FTC Safeguards Rule Annual Risk Assessment Worksheet
Annual FTC Safeguards Rule risk assessment worksheet for auto dealers and financial institutions to document customer data risks, review safeguards, and assign remediation before sign-off.
Built for: Auto Dealerships · Financial Institutions · Consumer Finance · Insurance Agencies
Overview
This worksheet is an annual written risk assessment for organizations that handle customer information and need to document how that information is protected. It is organized to walk from scope and recordkeeping, to data inventory and information flow, then through administrative, technical, and physical safeguards, and finally into findings, remediation, and approval. That structure helps the reviewer capture not just whether a control exists, but whether it is actually in place for the systems, people, and vendors that touch customer data.
Use this template when you need a repeatable record of the risks to customer information, the safeguards you reviewed, and the corrective actions assigned. It is especially useful for auto dealers and financial institutions subject to the FTC Safeguards Rule, but it can also support any internal security program that needs a written annual assessment. The worksheet is designed to surface deficiencies such as missing MFA, incomplete access termination, weak vendor oversight, or unsecured paper records before they become audit findings.
Do not use it as a generic cybersecurity checklist with no evidence trail. If your business does not collect customer information, or if you are looking for a one-time incident response form, this is the wrong template. It is also not a substitute for your written information security program; it is the assessment record that evaluates whether that program is working and where remediation is needed.
Standards & compliance context
- The worksheet supports the FTC Safeguards Rule expectation for a written risk assessment that evaluates risks to customer information and the safeguards in place.
- Its administrative, technical, and physical control sections align with common information security program expectations under FTC guidance and related industry practices.
- The data inventory and third-party oversight sections help document the control environment expected in financial services and auto retail compliance reviews.
- The remediation and approval section creates a written record of management review, which is useful when demonstrating accountability during an audit or exam.
- If your organization also follows broader security frameworks such as ISO 27001 or NIST-style controls, this template can be mapped into those programs without changing its FTC focus.
General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.
What's inside this template
Assessment Scope and Recordkeeping
This section matters because it defines the exact business units, systems, and customer information covered by the assessment and preserves the written record.
- Assessment period documented: Record the assessment period covered by this annual review.
- Business units and systems in scope identified: Select all business areas and systems that store, process, or transmit customer information.
- Customer information categories inventoried: Identify the categories of customer information maintained by the organization.
- Written risk assessment retained with supporting evidence: Confirm the assessment is documented and retained with supporting evidence, approvals, and remediation records.
Data Inventory and Information Flow
This section matters because you cannot assess risk accurately until you know where customer information is collected, stored, moved, retained, and destroyed.
- Data collection points mapped: Customer information collection points are identified for sales, service, finance, online forms, and third-party channels.
- Storage locations documented: All storage locations for customer information are documented, including cloud services, local devices, shared drives, and paper files.
- Data transmission paths reviewed: Inbound and outbound transmission paths for customer information are reviewed, including email, portals, APIs, fax, and file transfers.
- Retention and disposal controls defined: Retention periods and secure disposal methods are defined for records containing customer information.
- Unnecessary data minimized: Rate how effectively the organization limits collection and retention of customer information to what is needed.
Administrative and Governance Safeguards
This section matters because security ownership, training, access governance, and vendor oversight are often the first places control failures appear.
- Security officer designated: A qualified individual is designated to oversee the information security program.
- Written information security program reviewed: The written information security program has been reviewed and updated based on current risks and business changes.
- Security awareness training completed: Employees with access to customer information completed security awareness training within the required period.
- Access provisioning and termination process reviewed: Rate the effectiveness of joiner, mover, and leaver access controls.
- Third-party oversight documented: Service providers with access to customer information are identified, reviewed, and monitored with appropriate contractual and security oversight.
Technical Safeguards
This section matters because it checks whether core protections like MFA, encryption, logging, patching, and endpoint defense are actually in place.
- Multi-factor authentication implemented for relevant access: MFA is implemented for access to systems containing customer information where required by policy and risk.
- Encryption in transit and at rest verified: Sensitive customer information is encrypted in transit and at rest, or compensating controls are documented where encryption is infeasible.
- Access logging and monitoring active: Logging, alerting, and monitoring are enabled for systems that store or process customer information.
- Patch and vulnerability management current: Rate the effectiveness of patching and vulnerability remediation for in-scope systems.
- Endpoint protection deployed on in-scope devices: Antimalware/EDR controls are deployed and managed on endpoints that access customer information.
- Privileged access reviewed: Administrative and elevated access is limited, reviewed, and removed when no longer needed.
Physical Safeguards and Facility Controls
This section matters because paper files, workstations, and disposal practices can expose customer information even when digital controls are strong.
- Restricted areas protected from unauthorized access: Offices, file rooms, server closets, and other restricted areas are secured against unauthorized entry.
- Paper records stored securely: Paper records containing customer information are stored in locked cabinets or otherwise protected when not in use.
- Workstations and screens protected from casual viewing: Screens, printers, and desks are positioned or configured to reduce unauthorized viewing of customer information.
- Secure disposal available for records and media: Shredding, destruction, or secure media disposal methods are available and used for sensitive records and devices.
Risk Findings, Remediation, and Approval
This section matters because it turns observations into accountable corrective actions and records management acceptance of any remaining risk.
- Deficiencies and non-conformances documented: Summarize all identified deficiencies, non-conformances, and critical items that require remediation.
- Corrective action plan assigned: Document owners, target dates, and remediation steps for each finding.
- Residual risk accepted by management: Management has reviewed the results and accepted any remaining residual risk.
- Inspector signature: Inspector attestation that the annual risk assessment was completed accurately.
How to use this template
1. Enter the assessment period, business units, systems, and customer information categories so the worksheet clearly defines what is in scope.
2. Map where customer information is collected, stored, transmitted, retained, and disposed of, including paper files, shared drives, cloud tools, and vendor systems.
3. Review each safeguard section with the responsible owner, record what is implemented, and note any deficiencies or non-conformances with supporting evidence.
4. Assign corrective actions, owners, and due dates for every gap, then document any interim controls that reduce exposure while remediation is pending.
5. Confirm residual risk with management, capture the approval signature, and retain the completed worksheet with the evidence used to support the assessment.
Best practices
- Document the actual systems and data flows in use today, not the ones described in old policies or org charts.
- Treat paper records, printed reports, and exported spreadsheets as in-scope customer information, not as exceptions.
- Verify MFA, encryption, logging, and endpoint protection by evidence or configuration review rather than by attestation alone.
- Record each deficiency in observable terms, such as a missing access review or an unencrypted laptop, so remediation owners know exactly what to fix.
- Review third-party access, remote support tools, and cloud sharing settings separately, because vendor risk often hides outside the core network.
- Assign one owner and one due date for every corrective action so findings do not linger without accountability.
- Keep the assessment tied to your written information security program so changes in policy, systems, or vendors trigger an update.
Frequently asked questions
Who should use this FTC Safeguards Rule annual risk assessment worksheet?
Use it if your organization is an auto dealer or financial institution subject to the FTC Safeguards Rule and you need a written annual risk assessment. It is also useful for any business that stores customer information and wants a structured record of risks, controls, and remediation. The worksheet is designed for the person coordinating compliance, not just IT, so it can capture governance, technical, and physical safeguards together. If you are outside the rule’s scope, you can still adapt it as an internal security review template.
How often should this assessment be completed?
This worksheet is built for an annual risk assessment, which is the normal cadence expected under the FTC Safeguards Rule. Many organizations also update it after major changes such as a new system, a vendor change, a security incident, or a merger. If your data flows or access model change mid-year, waiting until the next annual cycle can leave a gap in your written record. The template helps you keep a dated assessment history and show when follow-up actions were assigned.
What does the template cover that an ad hoc checklist usually misses?
It ties together scope, data inventory, safeguards, findings, remediation, and approval in one written record. Ad hoc checklists often miss the evidence trail, the residual risk decision, or the connection between a specific deficiency and the corrective action assigned. This worksheet also forces you to document where customer information is collected, stored, transmitted, and disposed of, which is where many assessments become incomplete. That structure makes it easier to defend the review during an audit or exam.
What kinds of customer information and systems should be included?
Include the customer information categories and systems that are actually in scope for your business, such as application data, paper records, shared drives, cloud tools, email, endpoints, and third-party platforms. The template is meant to capture where information enters the business, where it is stored, and how it moves between teams or vendors. It should not be limited to the core system of record if staff export data to spreadsheets or local devices. If a system can access customer information, it belongs in the inventory.
Who should complete and approve the worksheet?
The assessment is usually coordinated by the designated security officer or compliance lead, with input from IT, operations, and business owners. Technical safeguards should be validated by someone who understands the environment, while governance and remediation decisions should be reviewed by management. The approval section is important because it records who accepted the residual risk and who owns the follow-up actions. That division of responsibility helps prevent the worksheet from becoming a purely IT document.
How does this template align with FTC Safeguards Rule expectations?
It is structured to support the written risk assessment, safeguard review, and remediation tracking expected under the FTC Safeguards Rule. The sections cover administrative, technical, and physical safeguards, plus data inventory and third-party oversight, which are common exam focus areas. It also creates a place to document deficiencies and management approval, which helps show that risks were evaluated and not just noted. You should still tailor the content to your actual program and business model.
What are the most common mistakes when using this worksheet?
Common mistakes include listing controls without checking whether they are actually enabled, leaving out paper records and exported files, and failing to assign owners for remediation. Another frequent issue is treating the assessment like a one-time form instead of a written record that reflects current systems and vendors. Teams also sometimes skip residual risk approval, which leaves the record incomplete. The template is most useful when every finding has a clear owner, due date, and status.
Can this worksheet be customized for vendors, cloud tools, or multiple locations?
Yes. You can add vendor-specific review fields, separate business units by location, or expand the data flow section to cover cloud storage, managed service providers, and remote access. If you use multiple systems or franchises, it helps to duplicate the inventory and safeguard sections for each environment so the assessment stays specific. The template is intentionally editable so you can match your actual operating model instead of forcing everything into one generic checklist. That makes it easier to reuse year after year.
How does this fit with other security frameworks or audits?
This worksheet can complement ISO 9001-style audit records, internal security reviews, and vendor oversight programs, but it is written for FTC Safeguards Rule compliance. If you already maintain a broader information security program, you can map the findings from this assessment into your existing corrective action process. It also works well alongside incident response, access review, and training records because those documents often provide the evidence this worksheet references. The key is to keep the annual assessment as the central written summary.