Let's continue with the list of mandatory safeguards:

Access Controls

Access to customer data must be only permitted to authorized users. Examples of access controls include:

• password protection for electronic databases

• locked doors securing physical files

Systems Inventory

This should already have been performed as part of the risk assessment process. It is broader than you might think and requires the dealership to consider all locations of customer data not just the DMS and CRM environments. Website appointment scheduling software, personal computers, and cellphones of dealership employees may all contain customer data and should be included in the system inventory.

Secure Development Practices

This requirement reminds us that the Safeguards Rule was not written with the average dealership in mind. That's because the average dealership does not develop its own software. But some do, and even those that do not need to ensure the software they use that involves the transmission processing, and storage of customer data was developed using secure practices.

A Risk Assessment should tell you what needs to be done. Implementing Safeguards is the doing. Some Safeguards are mandatory. The ones I consider most important include:

Encryption

Customer data needs to be encrypted both in transit and at rest. Fortunately, many software applications have system settings that can be configured to accomplish this at no cost. A review of the systems inventory should shed some light on where the data resides the requires encryption.

Multi-Factor Authentication (MFA)

This is a big one. The factors include:

• Knowledge, such as knowing a password.

• Possession, such as a one-time code sent to a smartphone that you possess

• Inherence, such as a fingerprint, facial, or retina scan.

Access to customer data requires the use of more than one type of factor. For example, a Knowledge Factor like a password and an Inherence Factor like a fingerprint. Two knowledge factors won't do.

Continuous Monitoring

What the rule calls Continuous Monitoring is commonly called Endpoint Detection and Response or EDR in the IT world. It involves engaging a Security Operation Center or SOC to monitor your network 24/7/365 to detect intrusion attempts and shut them down. It is not cheap but it's very effective.

Conducting a Risk Assessment at Your Dealership

Once a QI has been designated, that person’s first task should be to conduct a Risk Assessment. A Risk Assessment is an evaluation of the internal and external risks to the security and integrity of data on a network.

Risk Assessments can involve software-driven questionnaires that walk you through common potential risks and can be supported by Vulnerability Scans. Note that vulnerability scans are not the same as Risk Assessments, though they may be part of the Risk Assessment process.

Vulnerability Scans should be conducted at least quarterly. Some solutions run Vulnerability Scans continuously. Risk Assessments need to be conducted regularly which should mean at least annually.

If certain events occur (switching DMS providers, for example) a new Risk Assessment should be conducted before the anniversary rolls around.

Inventory of the Dealership Network

The Rule requires dealers to inventory their networks. Even though that System Inventory is itself a mandatory Safeguard, the logical time to perform this particular task would be during the Risk Assessment process.

Documentation of the Risk Assessment

The Risk Assessment must be recorded in writing. That document should evaluate and categorize identified risks and assess the sufficiency of any Safeguards already in place. It should also designate additional Safeguards to implement that would address any unmitigated risks the Assessment uncovered.