FTC Safeguards

The FTC Safeguards Rule is a regulation under the Gramm-Leach-Bliley Act (GLBA) designed to ensure that financial institutions protect consumer data through comprehensive security measures. The rule requires covered entities to develop, implement, and maintain a written information security program tailored to the company's size, complexity, and the nature of the consumer information it collects. Key requirements include conducting risk assessments, implementing access controls, encrypting sensitive data, regularly testing security measures, and ensuring that third-party service providers maintain adequate safeguards.

Controls:

Establish and maintain a written information security program.

  • ISP.1 - Written Security Program

    Develop and document a comprehensive written information security program.

Conduct a written risk assessment to identify and assess potential threats and vulnerabilities.

  • RA.1 - Identify Foreseeable Risks

    Identify and document foreseeable internal and external risks to the security

  • RA.2 - Periodic Reassessment

    Periodically reassess risks in light of changes to operations or new threats.

Implement specific safeguards to control the risks identified.

  • SI.1 - Access Controls

    Implement and periodically review access controls to determine who has access to customer information.

  • SI.2 - Data Inventory and Classification

    Conduct a periodic inventory of data

  • SI.3 - Encryption

    Encrypt customer information on your system and when it's in transit.

  • SI.4 - Application Security

    Implement procedures for evaluating the security of apps that store

  • SI.5 - Multi-Factor Authentication

    Implement multi-factor authentication for anyone accessing customer information on your system.

  • SI.6 - Secure Disposal

    Securely dispose of customer information no later than two years after your last use.

  • SI.7 - Change Management

    Anticipate and evaluate changes to your information system or network.

  • SI.8 - Monitoring and Testing

    Maintain a log of authorized users' activity and monitor for unauthorized access; regularly monitor and test the effectiveness of your safeguards.

Designate a qualified individual responsible for overseeing and implementing the information security program.

  • QI.1 - Designated Individual

    Designate a qualified individual to oversee the development

Take steps to ensure that service providers also maintain appropriate safeguards for customer information.

  • SPO.1 - Due Diligence and Contracts

    Select service providers capable of maintaining appropriate safeguards and include relevant security obligations in contracts.

Regularly evaluate and adjust the information security program.

  • ISPA.1 - Annual Evaluation

    At least annually

Develop and maintain a written incident response plan.

  • IRP.1 - Written Incident Response Plan

    Develop and document a written incident response plan to address security events.