Simplifying the FTC Written Information Security Program (WISP) Guidelines

As you have hopefully heard by now, the Federal Trade Commission (FTC) recently issued complicated new amendments to its Safeguards Rule, which require dealers to undertake a series of procedural, technical, and contractual steps in order to protect personal data handled or maintained by them or their affiliates. The amended Rule’s requirements must all be completed by December 9, 2022. There is quite a lot that dealers must do if they hope to ensure compliance by the deadline. With December approaching fast, the time to act is now. 

Dealerships need to develop a Written Information Security Program (WISP) that contains administrative, physical, and technical safeguards. Magna5 developed a WISP that firmly adheres to these requirements with appendices that provide clarification. Dealerships may purchase templates for a flat fee or work with Magna5’s Virtual CISO services to write and implement their WISP.   

The following list outlines the requirements in the Safeguards Rule. 

Requirement 1: Designate a Qualified Individual to implement and supervise your information security program. Your dealership needs a ‘qualified employee’, i.e., a CISO-like employee responsible for overseeing and implementing the security program. To that end, Magna5 can support your dealership with vCISO and Managed Detection and Response (MDR) services. Requirement 16 mandates that this qualified employee report in writing to the board or governing body at least annually.

Requirement 2: Conduct a risk assessment. The risk assessment is separate from the WISP itself, but a risk assessment policy is included as an appendix to the WISP. It must be written and include criteria for evaluating internal and external threats to the confidential data you are responsible for. Magna5’s vCISO can help your team with their annual risk assessment under a separate project.

Requirement 3: Implement and periodically review access controls. Dealerships need access control policies and the means to enforce them. They need to implement the principle of least privilege and periodically reevaluate the access they have granted. This requirement may be partially covered by an onboarding and offboarding program, provided as an appendix to the WISP. Dealerships must determine who has access to customer information and reconsider on a regular basis whether those people still have a legitimate business need for it.

Requirement 4: Know what you have and where you have it. This element is covered within the WISP policy, and Magna5’s best-in-class patch management, endpoint protection, and MDR threat hunting programs can put the required controls into practice.

Requirement 5: Encrypt customer information on your system and when it’s in transit. Encrypting Windows devices with BitLocker is necessary. More importantly, encrypting network traffic is essential to this rule. Magna5 can work with your teams to bolster existing firewalls and ensure that dealership and customer data is protected.

Requirement 6: Assess your apps. If your company develops its own apps to store, access, or transmit customer information – or if you use third-party apps for those purposes – implement procedures for evaluating their security. Magna5 can provide these services with routine monitoring and vulnerability scanning. 

Requirement 7: Implement multi-factor authentication for anyone accessing customer information on your system. Implement MFA on VPN and O365 as well as Active Directory. Magna5’s skilled engineers can help you fine-tune your Active Directory or implement MFA across your environment.

Requirement 8: Dispose of customer information securely. This policy component is included in the WISP. 

Requirement 9: Anticipate and evaluate changes to your information system or network. The Safeguards Rule requires financial institutions to build change management into their information security program so as not to undermine existing security measures. Magna5’s WISP contains a change management policy that dealerships can use as a guide for navigating architectural changes across their environment. 

Requirement 10: Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Magna5 can work with your dealership to implement Security Information and Event Management (SIEM) solutions that retain log data for as long as is necessary to meet your compliance needs.

Requirement 11: Regularly monitor and test the effectiveness of your safeguards. Magna5 includes guidance for this process in the WISP. We have partnered with crisis managers who professionally run exercises and can work with you to discover shortcomings and oversights in your current plans. 

Requirement 12: Train your staff. Cybersecurity training and phishing tests are critical. Magna5 can provide a mix of automated and live training to your employees on the topics of cybersecurity and insider threats. 

Requirement 13: Monitor your service providers. Magna5 is SOC 2, HIPAA, and PCI compliant. Included in the WISP is a Third-Party Vendor Risk Management Policy that will help you vet your service providers to ensure that your data is secure along the supply chain.

Requirement 14: Keep your information security program current. Magna5 includes this policy in the WISP. We can assist your dealership by implementing vulnerability scanning, penetration testing, zero trust policies, and endpoint/server monitoring.

Requirement 15: Create a written incident response plan. This is the linchpin of this program. It will guide you through what is necessary to implement all FTC safeguards.  

Requirement 16: Require your Qualified Individual to report to your Board of Directors. The Qualified Individual must report in writing regularly – and at least annually – to the Board of Directors or governing body. This requirement is covered in the WISP.

Get in contact with Magna5 today for help getting compliant. The revised Safeguards Rule issued by the FTC is a critical issue with a critical deadline (December 9, 2022) – if you have not focused on this new rule, it’s time to do so!