to conduct a periodic inventory, noting where and how data is gathered, stored, and transmitted. This will help you keep an accurate list of all systems, devices, platforms, and personnel that have access to your data. By keeping track of these things, you can quickly identify any potential security risks and take steps to mitigate them.
Encryption is a process of transforming readable data into an unreadable format. It prevents anyone who does not have the key from being able to access the information. Encryption is critical to any comprehensive data security program and is necessary to comply with the FTC Safeguards Rule.
If your business has developed custom applications that store, access, or transmit customers’ personal information, it is critical that you evaluate whether they meet FTC safeguarding standards.
Organizations are required to implement Multi-Factor Authentication (MFA) to access company applications or customer data. MFA adds an extra layer of security to data access by requiring users to provide more than one authentication factor when logging in.
CUSTOMER INFORMATION DISPOSAL
Businesses must take reasonable measures to protect consumer information by securely disposing of any data within two years of serving a customer. The rule applies to paper records and electronic data, and it establishes guidelines for both the storage and destruction of customer information.
Businesses must anticipate changes to their information systems to comply with the new regulations, including new equipment, technology, software, updates, or personnel changes that could affect customer information security.
Organizations are required to take steps to protect customer information from unauthorized access. It is recommended that businesses implement continuous monitoring protocols, as they must keep a log of all access, by both authorized and unauthorized users, and take proactive steps to prevent unauthorized access from happening in the first place.
A proper cyber security implementation process ALWAYS begins with a cyber security risk assessment. Our team works with business owners, internal IT managers/departments, and managed IT service providers to make sure that businesses like yours are secure and compliant, and that leaders like you can be confident that your IT and Cyber Security are properly managed.
Read the full FTC.gov article here: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know