‪(480) 285-8227 dave@dealercomply360.com

Information Security Program (ISP)

For [Your Dealership Name]

Purpose:
The purpose of this Information Security Program (ISP) is to protect the confidentiality, integrity, and availability of sensitive information held by [Your Dealership Name], ensure compliance with the FTC Safeguards Rule, and minimize the risk of data breaches and unauthorized access.

1. Scope

This ISP applies to all employees, contractors, and third-party vendors who handle sensitive customer or business information. It covers all data collected, stored, transmitted, or processed in electronic or physical formats, including customer Non-Public Personal Information (NPI), employee data, and financial records.

2. Objectives

  1. Protect sensitive data from unauthorized access, use, or disclosure.
  2. Mitigate cybersecurity threats and vulnerabilities.
  3. Ensure compliance with legal and regulatory requirements, including the FTC Safeguards Rule.
  4. Promote a culture of security awareness and accountability.

3. Roles and Responsibilities

3.1 Program Coordinator

  • The Compliance Officer is designated as the Program Coordinator responsible for overseeing the ISP.
  • Responsibilities include:
    • Conducting risk assessments.
    • Ensuring employee training.
    • Monitoring program effectiveness and reporting to senior management.

3.2 Employees

  • All employees are responsible for following security policies and procedures and reporting security incidents.

3.3 IT Department

  • Maintain secure systems and implement technical safeguards.
  • Respond to cybersecurity incidents and ensure system updates and patches are applied.

3.4 Vendors and Service Providers

  • Comply with dealership security policies and safeguard sensitive data provided to them.

4. Risk Assessment

  • Conduct an annual risk assessment to identify internal and external threats to sensitive data.
  • Evaluate potential risks, including:
    • Phishing and social engineering attacks.
    • Malware and ransomware threats.
    • Physical theft or loss of devices.
    • Insider threats (intentional or accidental).

5. Safeguards

5.1 Administrative Safeguards

  • Access Control:
    • Grant data access only to employees who need it for their job responsibilities.
  • Policies and Procedures:
    • Implement written policies for data protection, acceptable use, and incident response.
  • Employee Training:
    • Conduct regular cybersecurity awareness training on:
      • Identifying phishing attempts.
      • Proper handling of sensitive data.
      • Reporting potential threats or incidents.

5.2 Technical Safeguards

  • Encryption:
    • Encrypt sensitive data both at rest and in transit.
  • Multi-Factor Authentication (MFA):
    • Require MFA for access to critical systems and sensitive data.
  • Firewalls and Intrusion Detection:
    • Use firewalls to monitor and control network traffic.
    • Deploy intrusion detection/prevention systems to identify and mitigate threats.
  • Endpoint Security:
    • Ensure all dealership devices have up-to-date antivirus and anti-malware protection.
  • Data Backup:
    • Regularly back up sensitive data and store backups in a secure, offsite location.

5.3 Physical Safeguards

  • Secure Storage:
    • Store physical documents containing sensitive information in locked, restricted-access areas.
  • Workstation Security:
    • Enforce a clean desk policy to ensure sensitive documents are not left unattended.
  • Visitor Access:
    • Restrict physical access to sensitive areas to authorized personnel only.

6. Incident Response Plan

  • Detection and Reporting:
    • Employees must report any suspected security incidents immediately to the Program Coordinator or IT Department.
  • Containment:
    • Isolate affected systems to prevent further unauthorized access.
  • Investigation:
    • Determine the cause and scope of the incident.
  • Notification:
    • Notify affected customers, regulators, and law enforcement as required by law.
  • Post-Incident Review:
    • Document lessons learned and update security measures to prevent recurrence.

7. Vendor Management

  • Perform due diligence on third-party vendors to ensure they implement appropriate safeguards.
  • Require vendors to sign agreements acknowledging their responsibility to protect dealership data.
  • Regularly review and monitor vendor compliance.

8. Monitoring and Testing

  • Conduct periodic audits and vulnerability assessments to ensure compliance with the ISP.
  • Test the effectiveness of safeguards through:
    • Phishing simulations.
    • Penetration testing.
    • Security system performance reviews.

9. Policy Review and Updates

  • Review the ISP annually or after significant changes to operations, technology, or regulatory requirements.
  • Update the program to address new threats, vulnerabilities, and best practices.

10. Documentation and Recordkeeping

  • Maintain documentation of:
    • Risk assessments and audits.
    • Security incidents and responses.
    • Employee training records.
    • Vendor compliance agreements.
  • Retain records for at least 5 years or as required by applicable regulations.

11. Employee Acknowledgment

  • Require all employees to sign an acknowledgment confirming their understanding of the ISP and agreement to comply with its provisions.

Acknowledgment Form
I acknowledge that I have read and understand the Information Security Program and agree to adhere to its policies and procedures.

Employee Signature: ___________________________
Date: ___________________________

Manager Signature: ___________________________
Date: ___________________________

This program ensures compliance with the FTC Safeguards Rule, promotes data security, and protects sensitive customer and business information. Let me know if you’d like further customization or templates for specific sections!