FTC Provides Practical Guidance for Cyber Risk Management

The U.S. Federal Trade Commission has published practical guidance for cyber risk management that is useful for organizations of all kinds and sizes.

Start with Security: A Guide for Business specifies ten fundamental cyber risk management principles based on lessons learned from the FTC’s law enforcement actions to June 2015. The Stick with Security blog posts supplement those principles with additional insights and hypothetical examples from the FTC’s data security investigations.

Following are the ten principles (and related rules) discussed in the Stick with Security blog posts:

1.         Stick with security. Don’t collect personal information you don’t need. Hold on to information only as long as you have a legitimate business need. Don’t use personal information when it’s not necessary. Train your staff on your standards, and make sure they’re following through. When feasible, offer consumers more secure choices.

2.         Control access to data sensibly. Restrict access to sensitive data. Limit administrative access.

3.         Require secure passwords and authentication. Insist on complex and unique passwords. Store passwords securely. Guard against brute force attacks. Protect sensitive accounts with more than just a password. Protect against authentication bypass.

4.         Store sensitive personal information securely and protect it during transmission. Keep sensitive information secure throughout its lifecycle. Use industry-tested and accepted methods. Ensure proper configuration.

5.         Segment your network and monitor who’s trying to get in and out. Segment your network. Monitor activity on your network.

6.         Secure remote access to your network. Ensure endpoint security. Put sensible access limits in place.

7.         Apply sound security practices when developing new products. Train your engineers in secure coding. Follow platform guidelines for security. Verify that security features work. Test for common vulnerabilities.

8.         Make sure your service providers implement reasonable security measures. Do your due diligence. Put it in writing. Verify compliance.

9.         Put procedures in place to keep your security current and address vulnerabilities that may arise. Update and patch software. Plan how you will deliver security updates for your product’s software. Heed credible security warnings and move quickly to fix the problem.

10.       Secure paper, physical media, and devices. Securely store sensitive files. Protect devices that process personal information. Keep safety standards in place when data is en route. Dispose of sensitive data securely.

The FTC’s guidance provides a useful summary of important cyber risk management best practices that are consistent with guidance issued by Canadian government agencies, regulators and self-regulatory organizations. For example, see Cybersecurity Guidance from Canadian Securities Administrators, Cybersecurity Guidance for Small and Medium Size Enterprises, Cyber Risk Management Guidance from the Canadian Securities Administrators, Cybersecurity Guidance from Mutual Fund Dealers Association of Canada, Cybersecurity Guidance from Investment Industry Regulatory Organization of Canada, and Cyber Risk Management Guidance from Financial Institution Regulators.

Preparing for Compliance with Canadian Personal Information Security Breach Obligations

G-7 Guidelines for Cybersecurity Assessment