(Transcribed by TurboScribe.ai. Go Unlimited to remove this message.)
I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets. Hey everybody.
Welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us as we continue our FTC Safeguards Rule Checklist for Compliance series.
It's a little bit of a mouthful, but we are doing this both on the podcast and we have all of the blog articles to go along with it. So for each of the podcast series, there is a blog article that goes into even more detail, which you can check out at inputoutput.com and in the description, we'll even have the link directly to the accompanying blog article for this podcast. So today we are actually going to go over something very near and dear to my heart, policies, procedures, and training.
Policies and procedures is one of the biggest things that we do. I don't understand why everybody hates to do it. It is honestly probably the sexiest side of information security, which I don't think has to go into too much detail.
It kind of speaks for itself. It's definitely not an area that a lot of people like to do, but again, kind of our thing. We do a lot of information security program policies, a lot of policy review.
We have our entire written information security program, basically a compliance paint by numbers, and we will be getting into that part of it today. How to take care of that for the FTC Safeguards rule. Before we jump into it, please click that subscribe, click that like anywhere you're listening to us, Apple, Spotify, YouTube, wherever it's at, follow along and would love to hear some comments and things that you would like to hear about.
And while we are getting some comments, it'd be great to get some that weren't actually spam. So that would be super. But with that said, let's go ahead and jump into it.
So we've gone through a lot of the different items in our previous podcasts in this series. We've gone through designating a qualified individual, utilizing a risk-based approach, implementing appropriate controls. We had two podcasts on that, monitoring, reviewing and testing controls.
And today is the policies, procedures and training. And before I forget, we do have, and the link will be in the podcast description, but our FTC Safeguards rule checklist. We've got that available for download, a very nifty little infographic, hard to see on the camera here, but very easy to follow along each podcast, each article, just going right down the checklist.
So that way you can make sure you're covering all of your bases with the FTC Safeguards rule and making sure that you're not leaving anything out there. So let's jump into policies, procedures and training. Now we've gone through, there's a lot of our articles online.
There's a lot of the podcasts that talk about what the FTC Safeguards rule is, who must comply with it and the core requirements, which are all on the checklist. So I'm not going to go into that. What we will start diving into is developing our information security program; you can't have one unless you have policies and procedures.
And if we're looking at kind of an ISO, I like how they've got it structured, the plan, do, check, act structure, the policies and procedures, that's your plan. This is where it identifies everything that you're going to do, everything that's required in the organization and with the procedures, how you're going to do it. Then with your do, check and act, that's actually implementing the controls, checking the controls, your audits and then improving, doing your remediation changes with anything that you find that isn't up to par or could be improved.
But the biggest thing here, the plan is those policies and procedures, making sure that we've got everything documented and that way we're also providing that to all of our employees. So let's get into implementing information security policies and procedures. This is 16 CFR section 314.4 subsection E and all the other little numbers that go after that.
Now the biggest part is that the FTC safeguards rule explicitly requires everything to be documented. That has to be in the form of a WISP, a written information security program or sometimes referred to as a written information security policy. It needs to be, however you put it, whether it's thousands of post-it notes, whatever, it needs to be a whole set of policies and procedures that goes over how you manage everything soup to nuts, how we're going to manage from the senior management level, how we're going to address identity and access management, acceptable use, cryptography, all of that needs to be in those documented procedures.
And what we also need to make sure is that it's approved by senior management, it's reviewed at least annually, and these are provided to associates, at least the bits that relate to them. Most notably, typically like the acceptable use, the remote work, teleworking, all of those requirements are going out to all of our employees so that we from the top level down are identifying here's what our plan is, here's how we're going to execute, and then all of the procedures under that are really going to fill in all of those gaps of the how. Now, without getting too deep into a shameless plug for trying to sell our products, if you want to make it easy, again, this is one of the big things that we do, the written information security program or FTC WISP, it is basically a compliance paint by numbers to where it has all of the different areas of the FTC safeguards rule addressed, they're referenced, and it makes it very easy to adapt to your organization.
So you can create them all from scratch, or you can basically use our compliance ad lib and get it done in just a few days. However you do it, though, you want to make sure that you have all of those information security program policies in place, approved by management, and that they're being attested to by all of your employees. Next step, information security awareness and training.
Now, our article goes into a lot of depth on this, there's a lot of information, I'm going to shorten it up here, but essentially what we want to have is security training, so talking about all of the different aspects that relate to our business. How do we manage users? How do we make sure that systems are secure? What not to click on? We also want to do the phishing training, which is now becoming pretty standard. What we want to make sure that we're doing as well, though, because it's becoming such a prevalent threat vector, so many companies are getting nailed by it, is also, and I hate saying all of this, I can't believe that these are the technical terms, but smishing, vishing, quishing, that sounds like such an inappropriate adult activity, and even social engineering.
So phishing is all of the email simulations, it's the things where people are trying to get you to do, click on a link or to give them information through email. Smishing is when that's done through a text message. There's also vishing, where that's done through an actual voice message, so they will call the phone, leave a voice message, try to get you to do some sort of activity or give up information.
And what's becoming even more prevalent is quishing attacks, which is QR code attacks. This is why you want to be very careful with scanning any QR codes. These are even, not getting off topic, but just stickers placed everywhere, even over parking meters and everything that just take you to phishing websites and malicious sites, so you want to be very careful with those QR codes.
What's missing a lot, however, is that type of training, and that you want to make sure that you're talking to your employees about, hey, this is out there, hey, you want to make sure not to scan these things, because this is just as bad. You also want to make sure that you're discussing training related to your organization and your relevant risk, so your industry, your company, and even what's happening in your area. You want to make sure you're keeping your employees up to date, and this can take all types of different forms.
This could be automated training modules, this could be simulated phishing exercises, this can be posters and emails, this can be all hands calls, however you push this out. You want to make sure that you're reviewing all the relevant information, up to date information, and that you can actually show that you provided the training, that people attended it, that they understood it. That needs to be in documented form, so if you're ever audited, you can show where you actually did these things.
As a quick side note, our ClickSafe Academy with Input Output actually provides all those different training types, so if you're having trouble finding an affordable or some other option to take care of those smishing or vishing or quishing exercises, that's definitely something that we can help with. Other things you want to do with your training program is make sure that you're continually updating. One thing that we see in a lot of our audits is when we go out, it's just the same training year after year, three, four, five years, it's never changed.
You can use, if you want to do that, you can still use a lot of the same training, but it needs to be supplemented with up-to-date information. It needs to be able to show that you're giving your employees, your management, your IT teams information that is consistent and is up-to-date. You want to also maintain awareness with security threats.
Now, with IT teams, this is normally making sure that they have access to security feeds, CISA. Other security feeds out there are great for being able to see what's new, what's happening, and to make sure that they're appropriately protecting your organization. For management, this is typically looking at it from a more holistic side, and from employees, that's typically looking at it more what's affecting employees or how are they getting attacked.
And a lot of that goes to some of those different types of phishing and quishing exercises, which are becoming much more prevalent. As far as policies, procedures, and trainings go, that's really the high-level overview for the FTC safeguards. It feels a little disingenuous to almost stop here because there is so much to go over about policies.
We have a lot of blogs on it. We have a lot of different podcasts on it. And obviously, always happy to connect about digging into the policies and procedures.
But as the FTC safeguards is concerned, as far as making sure you take care of that checklist, you want to make sure that your policies and procedures are related to your risk, that it's based on your risk-based approach, that it's approved by senior leadership, that it's pushed out to all employees and reviewed and updated annually, and then doing the same with your training, that all employees are trained appropriate to their role, appropriate to the risk of your organization, and that it stays relevant to what's happening in the industry and that would affect your organization. With that said, that is our topic today for policies, procedures, and training for the FTC Safeguards Rule Checklist for Compliance. Don't forget to download the infographic so that way you can follow along and make sure that you're covering all of your bases with the FTC Safeguards Rule.
Check out all of the blog article descriptions to make sure that you're covering all of the bases. And we can't wait to see you next time. Stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets.
Goodbye for now.