Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us today as we continue our episodes, our series, on the FTC Safeguards Rule Checklist for Compliance. We've gone through a few of the different checklist items, which are all on our handy little infographic. There we go. It's in focus, but not readable. All on the infographic, and we've gone through designating a qualified individual. We've gone through risk-based approach development, and last time we talked about implementing appropriate controls.
There is a lot in that one. So this episode, I'd like to dive a little bit more into implementing the appropriate controls and some of the very specific requirements in the FTC Safeguards Rule. So that way we can make sure that you're hitting everything, getting everything addressed, and hopefully make it a little bit more clear and understandable.
Before we get into that, please click that like, click that subscribe, follow us wherever you're listening to us, whether it be Apple, Spotify, YouTube. We'd love to hear from you. Please click that follow.
And with that said, let's go ahead and jump into it. So if you haven't yet, in the description for the podcast there will be the link for the checklist, the FTC Safeguards Rule Checklist for Compliance. It is a handy little infographic. It is a checklist, so it is aptly named, and it makes it very easy to go through this series and also to do a real quick review of whether you have everything in place you need for the FTC Safeguards Rule. Now, today I'm not going to get into exactly what the rule is or who needs to comply with it. We've done that in a lot of the other episodes. So just scroll back a little bit, click on some of those, and they will give you all that information. We'll also have a full companion article for today, and it also has links to a lot of the FTC Safeguards Rule information as well as a little bit of a synopsis in the blog post itself.
But today what we're going to do is actually dive into that section, 16 CFR section 314.4, subsection (c), and then there's like (1) through, I think it's nine. Is it nine? Eight. Maybe it's eight. We'll go through each of those, though, and make sure that we're addressing those.
So, as we talked about in our last episode, implementing appropriate controls, this is really a lot of where the rubber meets the road. It's a lot of the more technical side of things. And when people think of cybersecurity, when they think of implementing security, this is a lot of what they're thinking of, the access controls, MFA, yada, yada, those tangible kind of technical things.
That's what we're getting into today. So, our detailed review of the required controls, starting out at number one is access controls. Every single information security program needs to manage access.
This takes on tons of forms. There's tons of ways that you can do this. But at a high level, what you want to make sure you're addressing is that the right people have access and that no one else does have access.
So, looking at adopting principles of least privilege, only giving access to the areas and to the people that have to have it for that job and for those particular transactions. Also, looking at systems like role-based access control to be able to make it easy to manage that least privilege. And as part of this, you also want to make sure that you're conducting audits. Periodic audits. Do the right people have access? Have we shut off access for people that have left? And are we managing this effectively? A good onboarding, off-boarding process. There are plenty of other articles that we've done, a lot of other podcasts, that really get into IAM, identity and access management. All the different principles, all the different ways you can manage it. But really at its core, what you're looking at is least privilege. Only people that need it have access. Everyone else doesn't. That sums it up.
The next part, identifying and managing assets. So this overlaps with the access management, but it's also getting into the actual assets.
Which of your assets, systems, servers, people are critical? Which ones have potential vulnerabilities? Where do you have those things that could go sideways? And are you properly addressing those? What you want to make sure is that you're tying this to your risk process. We talked about that in the other episodes. But make sure that the vulnerabilities you're identifying, the impact, the scale, where you're seeing the biggest risk, are being properly addressed and tightened up, closed up, and taken care of.
Next part, and this goes a lot into the asset management too, is data encryption and alternative controls. So what this means is, as much as you can, you want to encrypt everything. And I'll say a caveat with that. Make sure you check with your development teams and what's appropriate, because definitely within software and development tools, more encryption typically means less productivity and speed. More processing power needed. But for the most part, you want all of your data at rest encrypted.
Typically with a strong encryption cipher, AES-256. And you want everything in transit being encrypted. Typically with TLS 1.2 or higher.
A lot of times that's managed when you're doing like an HTTPS connection. But you want to make sure that those are properly applied. And you want to make sure that your encryption is properly protected, more specifically, the encryption keys. So that goes back to the access management, the least privilege. But making sure that the encryption keys are only with authorized personnel and that not every system can basically decrypt your data. Because that would be the point.
Now the alternative controls: that just goes to the fact that in some cases you can't do full encryption, and when that's the case, you want to identify the reason why, and what other controls or processes you perhaps have in place to mitigate that risk.
So maybe we can't encrypt this laptop. But we're only going to keep it in a secure room. And it's not going to connect to the internet. Things like that.
Next one is secure development practices. So this really goes to, if you're creating any applications, creating any code, reviewing any code, that you're typically adhering to something like an SDLC, a secure development life cycle, or using OWASP guidelines. That's probably not an 'or' statement; that's probably an 'and' statement: and using OWASP guidelines. But overall, you have a secure development process that is identifying vulnerabilities. That is managing changes appropriately. That is performing pen tests, vulnerability assessments, and at the end of the day is tightening up those risks and making sure that you've got good identity management, good encryption, and good access controls all built into that software solution.
The next one, 314.4(c)(5), is multi-factor authentication. This is a big one. Insurance companies, everybody is looking at this. It's its own subsection in the FTC Safeguards Rule. But. No but. You want to make sure you have MFA, multi-factor authentication. We have on our site some good references and infographics for common pitfalls and some other blog posts about it. Because you want to make sure that when setting up MFA, one, you don't make it too difficult for users and yourself to get in, because they're going to get annoyed and then start finding ways around it, and you also want to make sure that you don't accidentally lock yourself out if you lose your MFA key or token. So making sure that MFA is on practically every system. And where it can't be, like with the encryption, having those alternative controls and those risk assessments to show why you couldn't do it and what you're doing to mitigate that risk.
Rounding out number six, data retention and disposal policies. So, part of every good information security program is making sure you identify your retention requirements. How long do you need to retain data? And this is going to rely on your contractual requirements, what you have agreed to with your clients and vendors, and your regulatory requirements: legally, what do you have to do? Say on the HIPAA side, that's six years since last use. For certain tax records, that's seven to ten years. So on and so forth. You actually want to document that. We do have in our policies and procedures a very easy way to document all of that and go through it. But that should be documented.
And then when you're destroying data, when you're destroying assets, you want to have a structured way to do that so that all of the data is appropriately cleaned off and inaccessible to unauthorized parties. That could be looking at shredding; that could be looking at what's known as cryptographic shredding, so getting rid of the encryption keys. In a lot of cases, that's just pulling the hard drive out of a system and actually destroying it. Any way that you do it, you want to have a structured process and you want to be able to document what you've done and when you did it.
Next is a change management process, change management procedures. We want to make sure that we're keeping changes under control. So we're not having scope creep. We're not having information tech sprawl. That we're not introducing systems that are then introducing new vulnerabilities or potential new layers of access. We want to make sure that we know what's going on in our environments and that we're maintaining that appropriately so that we can roll things back if we need to. We can address new risks and we can make sure that we're keeping things as secure as possible.
Number eight, monitoring and activity logging. We want to make sure that we're doing detailed logging. So that's on all of our systems, on our routers, on firewalls. All of our devices should be maintaining logs so that way we can review those to see, is there anything that shouldn't be happening? Is there anybody in the systems that shouldn't be? And, God forbid, we have a data breach, we can go back to see exactly what was accessed and what wasn't accessed. And we've talked about it before. But it's very, very important to be able to show what was and what wasn't accessed during a data breach with documented evidence like logs. So that way you can reduce how many notifications you need to do and how much legal reporting you would be required to do.
In here, and I feel like they should make this a completely separate one, but it's also about having good incident response procedures. A whole incident response program. Very weird that that slid in right there, but it's actually its own FTC Safeguards checklist item. So I think that's one of the reasons why they split it up that way. And that is all of the specific items in the implementing appropriate controls section of the FTC Safeguards Rule.
So again, to recap, that's good access controls, identifying and managing assets, data encryption and alternative controls where you can't have the encryption, secure development practices, multi-factor authentication, data retention and disposal, change management procedures, and monitoring and activity logging.
Again, you can download the entire checklist right from our website. That link will be in the description of this podcast, and we'll have a link to the article that goes with this that has all of this information in much more detail and a lot of nifty, easy-to-access links to other areas of the FTC and other more in-depth areas. Of course, if you ever have any questions or are having trouble, please don't hesitate to reach out to us. We'd love to hear what's working for you, what's not working, and how we can help. So thank you for listening today, and until next time.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.