16 CFR §314.4 — Elements (FTC GLBA Safeguards Rule)
16 CFR §314.4 enumerates the nine required elements of the written information security program under the FTC Safeguards Rule.
Verbatim regulatory text
Verbatim provisions from 16 CFR §314.4 — Elements (FTC GLBA Safeguards Rule) — each quote is a verified substring of the regulator-published source snapshot, not retyped. Quoted for reference; this is not legal advice. The operational layer (P&P updates, prompts) lives in the regulation update kits.
16 CFR §314.4(a) — Designate a Qualified Individual
(a) Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program (for purposes of this part, “Qualified Individual”).
16 CFR §314.4(b) — Written, periodic risk assessment
(b) Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
16 CFR §314.4(c)(1) — Access controls authenticate authorized users and enforce least privilege
(1) Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to:
16 CFR §314.4(c)(3) — Encryption of customer information at rest and in transit over external networks
(3) Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest.
16 CFR §314.4(c)(5) — Multi-factor authentication for any individual accessing any information system
(5) Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls;
16 CFR §314.4(c)(6) — Secure disposal of customer information within two years of last use, with periodic retention review
(i) Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained; and
16 CFR §314.4(c)(8) — Monitor and log user activity to detect unauthorized access/use of or tampering with customer information
(8) Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
16 CFR §314.4(d)(2) — Continuous monitoring OR annual penetration test + semi-annual vulnerability assessment
(2) For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.
16 CFR §314.4(e) — Security awareness training and qualified security personnel
(e) Implement policies and procedures to ensure that personnel are able to enact your information security program by:
16 CFR §314.4(i) — Qualified Individual annual written report to board (or senior officer)
(i) Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body.
16 CFR §314.4(c)(1) — Access controls authenticate authorized users and enforce least privilege — enumerated items (chapeau recall fix)
(i) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information ; and (ii) Limit authorized users' access only to customer information that they need to perform their duties and functions, or, in the case of customers, to access their own information;
16 CFR §314.4(e) — Security awareness training and qualified security personnel — enumerated items (chapeau recall fix)
(1) Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment; (2) Utilizing qualified information security personnel employed by you or an affiliate or service provider sufficient to manage your information security risks and to perform or oversee the information security program; (3) Providing information security personnel with security updates and training sufficient to address relevant security risks; and (4) Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.