F&I and Showroom, August 2019
COMPLIANCE

to $10,000 per month for such services. What exactly would that sum buy?

The first and essential element is the CISO. Among the CISO's duties is to ensure that either continuous monitoring or periodic penetration testing and vulnerability assessments occur. Neither is cheap.

A robust and continuous network monitoring program is typically priced according to the number of networked devices in your IT environment and can quickly escalate to four- or five-figure price points per month. For that princely sum you could expect 24/7 live network monitoring within a vendor's security operations center, where analysts are constantly monitoring the health of your network. Compared to building this function in house, this is a bargain. But it is expensive however you slice it.

In the alternative, a dealership may conduct periodic penetration testing and vulnerability assessments. How often? The new rule calls for annual internal and external network penetration testing, and vulnerability assessments every six months. While network vulnerability assessments (NVAs) can be somewhat automated, which helps keep prices down, penetration tests take heavy human involvement and therefore are not easily scalable (read: expensive). Prices vary due to the size and complexity of each individual dealership's IT environment, but per-test costs can easily exceed $8,000. Penetration tests require an ethical hacker to conduct a range of manual tests to emulate a real-life cyberattack, then develop a report listing all the vulnerabilities found and how to fix them.

Returning to the cost of the outsourced CISO, the $4,000 to $10,000 monthly cost can be expected to include at least some of the NVA and pen test expenses. And that does not include the internal cost of the senior member of your personnel required to be responsible for the direction and oversight of the CISO.

And what are the CISO duties that need to be overseen? Here's a partial list:

- Access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of customer information, and to periodically review such access controls.
- Identification and management of the data, personnel, devices, systems and facilities necessary to achieve your business purposes.
- Restricting access at physical locations containing customer information only to authorized individuals.
- Protecting by encryption all customer information held or transmitted by you, both in transit over external networks and at rest.
- Adopting secure development practices for in-house developed applications utilized by you for transmitting, accessing or storing customer information, and procedures for evaluating, assessing or testing the security of externally developed applications you utilize to transmit, access or store customer information.
- Implementing multifactor authentication for any individual accessing customer information.
- Including audit trails within the information security program designed to detect and respond to security events.
- Developing, implementing and maintaining procedures for the secure disposal of customer information in any format that is no longer necessary for business operations or for other legitimate business purposes.
- Adopting procedures for change management.
- Developing and implementing policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access to, use of, or tampering with customer information by such users.

Not only must the CISO perform the duties contained in the Safeguards Rule, he must document the steps taken to satisfy it. That written report must be made at least annually and submitted to senior management. The report must demonstrate security efforts; the overall level of risk must be measured through some sort of tangible method in order to track progress. A check-the-box report simply won't do.

The bottom line here is that what has always been best practices under the original Safeguards Rule is about to become mandatory. The proposed new rule has not been finalized yet, so its requirements may still change. But change is coming, and it will require a significant effort on the part of dealerships to comply. That effort will not come cheap. Sorry.

ABOUT THE AUTHOR: James S. Ganther, Esq., is the co-founder and CEO of Mosaic Compliance Services. He is a dealer compliance expert and a prolific writer and speaker. Email him at jim.ganther@bobit.com.

The author estimates salaries for full-time CISOs will start at about $100,000, a prohibitive amount for a single-point dealer.