We have assembled this information as a proactive way of providing our compliance information to our partners. It is focused on the specific elements of the FTC Safeguards Rule, 16 CFR § 314.4. Each paragraph and item of section 314.4 is addressed below.
We have created a concise, downloadable questionnaire with our answers pre-filled in for you to make evidence gathering easier.
(a)
A Qualified Individual responsible for overseeing, implementing, and enforcing our information security program has been designated.
(a)(2)
A senior member of Quality Assurance, Inc. is designated as responsible for the direction and oversight of the Qualified Individual.
(a)(3)
Our Qualified Individual, engaged through a third party, is required to maintain an information security program that protects Quality Assurance, Inc. in accordance with the requirements of 16 CFR § 314.4.
(b)(1)
We base our security program on multiple factors, including a risk assessment, which identifies reasonably foreseeable internal and external risks.
(b)(1)(i, ii, iii)
This assessment fulfills the criteria requirements outlined in these paragraphs.
(b)(2)
Our security program requires a risk assessment at least annually, meeting the criteria and requirements of 16 CFR § 314.4(b).
(c)(1)(i, ii)
Authorization and access controls are reviewed at regular intervals and during key events (partner dealership, employee, or contractor onboarding and offboarding) to ensure that access remains appropriate. Users responsible for their respective data domain (e.g. a dealership and its service customers) are also able to manage certain levels of access to their corresponding data as they see fit. Authentication is required at every point of access to data covered under 16 CFR 314 that is under our stewardship.
(c)(2)
Data, personnel, devices, systems, and facilities are identified and managed pursuant to our risk assessment and security program.
(c)(3)
Any customer data under our stewardship is encrypted both in transit and at rest, with the following exception:
(c)(4)
Our development practices are subject to the access controls described above in this section. Any sensitive code or information is stored encrypted and behind access controls. Retention of customer data in source control or testing environments is prohibited by policy.
(c)(5)
Access to information systems requires multi-factor authentication or compensating factors such as:
(c)(6)(i, ii)
Processes for securely disposing of customer data are followed as needed. Because data analytics is a core component of our business offerings, we retain data unless asked to expunge it from our systems, in which case the secure disposal process is followed. The volume and nature of the data retained are periodically reviewed for relevance, and data is disposed of as necessary.
(c)(7)
We follow an ITIL change management process adapted to the needs of the business. As part of our security program, changes to user access to data, and major software changes involving non-anonymized data, are documented and approved in a ticketing system.
(c)(8)
User access to information systems and to our developed software products is logged, and the logs are retained for a long duration. High-level monitoring of information systems is performed to detect attacks against services. Automated measures are also in place: accounts are locked after repeated failed login attempts, and certain key user-management activities (e.g. password resets) trigger notifications.
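One way to implement the lockout and notification measures described above, as an added example. This is illustrative Python written for this page, not Quality Assurance, Inc.'s own code; the log line format, the five-failures-in-ten-minutes lockout policy, and the set of events that trigger notifications are all assumptions, and the log lines are constructed sample data.

```python
"""Added example: sliding-window account lockout after repeated failed logins,
plus notifications for sensitive user-management events, evaluated over a
constructed sample of authentication log lines. Not the page's own code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; the page states neither a threshold nor a window.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=10)
# Assumed set of user-management events that should notify an owner.
NOTIFY_EVENTS = {"password_reset", "mfa_disabled", "role_changed"}

# Constructed sample log in an assumed "timestamp user event source_ip" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice login_failed 203.0.113.10
2024-05-01T09:00:05Z alice login_failed 203.0.113.10
2024-05-01T09:00:09Z alice login_failed 203.0.113.10
2024-05-01T09:00:12Z alice login_failed 203.0.113.10
2024-05-01T09:00:15Z alice login_failed 203.0.113.10
2024-05-01T09:00:20Z alice login_failed 203.0.113.10
2024-05-01T09:05:00Z bob login_failed 198.51.100.7
2024-05-01T09:30:00Z bob login_failed 198.51.100.7
2024-05-01T09:31:00Z bob login_success 198.51.100.7
2024-05-01T10:00:00Z carol password_reset 192.0.2.44
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def evaluate(log_text, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return (locked, notifications).

    locked maps user -> timestamp of the failure that triggered the lockout.
    notifications is a list of (timestamp, user, event, ip) for NOTIFY_EVENTS.
    """
    failures = defaultdict(deque)  # user -> timestamps of failures in window
    locked = {}
    notifications = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, ip = parse_line(raw)
        if event in NOTIFY_EVENTS:
            notifications.append((ts, user, event, ip))
        if event == "login_success":
            failures[user].clear()  # a successful login resets the counter
            continue
        if event != "login_failed" or user in locked:
            continue  # already locked: further failures change nothing
        recent = failures[user]
        recent.append(ts)
        # Drop failures that fell out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            locked[user] = ts
    return locked, notifications


if __name__ == "__main__":
    locked, notes = evaluate(SAMPLE_LOG)
    for user, when in locked.items():
        print(f"LOCKED {user} at {when.isoformat()}")
    for ts, user, event, ip in notes:
        print(f"NOTIFY {event} for {user} from {ip} at {ts.isoformat()}")
```

In the sample, alice is locked on her fifth failure within ten minutes, bob's two failures are 25 minutes apart and so never accumulate, and carol's password reset produces a notification. A real deployment would enforce the lockout at the authentication service and route the notifications to the account owner and the security team; the sliding window here is the part that keeps a slow, spread-out guessing attempt from being counted the same way as a burst.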
(d)(1)
We regularly perform security assessments to determine the effectiveness of the safeguards' key controls, systems, and procedures.
(d)(2)
Monitoring is in place across infrastructure, applications, users, and integrations. Logs and metrics are reviewed periodically, and instrumentation automatically notifies us when security-related criteria are met. System changes are managed through Infrastructure as Code (IaC), which we also use to detect configuration drift. Code and dependencies are scanned for vulnerabilities and remediated within a short SLA. System dependencies and software in scope for FTC Safeguards are likewise patched within a very short SLA.
(d)(2)(i)
Penetration testing of our systems as a whole is not performed annually because of the cost of such an engagement. We engage our industry expert partners on a regular basis to penetration test new applications and material changes to systems.
(d)(2)(ii)
Systematic scans of in-scope information systems to identify security vulnerabilities are performed automatically and frequently. Vulnerability assessments are part of our Information Security Program review process.
(e)(1, 3)
Personnel are required to periodically review security awareness training materials. Those materials cover general information security best practices and, where applicable, the security risks identified by our risk assessments or Information Security Program.
(e)(2, 4)
Quality Assurance, Inc. engages industry experts who are qualified to contribute to our security posture and our Information Security Program. These expert providers are consistently engaged in maintaining knowledge of the changing information security landscape, technologies, and security threats.
(f)(1, 2)
Service providers are chosen carefully to ensure they have the capability to maintain the safeguards required by FTC Safeguards. Maintaining appropriate controls to protect customer information, as required by FTC Safeguards, is required by contract.
(f)(3)
Our service providers are evaluated regularly to ensure that appropriate safeguards and best practices are employed to protect customer information as required by FTC Safeguards.
(g)(1)
Quality Assurance, Inc. uses multiple factors to drive our Information Security Program, including our regular risk assessment and systems monitoring review. These factors are used to evaluate and adjust our Information Security Program.
(h)(1, 2, 3, 4)
We have developed an incident response plan which defines internal processes, roles and responsibilities, and a communication strategy. It is reviewed regularly along with our Information Security Program and risk assessments.
(h)(5)
Our Information Security Program addresses the identification and remediation of any identified risks in systems and controls.
(h)(6, 7)
The incident response plan includes documentation criteria for security events, and the plan is revised as part of the regular reviews of our Information Security Program and risk assessments described above.
(i)(1, 2)
Our Information Security Program includes a regular risk assessment report. The report also covers higher-level concerns regarding compliance, risk management, and security events, together with general recommendations for progressing the Information Security Program. It is prepared by our Qualified Individual and reviewed with senior leadership. You can read the full text of the FTC Safeguards Rule (16 CFR § 314) at the Federal Register, or get a basic summary.
Please don't hesitate to contact us if you have any questions or concerns regarding our compliance stance in partnership with your dealership.