Subject to the FTC Safeguards Rule? Your first 3 steps.
February 09, 2021
Infosec Policies | Vendor Onboarding
If you are subject to the FTC Safeguards Rule, it can be hard to know where to start with your compliance effort. An important first piece of information to keep in mind is that the proposed changes to the FTC Safeguards Rule have not yet been adopted. Therefore, your most immediate compliance concerns should focus on fulfilling the text adopted in 2002. Here's where to start:
FTC Safeguards Rule - First 3 Compliance Steps
1. Adopt InfoSec Policies
The FTC Safeguards Rule requires you to have an information security plan. Not just a memo to the team about security. Not just a team meeting where security is a topic. Rather, a full information security plan.
Our recommended way to adopt a strong information security plan is to begin with a battle-tested template (not one that you handcraft from File => New), tune it to your organization's particular needs (if necessary), and have everyone on the team review and acknowledge it. This includes new hires who join after the date on which the plan was initially adopted.
Clients that get started with Havoc Shield often arrive in a situation where they didn't previously have a strong, well-defined information security plan. We can fix that on day #1. Feel free to pull us in to make that happen in your organization.
2. Implement Modern Training
The FTC Safeguards Rule requires employee training. If it sounds unappealing to spend your day drafting a security awareness training session, you aren't alone. Founder-led teams without any cybersecurity professional on-staff are hard pressed to find the time or motivation to create internal security training. Good news: there's rarely a need to create this type of training from scratch, unless you have some extraordinarily unique infosec factors in your particular business.
We recommend that our clients deploy 15-30 minute online / digital training sessions that incorporate interactive quizzes, paired with audit trail logs that track who completed each training (and when). Further, we recommend automatically triggering notifications about training requirements to new employees during onboarding, so that growing teams know that they are always in compliance even as employees come and go.
At Havoc Shield, setting up this type of digital training program is just a few clicks in a rollout wizard. We handle the "fan out" of training tasks to all team members including new ones that join.
3. Review Service Provider Contracts
The FTC Safeguards Rule requires you to enforce security obligations in your agreements with service providers. In other words, if your infosec policies commit to certain security obligations, such as requiring multifactor authentication for anyone accessing customer data, you'll want a way to ensure that the service providers you rely on are doing their part too. A policy that is carried out by all employees but disregarded by service providers that have internal access to your systems is disjointed and ineffective.
Taking Action on the FTC Safeguards Rule
Although the FTC Safeguards Rule is more involved than the above three items, these items are a great starting point. With policies in place that establish ground rules for security, a trained team, and partners that understand their obligations, your organization will be off to a great start towards implementing a broader FTC Safeguards Rule compliance program.