Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hello everyone, and welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you joining us here as we dive into our educational series on the FTC Safeguards Rule Checklist for Compliance. In this series, we are going to go through what the FTC Safeguards Rule is, all of the requirements, all of the penalties, and then in each of the episodes, we'll dive into a very specific checklist item that we've easily documented on our FTC Safeguards Rule Checklist for Compliance checklist that's available in this podcast description and also right on our website.
So, very excited to have you, and without further ado, we will jump right into what the FTC Safeguards Rule actually is. Now, at a very high level, FTC Safeguards Rule requires that you create an information security program to protect consumer information, consumer client information. That is a very high-level statement, very vague statement.
Interestingly enough, it's what used to be all of the guidance that the Gramm-Leach-Bliley Act, GLBA, provided related to protecting customer information. What the FTC Safeguards Rule does is provide more specifics to that very general requirement, and what those specifics are, depending on how you count, 9 to 11 core requirements, but what those are, all listed on our checklist, is to designate a qualified individual for your information security program, utilize a risk-based approach to create your information security program, implement appropriate security controls to protect customer information, continually monitor, review, and test those controls, which needs to include an annual penetration test and semi-annual vulnerability assessments. Your information security program needs to have appropriate policies, procedures, and employee training.
You need to manage service providers appropriately to make sure that they're also properly securing customer data. The information security program must be continually improved and reviewed. You need to have appropriate incident response management procedures and structures in place so you can respond to data breaches effectively.
And finally, there needs to be reporting to senior management at least annually. Those are all the specific checklist requirements for the FTC Safeguards Rule. What we'll do today is actually dive into what it means to designate a qualified individual, how you can easily do that, and some of the common pitfalls, and also resources that we have to make that even easier.
Before we jump into designating a qualified individual, the reason that this is so important is the fines related, the penalties related to not complying with the FTC can be pretty serious. For the business, that can be up to $100,000 per violation just under the FTC Safeguards Rule. It can also be up to $10,000 per violation to senior management.
So that's separate from the business. That's business fines, senior management individual fines. Additionally, there can also be up to five years in prison to senior management per violation.
So not complying with the FTC Safeguards Rule can be very, very costly, not only for the business, but also for each of the different senior management individuals. And in cases where it's a solopreneurship or a very small organization, that line gets very, very blurry between business and individual. So very important to follow the FTC Safeguards.
Diving into today's deep focus, designating a qualified individual. Now, all that really means is that you're specifying someone to be the central figure of your information security program. This is the individual that's going to make sure that it's effective.
They're going to make sure that everything is being properly enforced, that everything is set up, that the appropriate security controls are in place, risk management is being performed. Basically, every item on the checklist is being effectively executed. That's what this individual will be responsible for.
They will also be a direct line between the organization, between suppliers, between everything related to the information security program and senior management. And they'll work with all of the different departments, IT, HR, legal, all of those to make sure that ultimately the information security program requirements are being executed and that they're being executed effectively. They'll essentially manage the full information security program.
That's your qualified individual. Now, one of the things to make sure is in place for the qualified individual is that they're actually qualified. And that can be a pretty vague statement.
What essentially you're looking for is that this qualified individual has experience in cybersecurity, risk management, and compliance. They should also have some of the soft skills around leadership, project management, not requirements, but those definitely help. It's also very important that this individual has the authority to enforce all of the measures across the organization, whether that's their direct authority or the authority of working with senior management and senior management enforcing.
So, they must be qualified, they must have the authority, and they need to have the appropriate resources and time and money and personnel to be able to effectively manage, execute, and enforce the information security program. Now, one of the things that we see pretty regularly when looking at information security programs during audits, and something you want to watch out for as it relates to your qualified individual, is understanding the difference between accountability and responsibility. Accountability is ultimately whose head is on the chopping block.
According to the FTC safeguards, that's senior management. That accountability can never be transferred. You can make somebody else responsible for the ISP.
Your qualified individual can be the responsible party, the one that's executing, the one that's doing everything, but ultimate accountability is still going to fall to senior management. So, it's very important that senior management has the correct responsible party so that their rear ends are appropriately covered. Another big issue that we see is not providing appropriate resources.
A lot of times this is approached as a set it and forget it. We've named an individual, and that's basically all we're doing. It's very important that that individual has the time to devote to these requirements, which is the one that we see with the biggest deficit.
Many qualified individuals are identified, but then they aren't given the time with all of their other responsibilities to actually be able to develop, implement, and appropriately manage and improve the information security program. They need the time to be able to do this. They also need appropriate resources, whether that's money for different security tools, whether that's time from other departments and personnel.
Whatever that looks like, they need to have the time and the resources to be able to manage the information security program. Another big one that we see is, and it all relates, but assuming that the IT department or the managed service provider that the organization uses fully handles all of these requirements. They do not, and they can't.
IT and MSP can definitely help manage the technical aspects. They can help with a lot of the auditing. They can help with a lot of the heavy lifting with the information security program, but ultimately the reporting, the responsibility, the accountability is all with senior management and the core requirements, the KPIs, the metrics that the ISP needs to hit is all going to be dictated by senior management.
So what are some ways that you can make this a lot easier? It doesn't need to be complicated. It doesn't need to be super resource intensive. It can actually be easy.
Some easy ways to do that are to hire a CISO, Chief Information Security Officer, or where budgets are limited, resources are limited, hiring a virtual CISO. That can come in on a contract basis, maybe on a retainer basis, and help get everything in line so that the organization can manage the ISP themselves. Another way, once you have everything set up, is to schedule quarterly business reviews and bring in the qualified individual to sit down with IT, with senior management, HR, all of the other department heads and just quickly review what's been done, what are outstanding issues, what are needs, and this helps make sure that all the departments and senior management understand the requirements and needs of the ISP.
What can also make things very easy is utilizing our own written information security program. It's got all of the different steps in here to meet all of the FTC safeguards rule requirements, and even within the very first part, quickly identifies who the information security program director is and who is the accountable party that oversees them. In addition, it quickly identifies all of the different requirements for that individual.
So you don't need to go through creating the policies, the procedures, it's basically a compliance paint by numbers. Those are some very easy ways to quickly manage all of these requirements related to designating your qualified individual. As we work to wrap things up today, I would love to hear some comments, get some feedback from everybody listening, and specifically, some things I'd love to hear about are what are some of the specific challenges that you're facing with safeguarding your customer information, and what are some specific challenges that you're facing with complying with the FTC safeguards rule? What's unclear? What's difficult? What seems like a contradiction to managing the business? Some other things we'd love to hear are some great success stories.
What have you done in your organization that has made complying with the FTC safeguards easy? Easier to manage, easy to implement. And also, what tools and frameworks have you used that have also made this easier? Put those in the comments, and when you're there, if you liked all of our information, if you liked today's episode, click that like, click that subscribe. We always love to hear from you and love to have more people on the team.
So, as we finally close out, here are some additional resources that you can use. We'll have a lot of these in the additional resource section of our podcast description, but we have our FTC safeguards rule checklist for compliance. Definitely download that, and you can check off each of these as you listen to each of the different podcasts that will hit on each of these items. We also have some linked blogs that go into further detail about what we talked about today and what we will talk about in the future episodes.
We also have our e-book listed in there, which talks about how to comply with all of the FTC safeguards rule requirements. And finally, we're always happy to partner in a consultation to do a deep dive in your business, see how we can help, how we can get you in the right direction, and if you're really wanting to make this super easy and turnkey, you can always use our FTC safeguards rule WISP, which has all of the policies, the procedures, everything you need to be FTC safeguards rule compliant. Thank you very much for listening to us today on Cash in the Cyber Sheets.
Can't wait to have you again next week. Thank you, and goodbye for now.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.