Qualified Individual – each dealer must appoint a qualified individual to carry out and supervise your information security program.
Risk Assessment – a risk assessment must be carried out to identify points of vulnerability, so they can be addressed immediately by your team.
Implement Safeguards To Manage Risk – some of the safeguards you should be putting in place include: a review of access controls; knowing what information you have and where it is stored; encryption of customer information both at rest and in transit; a thorough assessment of your in-house and third-party apps; multi-factor authentication for access to information; a secure method of disposing of customer information; change management procedures for your information systems; logging of both authorized and unauthorized activity; and regular monitoring and testing of your safeguards.
Staff Training – since employees are often the weakest point in any security system, they need to be trained, and that training needs to be periodically refreshed so that it sinks in.
Monitor Service Providers – anyone you do business with must have the same safeguards in place that you are required to have.
Information Security Program Currency – your program must be kept current at all times, and that means applying whatever updates are necessary when they are necessary.
Incident Response Plan – each dealer must have a formal written incident response plan that identifies the personnel on the response team and describes how they will respond to and resolve incidents.
Report To Board Of Directors – whoever you have designated as your Qualified Individual must provide an annual report to the Board of Directors (or at least senior management) on the status of your information security program.