7 Fast Steps for FTC Safeguards Rule Compliance
March 23, 2021
Cyber Security | Implementation | Infosec Policies | compliance | FTC
Every small business is unique, and should consult a qualified attorney for advice on the FTC Safeguards Rule (detailed reading here). But, as cybersecurity professionals, we believe you should have a way to jumpstart your effort while you work with counsel on the particulars of your situation. So, today we're offering concrete, actionable steps that will move you toward some of your FTC Safeguards Rule obligations. Let's cut straight to the chase:
§314.4 of the FTC Safeguards Rule
We have much to say about §314.4, which describes the elements you must address to develop, implement, and maintain an information security program that satisfies the FTC Safeguards Rule. Here, we'll walk through what you can do inside Havoc Shield to prepare for a serious discussion (with your attorney) about how you will fulfill those obligations. Here's the step-by-step of what we'd suggest you do in Havoc Shield to be ready for that conversation.
§314.4(a): Designating Employee(s) to Coordinate your Infosec Program
In Havoc Shield there is an unambiguous way to specify precisely which employees coordinate your company's infosec program. Every Havoc Shield account has a Team page where you can add each employee either as a User or as a Group Leader. Group Leaders are the employees that receive administrative rights and action items with regard to making infosec program decisions such as what policies to roll out and which security controls to implement.
Whoever you identify in Havoc Shield as your Group Leaders, make sure that any "off platform" infosec materials and communications (policies, vendor contracts, board updates) name those same individuals as your infosec program coordinators. Inconsistent records about who is responsible are an easy thing for an auditor or regulator to notice.
§314.4(b)(1): Employee Training
§314.4(b) requires you to identify reasonably foreseeable internal and external risks to customer information and to assess the sufficiency of any safeguards in place to control those risks. Subsection (b)(1) names employee training and management as one of the areas that assessment must cover.
One of the first things you could do to make headway on this item (if you are a Havoc Shield customer or if you've created a free trial in Havoc Shield) is to roll out Security Awareness Training. Bonus: our training is typically rolled out in conjunction with phishing simulations.
Whatever else you do to evaluate risks and assess safeguards, you'll definitely want fundamental cybersecurity training in place for every employee who handles customer information, with a record of who completed it and when. That's easy; you could roll that out in the next ten minutes inside the Havoc Shield platform.
§314.4(b)(2): Information Systems
We're continuing with the theme of identifying reasonably foreseeable internal and external risks and assessing the sufficiency of your safeguards, this time through an Information Systems lens: network and software design, and how information is processed, stored, transmitted, and disposed of.
Do you already have a recurring Risk Assessment Meeting in place, with the right stakeholders, and a register of tracked risks with their associated Likelihood and Impact?
If you don't yet have that, hop into Havoc Shield to roll out our recommended recurring Risk Assessment Meeting template to your team (if you fill in the Team tab correctly, we'll make it easy for you to roll out the calendar invites to them).
You may have some additional obligations related to this set of risks, but having that type of recurring meeting in place is "table stakes" for establishing reasonable safeguards.
§314.4(b)(3): Detecting, Preventing, and Responding to Attacks
Much can be said here (and there are dozens of Havoc Shield program elements that relate to this). However, a great starting point is to ensure that you have recurring web vulnerability scans against your company's web assets.
When you launch recurring web vulnerability scans in Havoc Shield, you are chipping away at the "preventing" part of this obligation. You'll be able to rapidly see any new web vulnerabilities that we detect, so that you can race to implement remediations. Keep in mind that scans only cover your internet-facing web assets; the "detecting" and "responding" parts also call for logging you actually review and a written incident response plan that names who does what when something goes wrong.
§314.4(c): Design & Implement Information Safeguards
Two thoughts immediately jump to mind on this point. First, do you have an SDLC policy that covers your change management process? At the heart of any design change, you need some sense of the security implications of the change and a defined way of evaluating whether it is safe to ship. Rolling out an SDLC Policy with a Change Management section, via Havoc Shield, is a good start.
Second, in your recurring Risk Assessment Meeting (covered previously in this article), are you documenting your progress toward remediating the risks you have identified? And, for those you haven't yet fully remediated, are you re-scoring the risk level on a recurring basis (via Impact and Likelihood scoring) to make sure you are thinking critically about it? If not, you'll want to; §314.4(c) asks not just that you design safeguards but that you regularly test or monitor whether they are working.
§314.4(d): Oversee Service Providers
We'll make this one brief: we highly recommend that you implement the Vendor Risk Register in Havoc Shield to track and monitor the risks associated with your vendors in a rigorous way. It's a great way to make sure that a risk you notice doesn't get forgotten or overlooked as you continue discussions with current (and possible replacement) vendors.
Don't stop there: the rule also expects you to select providers capable of maintaining appropriate safeguards and to require those safeguards by contract. But maintaining this risk register is a great start toward your vendor oversight responsibilities under the FTC Safeguards Rule.
§314.4(e): Evaluate & Adjust Your InfoSec Program
Whether or not you are subject to the FTC Safeguards Rule, this one should go without saying. As your business evolves, as your vendor dependencies evolve, as your products and services evolve, your infosec program also needs to evolve. Security isn't something you can "finish"; it changes as the threat landscape changes.
We definitely recommend completing the Foundational Cybersecurity Program in Havoc Shield, and watching for the additional security controls that we add to that program from time to time. But we also urge you to use your policies (feel free to start with our templates) as a discussion point for whether your security controls, and your monitoring of them, are adequate.
FTC Safeguards Rule - Don't Stop Here
This article is just a starting point. It doesn't take into account your unique circumstances, and it doesn't delve into every nuance of the rule. However, if you start with the steps described here, we believe you'll be well positioned as you work through a more rigorous evaluation of whether you've met all of your FTC Safeguards Rule obligations. And we're standing by if you need additional help along the way!