Run FTC Safeguards Rule Annual Risk Assessment Worksheet — Free

Assessment Scope and Recordkeeping

Assessment period documented critical (required)

Record the assessment period covered by this annual review.

Business units and systems in scope identified critical (required)

Select all business areas and systems that store, process, or transmit customer information.

Note (optional)

Customer information categories inventoried critical (required)

Identify the categories of customer information maintained by the organization.

Note (optional)

Written risk assessment retained with supporting evidence critical (required)

Confirm the assessment is documented and retained with supporting evidence, approvals, and remediation records.

Yes No N/A

Data Inventory and Information Flow

Data collection points mapped critical (required)

Customer information collection points are identified for sales, service, finance, online forms, and third-party channels.

Yes No N/A

Storage locations documented critical (required)

All storage locations for customer information are documented, including cloud services, local devices, shared drives, and paper files.

Yes No N/A

Data transmission paths reviewed critical (required)

Inbound and outbound transmission paths for customer information are reviewed, including email, portals, APIs, fax, and file transfers.

Yes No N/A

Retention and disposal controls defined

Retention periods and secure disposal methods are defined for records containing customer information.

Yes No N/A

Unnecessary data minimized

Rate how effectively the organization limits collection and retention of customer information to what is needed.

Administrative and Governance Safeguards

Security officer designated critical (required)

A qualified individual is designated to oversee the information security program.

Yes No N/A

Written information security program reviewed critical (required)

The written information security program has been reviewed and updated based on current risks and business changes.

Yes No N/A

Security awareness training completed critical (required)

Employees with access to customer information completed security awareness training within the required period.

Yes No N/A

Access provisioning and termination process reviewed

Rate the effectiveness of joiner, mover, and leaver access controls.

Third-party oversight documented critical (required)

Service providers with access to customer information are identified, reviewed, and monitored with appropriate contractual and security oversight.

Yes No N/A

Technical Safeguards

Multi-factor authentication implemented for relevant access critical (required)

MFA is implemented for access to systems containing customer information where required by policy and risk.

Yes No N/A

Encryption in transit and at rest verified critical (required)

Sensitive customer information is encrypted in transit and at rest, or compensating controls are documented where encryption is infeasible.

Yes No N/A

Access logging and monitoring active critical (required)

Logging, alerting, and monitoring are enabled for systems that store or process customer information.

Yes No N/A

Patch and vulnerability management current

Rate the effectiveness of patching and vulnerability remediation for in-scope systems.

Endpoint protection deployed on in-scope devices critical (required)

Antimalware/EDR controls are deployed and managed on endpoints that access customer information.

Yes No N/A

Privileged access reviewed critical (required)

Administrative and elevated access is limited, reviewed, and removed when no longer needed.

Yes No N/A

Physical Safeguards and Facility Controls

Restricted areas protected from unauthorized access critical (required)

Offices, file rooms, server closets, and other restricted areas are secured against unauthorized entry.

Yes No N/A

Paper records stored securely critical (required)

Paper records containing customer information are stored in locked cabinets or otherwise protected when not in use.

Yes No N/A

Workstations and screens protected from casual viewing

Screens, printers, and desks are positioned or configured to reduce unauthorized viewing of customer information.

Yes No N/A

Secure disposal available for records and media

Shredding, destruction, or secure media disposal methods are available and used for sensitive records and devices.

Yes No N/A

Risk Findings, Remediation, and Approval

Deficiencies and non-conformances documented critical (required)

Summarize all identified deficiencies, non-conformances, and critical items that require remediation.

Corrective action plan assigned critical (required)

Document owners, target dates, and remediation steps for each finding.

Residual risk accepted by management critical (required)

Management has reviewed the results and accepted any remaining residual risk.

Yes No N/A

Inspector signature critical (required)

Inspector attestation that the annual risk assessment was completed accurately.

Get your results

Enter your email — we'll send you a PDF of your filled-out template, plus the occasional MangoScoop newsletter (templates, workflow tips, product updates). Unsubscribe anytime — link is in every email.

Email (required)

Your name (optional)

Run: FTC Safeguards Rule Annual Risk Assessment Worksheet

Assessment Scope and Recordkeeping

Data Inventory and Information Flow

Administrative and Governance Safeguards

Technical Safeguards

Physical Safeguards and Facility Controls

Risk Findings, Remediation, and Approval

Get your results