GNYADA 2019 Membership Directory & Services Guide

Know where sensitive customer information is stored and store it securely. Know its life cycle throughout your organization. Make sure only authorized employees have access. For example:

• Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
• Store physical records in a room or cabinet that is locked when unattended.
• When customer information is stored on a server or other computer, ensure that the computer is accessible only with a “strong” password and is kept in a physically-secure area.
• Place customer information on a separate secure server or in a secure cloud-based server. Limit permissions and require additional access requirements (two-factor authentication), such as a randomly generated token number and an additional password, to be able to access the server.
• Where possible, avoid storing sensitive customer data on a computer with an Internet connection. It is a good practice to provide “read only” access to customer information and disable the ability to download customer information onto third-party devices (USBs, external hard drives, etc.).
• Maintain secure backup records and keep archived data secure by storing it off-line and in a physically-secure area.
• Maintain a careful inventory of your company’s computers, servers, and any other equipment on which customer information may be stored.
• Monitor employees accessing customer information in both paper and electronic format. You should review the monitoring regularly to detect any unusual spikes in activity and quickly find out the reason.
• Get a static IP address from your Internet Service Provider. This will keep your IP address from changing and enable sites like Dealertrack to only accept requests for customer information from your trusted IP address. This can be a major protection in the event employees’ user names and passwords are compromised.
• Use a cloud-based proxy server or a software-based proxy server to prevent users from going to sites that are associated with viruses, malware, or that are otherwise insecure.

Take steps to ensure the secure transmission of customer information. For example:

• When you transmit credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection, so that the information is protected in transit.
• If you collect information online directly from customers, make secure transmission automatic. Caution customers against transmitting sensitive data, like account numbers, via email or in response to an unsolicited email or pop-up message.
• If you must transmit sensitive data by email over the Internet, be sure to encrypt the data.

Do due diligence and obtain appropriate assurances from third-party service providers who have access to your customer information, and make sure their standards for protection are at least as comprehensive as yours. Reserve the right to do security audits of third-party vendors for compliance with required security standards.

Dispose of customer information in a secure way and, where applicable, consistent with the FTC’s Disposal Rule.

Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to customer information. Be sure to:
