What is an FTC Safeguards Risk Assessment?

A risk assessment is the process of identifying and assessing the risks to customer information in your possession. It involves reviewing the types of customer information you collect, how you collect it, how you use it, how you store it, and how you dispose of it. The goal of a risk assessment is to identify the vulnerabilities in your information security program and to develop appropriate safeguards to protect customer information.

“While acknowledging there will be some cost to conducting a risk assessment, the Commission believes a properly conducted risk assessment is an essential part of a financial institution’s information security program. The entire Safeguards Rule, both as it currently exists and as amended, requires that the information security program be based on a risk assessment.” – federalregister.gov

Tips for Conducting a Risk Assessment

Conducting a risk assessment can be a complex process, but there are some key steps you can take to ensure that you’re doing it effectively:

  1. Identify the types of customer information you collect: The first step in conducting a risk assessment is to identify the types of customer information you collect. This may include names, addresses, social security numbers, credit card numbers, and other sensitive information.
  2. Identify how you collect customer information: Once you’ve identified the types of customer information you collect, you need to identify how you collect it. This may include online forms, paper forms, in-person transactions, and other methods.
  3. Identify how you use customer information: You also need to identify how you use customer information. This may include processing transactions, marketing, customer service, and other purposes.
  4. Identify how you store customer information: Once you’ve identified how you use customer information, you need to identify how you store it. This may include electronic storage, paper files, and other methods.
  5. Identify how you dispose of customer information: Finally, you need to identify how you dispose of customer information. This may include shredding paper files, securely deleting electronic files, and other methods.
  6. Assess the risks: Once you’ve identified the types of customer information you collect, how you collect it, how you use it, how you store it, and how you dispose of it, you need to assess the risks to that information. This may involve reviewing your information security policies and procedures, assessing your physical security measures, and evaluating your technology safeguards.
  7. Develop appropriate safeguards: Based on the results of your risk assessment, you need to develop appropriate safeguards to protect customer information. This may involve developing administrative, technical, and physical safeguards, such as access controls, encryption, and security cameras.

Benefits of Conducting a Risk Assessment

Conducting a risk assessment has several benefits for your business, including:

  1. Protecting customer information: By conducting a risk assessment and implementing appropriate safeguards, you can protect your customers’ personal information from unauthorized access, use, or disclosure.
  2. Complying with regulations: The FTC Safeguards Rule requires businesses to conduct risk assessments and implement appropriate safeguards. By conducting a risk assessment, you can ensure that you’re in compliance with these regulations.
  3. Reducing the risk of data breaches: Data breaches can be costly for businesses, both in terms of financial losses and damage to reputation. By conducting a risk assessment and implementing appropriate safeguards, you can reduce the risk of data breaches and minimize the impact if one does occur.
  4. Improving customer trust: Customers are more likely to do business with companies that take their privacy and security seriously. By conducting a risk assessment and implementing appropriate safeguards, you can improve customer trust and loyalty.

Hiring a Certified Safeguards Technology Provider

Conducting a risk assessment can be a complex process, and many businesses do not have the expertise in-house. Hiring a Certified Safeguards Technology Provider is a simple way to ensure compliance and to take the burden of getting this completed off your plate.

Compliance Made Easy: FTC Safeguards Rule Checklist for Accountants

The full guide can be downloaded here (the checklist below is only one section of it).

  • Criteria for the evaluation and categorization of identified security risks or threats you face
    __________________________________________________________________________________________________________________________________________________________________________________________________________________
  • Assessing Confidentiality, Integrity, and Availability of Information.
    • Adequacy of Existing Controls
    • __________________________________________________
  • How will identified risks be mitigated or accepted, and how will they be addressed?
    __________________________________________________________________________________________________________________________________________________________________________________________________________________
  • How will you evaluate and adjust your plan in light of results & material changes?
    __________________________________________________________________________________________________________________________________________________________________________________________________________________

Types of Information Collected:

  • Social Security numbers of the taxpayer and their dependents
  • Dates of birth of the taxpayer and their dependents
  • Wages and salary information
  • Investment income and gains/losses
  • Information related to rental properties and real estate investments
  • Bank account and routing numbers for direct deposit of refunds or payments
  • Credit card and loan information
  • Business income and expense information
  • Contact information not publicly available like email and phone numbers.
  • Health care information for tax credits and deductions.


Risk Assessment (Based on the AICPA SOC 2 Framework)

  • Define your Business Objectives
    • Security: To protect the confidentiality, integrity, and availability of our clients’ data, as well as our own data, through the implementation of appropriate security controls and measures.
    • Availability: To ensure that our systems and services are available to our clients as needed, by minimizing the risk of unplanned downtime and implementing appropriate disaster recovery and business continuity plans.
    • Processing Integrity: To process transactions accurately and completely, in accordance with our clients’ expectations and industry standards, by implementing appropriate controls and measures.
    • Confidentiality: To maintain the confidentiality of our clients’ data, as well as our own data, by ensuring that access to this data is restricted to authorized personnel only, and by implementing appropriate encryption and access controls.
    • Privacy: To protect the privacy of our clients’ data, as well as our own data, by implementing appropriate privacy policies and procedures, and by complying with all applicable privacy laws and regulations.

These business objectives will guide our organization in implementing appropriate controls and measures to achieve SOC 2 compliance, and in continuously monitoring and improving our security, availability, processing integrity, confidentiality, and privacy practices. By achieving SOC 2 compliance, we will demonstrate our commitment to the security, availability, processing integrity, confidentiality, and privacy of our clients’ data and our own data, and provide assurance to our clients and stakeholders that we have implemented appropriate controls and measures to protect their information.


  • Identify In-Scope Systems
    • Customer Management System: This system is used to manage customer information, including personal information and financial data. The system is used by authorized personnel to input, access, and manage customer data.
    • Financial Management System: This system is used to manage financial data, including billing, accounts receivable, and accounts payable. The system is used by authorized personnel to input, access, and manage financial data.
    • Human Resources Management System: This system is used to manage employee data, including personal information and payroll data. The system is used by authorized personnel to input, access, and manage employee data.
    • IT Infrastructure: This includes all hardware and software components used to support our business operations, including servers, network devices, and services. The IT infrastructure is used to host and process customer data, financial data, and employee data.

These in-scope systems will be subject to our SOC 2 audit and will be evaluated against the applicable Trust Services Criteria. By identifying our in-scope systems, we can ensure that we are focusing our SOC 2 efforts on the most critical systems and data, and can provide assurance to our clients and stakeholders that we have implemented appropriate controls and measures to protect their information. Additionally, we will continuously monitor and evaluate our in-scope systems to ensure that they remain secure, available, and compliant with our business objectives and SOC 2 requirements.


  • Perform Risk Analysis

The following risk analysis has been performed to identify potential risks to the confidentiality, integrity, and availability of our clients’ data, as well as our own data:

  1. Threats: We have identified potential threats to our systems and data, including hacking, malware, phishing, insider threats, and natural disasters.
  2. Vulnerabilities: We have identified potential vulnerabilities in our systems and processes, including outdated software, weak passwords, lack of encryption, and inadequate access controls.
  3. Likelihood: We have assessed the likelihood of these threats and vulnerabilities occurring, based on historical data, industry trends, and expert opinions.
  4. Impact: We have assessed the potential impact of these threats and vulnerabilities on our business operations, including financial loss, reputational damage, and legal liability.
  5. Risk Rating: We have assigned a risk rating to each potential risk, based on the likelihood and impact assessments, and have prioritized these risks based on their risk rating.
  6. Controls: We have identified existing controls and measures that mitigate these risks, and have identified additional controls and measures that we can implement to further reduce our risk exposure.
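To make the rating and prioritization steps concrete, here is an added example (not from the guide) that scores a small risk register in Python: likelihood and impact on an assumed 1-5 scale, an inherent rating (likelihood x impact), a residual rating after existing controls, and priority bands whose edges are assumptions. The threat and vulnerability pairs come from the list above; the scores, controls and reductions are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed 5-point scales: 1 = very low ... 5 = very high. Ratings therefore run 1..25.
MIN_SCORE, MAX_SCORE = 1, 5


def validate_score(score: int) -> bool:
    """True if a likelihood or impact score is on the assumed 1..5 scale."""
    return isinstance(score, int) and MIN_SCORE <= score <= MAX_SCORE


@dataclass
class Risk:
    """One line of the risk register: a threat acting on a vulnerability (steps 1-2)."""
    threat: str
    vulnerability: str
    likelihood: int                      # step 3, 1..5
    impact: int                          # step 4, 1..5
    existing_controls: list[str] = field(default_factory=list)  # step 6
    likelihood_reduction: int = 0        # points the existing controls take off likelihood (assumed model)

    def __post_init__(self) -> None:
        if not (validate_score(self.likelihood) and validate_score(self.impact)):
            raise ValueError(f"scores must be {MIN_SCORE}..{MAX_SCORE}: {self.threat}")

    def inherent_rating(self) -> int:
        """Step 5: rating before controls are considered, likelihood x impact."""
        return self.likelihood * self.impact

    def residual_rating(self) -> int:
        """Rating after existing controls; likelihood never drops below the scale minimum."""
        return max(MIN_SCORE, self.likelihood - self.likelihood_reduction) * self.impact


def priority(rating: int) -> str:
    """Map a 1..25 rating to a priority band (band edges are an assumption)."""
    if rating >= 15:
        return "High"
    if rating >= 8:
        return "Medium"
    return "Low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order by residual rating, then impact, then threat name so ties are deterministic."""
    return sorted(register, key=lambda r: (-r.residual_rating(), -r.impact, r.threat))


def risk_report(register: list[Risk]) -> list[tuple[str, int, int, str]]:
    """(threat, inherent, residual, priority) rows, highest residual risk first."""
    return [(r.threat, r.inherent_rating(), r.residual_rating(), priority(r.residual_rating()))
            for r in prioritize(register)]


# Constructed sample register pairing the threats and vulnerabilities named in the text.
SAMPLE_REGISTER = [
    Risk("Phishing", "weak passwords", likelihood=4, impact=4,
         existing_controls=["multi-factor authentication", "security awareness training"],
         likelihood_reduction=2),
    Risk("Malware", "outdated software", likelihood=3, impact=5,
         existing_controls=["third-party patch management"], likelihood_reduction=1),
    Risk("Insider threat", "inadequate access controls", likelihood=2, impact=5),
    Risk("Hacking", "lack of encryption on laptops", likelihood=3, impact=5),
    Risk("Natural disaster", "no off-site backup", likelihood=1, impact=5),
]

if __name__ == "__main__":
    # Phishing has the highest inherent rating but drops to Medium once its
    # existing controls are credited; the unmitigated laptop encryption gap leads.
    for threat, inherent, residual, band in risk_report(SAMPLE_REGISTER):
        print(f"{threat:17} inherent={inherent:2} residual={residual:2} priority={band}")
```

Ranking on the residual rather than the inherent rating is what turns the register into the prioritized list step 5 calls for, and the controls column is the input for step 6.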


  • Document Risk Responses

Risk Responses

  1. Risk: Unauthorized access to customer data. This could result in the exposure of sensitive information, loss of data, and damage to the company’s reputation.
    1. Response: To mitigate the risk of unauthorized access to customer data, the company will implement strong access controls, such as password policies, multi-factor authentication, and role-based access. In addition, regular security training will be provided to all employees to ensure they are aware of the risks and the proper security procedures.
  2. Risk: Network outage or system failure. This could result in downtime for critical systems, loss of revenue, and damage to the company’s reputation.
    1. Response: To mitigate the risk of network outages or system failures, the company will implement a redundant network architecture, backup and disaster recovery procedures, and regular testing of these procedures to ensure they are effective. In addition, the company will maintain a service level agreement (SLA) with its customers, which includes guarantees for uptime and availability.
  3. Risk: Inadequate physical security. This could result in the theft of hardware, loss of data, and damage to the company’s reputation.
    1. Response: To mitigate the risk of inadequate physical security, the company will implement strict access controls to its data centers and offices, including biometric identification and surveillance systems. In addition, all hardware will be secured with locks and alarms to prevent theft or unauthorized access.
  4. Risk: Human error or malicious behavior. This could result in the accidental or intentional deletion, modification, or disclosure of sensitive data.
    1. Response: To mitigate the risk of human error or malicious behavior, the company will implement strict access controls, regular security training for all employees, and monitoring and logging of all user activity. In addition, the company will conduct regular security audits and penetration testing to identify and address vulnerabilities in its systems.

Data Storage Checklist

List everywhere that contains PII. Examples include, but are not limited to:

Tax Software(s) ___________________________________________________
Bookkeeping Software(s) ____________________________________________
Payroll Software(s) _________________________________________________
3rd Party Apps:  ___________________________________________________
Provider(s): _________________________________________________
Data Storage(s): ___________________________________________________
Email Provider(s):  _________________________________________________
CRM(s)  _________________________________________________________
Social Media: _____________________________________________________
All Contractors: ___________________________________________________


Employee(s)                              Computer Name(s)
_____________________________            _____________________________
_____________________________            _____________________________
_____________________________            _____________________________
_____________________________            _____________________________
_____________________________            _____________________________

Policy & Procedure to Assess contractors / vendors / software providers


  • Introduction
    Our accounting firm relies on third-party contractors, vendors, and software providers to provide us with products and services that are essential to our business operations. However, the use of these third parties also introduces potential risks to our clients’ data and our overall security posture. This risk assessment policy and procedure is designed to help us assess and manage the risks associated with our third-party relationships.
  • Scope
    This risk assessment policy and procedure applies to all third-party contractors, vendors, and software providers who have access to our clients’ data or who provide us with products or services that are essential to our business operations.
  • Risk Assessment Criteria
    The following criteria will be used to assess the risks associated with our third-party relationships:
    • Sensitivity of Data: The sensitivity of the data that the third party will have access to or handle.
    • Business Impact: The potential impact on our business operations if the third party experiences an outage or other business interruption.
    • Security Posture: The third party’s security posture and ability to protect our clients’ data.
    • Compliance: The third party’s compliance with all applicable regulations and standards, including but not limited to: FTC, GLBA, GDPR, and SOC 2.
    • Contractual Terms: The terms of the contract with the third party, including but not limited to: liability, indemnification, and termination.
  • Risk Assessment Process
    The following process will be used to assess the risks associated with our third-party relationships:
    • Identify Third Parties: We will identify all third-party contractors, vendors, and software providers who have access to our clients’ data or who provide us with products or services that are essential to our business operations.
    • Gather Information: We will gather information about each third party, including but not limited to: the sensitivity of the data they will have access to or handle, their security posture, and their compliance with applicable regulations and standards.
    • Assess Risks: We will assess the risks associated with each third-party relationship based on the criteria outlined in this policy.
    • Mitigate Risks: We will work with each third party to mitigate any risks identified during the assessment process. This may include, but is not limited to: requiring them to implement additional security measures or renegotiating contractual terms.
    • Monitor Risks: We will monitor the risks associated with our third-party relationships on an ongoing basis to ensure that they continue to be mitigated effectively.
  • Reporting Incidents
    Any incidents related to a third-party contractor, vendor, or software provider must be reported to the IT department as soon as possible. This includes incidents related to security, compliance, or contractual terms.
  • Compliance
    Failure to comply with this risk assessment policy and procedure may result in disciplinary action, up to and including termination of employment.
  • Conclusion
    Our accounting firm recognizes the importance of assessing and managing the risks associated with our third-party relationships. By following this risk assessment policy and procedure, we can ensure that we work with third parties who meet our security and compliance requirements, and who are committed to maintaining the same level of security and compliance that we require.


Policy & Procedure to Handle Change in Management


  • Introduction
    • Our organization recognizes that change in management can have significant impacts on our operations, employees, and stakeholders. This policy and procedure is designed to ensure that any changes in management are handled in a transparent, fair, and orderly manner that minimizes disruption to our business and employees.
  • Scope
    • This policy and procedure applies to any change in management within our organization, including but not limited to: promotions, transfers, retirements, resignations, terminations, or any other circumstance that results in a change in management.
  • Communication
    • A clear communication plan will be developed and implemented to inform all employees and stakeholders of the upcoming changes in management. The communication plan will include the following:
      • A timeline for the transition
      • The names of the new managers or leaders
      • The roles and responsibilities of the new managers or leaders
      • The reasons for the change in management
      • The impact of the change in management on employees and stakeholders
      • Any necessary training or support for employees
  • Succession Planning
    • Succession planning is critical to ensure a smooth transition in the event of a change in management. The following steps will be taken to ensure that succession planning is in place:
    • The outgoing manager will work with the incoming manager to transfer knowledge and information about the role, responsibilities, and ongoing projects.
    • A comprehensive job description for the new manager will be developed and communicated to all stakeholders.
    • A review of the existing talent within the organization will be conducted to identify potential candidates for the management position.
    • A training and development plan will be developed for the new manager to ensure that they have the skills and knowledge necessary to succeed in their new role.
  • Employee Support
    • During times of change in management, it is important to provide support to employees to help them cope with any potential stress or anxiety that may arise. The following steps will be taken to support employees:
      • Regular communication and updates will be provided to employees regarding the change in management and how it impacts them.
      • Opportunities for employees to provide feedback or ask questions will be provided.
      • Counseling or other support services will be made available to employees who are experiencing difficulty adjusting to the change.
  • Compliance
    • All changes in management will be handled in compliance with all applicable laws, regulations, and company policies.
  • Conclusion
    • Our organization recognizes that change in management can be difficult, but by following this policy and procedure, we can ensure that any changes are handled in a transparent, fair, and orderly manner that minimizes disruption to our business and employees.

Date to re-assess contractors / vendors / software providers ___________

  • Criteria for Security
      • Antivirus: ___________________________________________
      • Anti-Phishing Toolbar: _________________________________
      • Firewall: ____________________________________________
      • Remote Management & Monitoring: ______________________
      • Encryption
        • Encryption At Rest Method: _______________________
        • Encryption in Transit Method: ______________________
      • Intrusion Detection Software: ___________________________
      • VPN: ______________________________________________
      • 2 Factor Authentication: _______________________________
      • Endpoint Detection Response Software: __________________
      • Backup Software: ____________________________________
      • Patch Management ___________________________________
        • Note: Windows does NOT have built-in patch management
      • 3rd Party Patch Management: _____________________________
  • Criteria For Confidentiality 
      • Access controls:
        • Implement access controls to limit access to confidential information to only authorized personnel
        • Use strong passwords and two-factor authentication to prevent unauthorized access
        • Regularly review access privileges to ensure they are still necessary and appropriate
        • Log all access attempts and regularly review logs for suspicious activity
        • Train employees on proper use and protection of confidential information.
      • Encryption
        • Use encryption to protect sensitive data both in transit and at rest
        • Encrypt all files and data containing confidential information
        • Ensure that all email communications containing confidential information are encrypted
        • Use secure communication channels such as VPNs when transmitting data over public networks
        • Train employees on proper use and management of encryption tools.
      • Employee training:
        • Provide regular training to employees on best practices for handling confidential information
        • Train employees on how to identify and report suspicious activity
        • Implement policies and procedures for handling confidential information and ensure all employees are aware of them
        • Test employee knowledge of policies and procedures through regular assessments
        • Encourage a culture of confidentiality and accountability within the organization.
      • Physical security: 
        • Implement physical access controls to limit access to areas containing confidential information
        • Use surveillance cameras and monitoring systems to deter and detect unauthorized access
        • Secure all storage areas containing confidential information with locks or other security measures
        • Properly dispose of physical documents and media containing confidential information to prevent unauthorized access
        • Train employees on proper physical security measures and enforce policies and procedures.
      • Incident response:
        • Procedure for identifying breach
          • Regular monitoring of systems and networks for suspicious activity or unusual behavior
          • Implementing intrusion detection systems and other security tools to detect potential threats
          • Regularly reviewing logs and other records for signs of unauthorized access or data exfiltration
          • Training employees on how to identify and report potential incidents or breaches
        • Upon identifying a potential incident or breach, the following steps will be taken to assess the situation:
          • Gathering information on the incident, including the type of data involved, the extent of the breach, and the potential impact on clients and employees
          • Determining the cause of the incident, including whether it was the result of a cyber-attack, human error, or other factors
          • Assessing the potential impact on our operations, clients, and employees
        • Incident Response
          • Implementing containment measures to prevent further damage or data loss
          • Identifying the individuals or parties affected by the breach and notifying them in a timely manner
          • Coordinating with law enforcement, if necessary
          • Conducting a thorough investigation to determine the root cause of the incident and identifying any additional security measures that may be necessary to prevent future incidents
          • Updating incident response plans and procedures as needed
        • Reporting
          • All incidents or potential breaches will be promptly reported to senior management, who will determine whether to notify external stakeholders, such as regulatory bodies or clients, as required by law or company policy.
      • Procedure for containing breach
        • Immediately disconnecting affected systems or networks from the internet or other external networks to prevent further damage or data loss
        • Implementing additional security measures, such as firewalls or access controls, to prevent unauthorized access to sensitive data
        • Identifying the individuals or parties affected by the breach and notifying them in a timely manner
        • Conducting a thorough investigation to determine the root cause of the incident and identifying any additional security measures that may be necessary to prevent future incidents
        • Updating incident response plans and procedures as needed
  • Criteria For Integrity
      • Backup _________________________
        • Note: Storage services like Google Drive, SharePoint, and Dropbox are NOT backups; they are storage.
      • Version Control Policy 
        • Documents will be stored in a central location, with access restricted to authorized staff
        • All changes to documents must be tracked and documented using a change log or similar record
        • Whenever a new version of a document is created, it will be labeled with a unique version number and date automatically by the software
        • All staff will be instructed to use the latest version of each document in all activities
      • Audit Trails Policy
        • Our organization maintains audit trails to monitor all activities related to cyber security. 
        • All audit trails will include sufficient detail to enable reconstruction of events, and will be retained for a period of no more than 2 years. 
        • Access to audit trails will be restricted to authorized personnel & vendors and will be regularly monitored for suspicious activity.
      • Access Control Policy
        • Only authorized personnel can access our systems and data. 
        • Access will be granted on a need-to-know basis, with permissions regularly reviewed and updated per policy. 
        • Any unauthorized access attempts will be logged and investigated.
  • Criteria For Evaluating Risks and Threats
    • Likelihood: How likely is the risk or threat to occur, based on historical data, industry trends, or other factors?
    • Impact: What would be the consequences of the risk or threat, such as financial loss, reputational damage, or legal liability?
    • Vulnerability: How vulnerable are the systems or processes that could be affected by the risk or threat, and how easy would it be to exploit these vulnerabilities?
    • Severity: What is the severity of the potential harm that could be caused by the risk or threat, and how would this harm be classified (e.g. minor, moderate, or major)?
    • Mitigation: What measures are currently in place to mitigate the risk or threat, and how effective are these measures?
    • Detection: How easily could the risk or threat be detected, and what systems or processes are in place to monitor for potential incidents?
    • Recovery: How quickly could the organization recover from the risk or threat, and what resources or contingency plans are in place to support this recovery process?
  • How can information be misused, altered, or destroyed?
    • Unauthorized access: Information can be misused if someone gains access to it without authorization, either through hacking, social engineering, or other means.
    • Malware: Malicious software can be used to alter or destroy information on a system, or to exfiltrate sensitive data to unauthorized parties.
    • Insider threats: Employees or contractors with authorized access to information can misuse it for personal gain or to harm the organization.
    • Physical theft: Physical theft of devices or documents containing sensitive information can result in loss or exposure of this information.
    • Human error: Accidental mistakes or omissions by employees can lead to unintentional alteration or destruction of information.
    • Natural disasters: Natural disasters such as floods, fires, or earthquakes can damage or destroy physical devices or systems containing information.
    • Cyber attacks: Deliberate cyber attacks such as denial of service attacks, ransomware, or phishing attempts can disrupt or compromise systems and data, leading to loss, alteration, or destruction of information.
  • When will your periodic reassessment be conducted?
    • Date: ____________________________________
  • Who has access to your customers’ PII & Do They Have a LEGITIMATE Business Need for Access?
    • Employees: (List All)
      • __________________ Yes / No
    • Contractors (List All)
      • __________________ Yes / No
    • Sharing in Physical Storage Locations (List All)
      • __________________ Yes / No
    • Storage: (List All)
      • __________________ Yes / No
    • Physical Storage Potential Threats:
      • Employees
      • Clients
      • Cleaners
      • Landlords
      • Visitors
      • Burglary
      • Trash Diving
      • Mail Theft
      • Lost or Misplaced
  • Events that will elicit a change/modification in the information security program (ISP)
    • New server
    • New laws
    • New ownership / management
    • Expansion to new area
    • Incidents affecting peers in the same industry
    • New vendors or contractors in use with access to PII
    • Customer concerns
    • Suggestion from IT provider
    • Audit uncovers severe vulnerability
  • User / Access Monitoring Policy
    • We will implement access controls to ensure appropriate access to systems, applications, and data.
    • Monitor user activity and access using various tools and techniques on a regular basis, including reviewing logs and system alerts. 
    • Personnel responsible for monitoring user activity and access will be trained to identify and respond to potential security threats or violations. 
    • In the event of a security incident or violation, reporting requirements, escalation procedures, and notification procedures will be followed.
    • We will retain monitoring data for a defined period and dispose of it securely. 
    • This policy applies to all personnel and end-users accessing our systems, applications, and data.
  • What software is used to monitor?
    • ______________________
  • Who is the qualified individual to carry out the monitoring?
    • ______________________
