FTC Safeguards Rule Annual Risk Assessment Worksheet

Annual written information security risk assessment worksheet for auto dealers and other financial institutions subject to the FTC Safeguards Rule (16 CFR Part 314). Use this template to document identified risks to customer information, evaluate safeguards, and record required remediation and approvals.

Assessment Scope and Recordkeeping

  • Assessment period documented
    Record the assessment period covered by this annual review.
  • Business units and systems in scope identified
    Select all business areas and systems that store, process, or transmit customer information.
  • Customer information categories inventoried
    Identify the categories of customer information maintained by the organization.
  • Written risk assessment retained with supporting evidence
    Confirm the assessment is documented and retained with supporting evidence, approvals, and remediation records.

Data Inventory and Information Flow

  • Data collection points mapped
    Customer information collection points are identified for sales, service, finance, online forms, and third-party channels.
  • Storage locations documented
    All storage locations for customer information are documented, including cloud services, local devices, shared drives, and paper files.
  • Data transmission paths reviewed
    Inbound and outbound transmission paths for customer information are reviewed, including email, portals, APIs, fax, and file transfers.
  • Retention and disposal controls defined
    Retention periods and secure disposal methods are defined for records containing customer information.
  • Unnecessary data minimized
    Rate how effectively the organization limits collection and retention of customer information to what is needed.

Administrative and Governance Safeguards

  • Security officer designated
    A qualified individual is designated to oversee the information security program.
  • Written information security program reviewed
    The written information security program has been reviewed and updated based on current risks and business changes.
  • Security awareness training completed
    Employees with access to customer information completed security awareness training within the required period.
  • Access provisioning and termination process reviewed
    Rate the effectiveness of joiner, mover, and leaver access controls.
  • Third-party oversight documented
    Service providers with access to customer information are identified, reviewed, and monitored with appropriate contractual and security oversight.

Technical Safeguards

  • Multi-factor authentication implemented for relevant access
    MFA is implemented for access to systems containing customer information where required by policy and risk.
  • Encryption in transit and at rest verified
    Sensitive customer information is encrypted in transit and at rest, or compensating controls are documented where encryption is infeasible.
  • Access logging and monitoring active
    Logging, alerting, and monitoring are enabled for systems that store or process customer information.
  • Patch and vulnerability management current
    Rate the effectiveness of patching and vulnerability remediation for in-scope systems.
  • Endpoint protection deployed on in-scope devices
    Antimalware/EDR controls are deployed and managed on endpoints that access customer information.
  • Privileged access reviewed
    Administrative and elevated access is limited, reviewed, and removed when no longer needed.

Physical Safeguards and Facility Controls

  • Restricted areas protected from unauthorized access
    Offices, file rooms, server closets, and other restricted areas are secured against unauthorized entry.
  • Paper records stored securely
    Paper records containing customer information are stored in locked cabinets or otherwise protected when not in use.
  • Workstations and screens protected from casual viewing
    Screens, printers, and desks are positioned or configured to reduce unauthorized viewing of customer information.
  • Secure disposal available for records and media
    Shredding, destruction, or secure media disposal methods are available and used for sensitive records and devices.

Risk Findings, Remediation, and Approval

  • Deficiencies and non-conformances documented
    Summarize all identified deficiencies, non-conformances, and critical items that require remediation.
  • Corrective action plan assigned
    Document owners, target dates, and remediation steps for each finding.
  • Residual risk accepted by management
    Management has reviewed the results and accepted any remaining residual risk.
  • Inspector signature
    Inspector attestation that the annual risk assessment was completed accurately.