The risk assessment is intended to help you get your arms around the scope of potential threats to customers’ NPI. If it uncovers areas of weakness, you now know where you should focus your efforts on improving your Safeguards Program.
Conducting a Risk Assessment
Once a QI has been designated, that person’s first task should be to conduct a risk assessment. A risk assessment is an evaluation of the internal and external risks to the security and integrity of data on a network.
Risk assessments can involve software-driven questionnaires that walk you through common potential risks, and can be supported by vulnerability scans. Note that vulnerability scans are not the same as risk assessments, though they be part of the risk assessment process. Vulnerability scans should be conducted at least quarterly (some solutions can run vulnerability assessments continuously); risk assessments need to be conducted “regularly,” which should mean at least annually.
The Rule requires dealers to inventory their networks. Even though that system inventory is itself a mandatory safeguard, the logical time to perform this particular task would be during the risk assessment process.
The risk assessment must be recorded in writing. That written document should evaluate and categorize identified risks, and assess the sufficiency of any safeguards already in place. It should also designate additional safeguards to implement that would address any unmitigated risks the assessment uncovered.
What is a Risk Assessment?
A risk assessment is an effort of identifying and analyzing potential events, hazards, or vulnerabilities that could negatively impact your employees, your customers, and/or your business as a whole.
In the context of the Safeguards Rule your primary risk factor is going to be your dealership’s computer network (and of course, the employees who interact with it), but don’t forget, the Safeguards Rule covers not only the technical aspects of your business but the physical and administrative aspects as well.
A comprehensive risk assessment will first look for areas of potential weakness in your dealership’s computer network. This is usually accomplished by contracting a vendor to conduct a Network Vulnerability Assessment.
Second, it will identify areas of concern when it comes to handling physical documents that contain non-public personal information and look at how those documents are stored and who has access to them.
Finally, it will address how customer NPI is collected both in paper form and electronically and identify who is responsible for that data.
Once you have a Qualified Individual to oversee your dealership’s information security program, your first job is to see that a security risk assessment is conducted. Carrying out the risk assessment will probably be the Qualified Individual’s duty.
The Safeguards Rule does not require the Qualified Individual to perform this task personally – an outside consultant can do it. But the Qualified Individual is responsible for either doing it or seeing that it is done right.
How do I conduct a risk assessment?
A risk assessment is not difficult, but it can seem intimidating if you’ve never done one before. Remember that the purpose of the Safeguards Rule is to protect customers’ nonpublic personal information (or “NPI”) from unauthorized access or use.
A risk assessment, then, should identify those places or circumstances where such information resides and can be at risk. Because customer information can exist in both physical and electronic forms, the risk assessment will need to examine both the dealership’s physical layout and its computer network.
A good way to organize a risk assessment is to trace customer information throughout its life cycle at your dealership. Begin where the information is gathered and consider every point where it is processed, recorded, transmitted, and stored.
Your Qualified Individual should have an understanding of how the dealership functions, the sales, and finance process, and the individuals who are responsible for collecting and using customer data at each step in the transaction.
Why is a risk assessment important?
The risk assessment is intended to help you get your arms around the scope of potential threats to customers’ NPI. If it uncovers areas of weakness, you now know where you should focus your efforts on improving your Safeguards Program.
It is a bit like a doctor diagnosing a patient: now that we know what is wrong, we can prescribe a remedy. After completing the risk assessment, the next step is to design and implement safeguards to address the risks you have identified.
Creating a risk assessment is the first step in building a robust Safeguards Program for your dealership. If you need help getting started, Mosaic and our partners have resources to help. If you would like to learn more contact us for a Safeguards Consultation today or get started now by filling out our Network Status Questionnaire.