Why You Need a Safeguards Rule Qualified Individual (QI)
Any non-bank financial institution under FTC jurisdiction that collects financial data from its customers needs a Qualified Individual (QI) to meet the recently amended and enforced FTC Standards for Safeguarding Customer Information, better known as the FTC Safeguards Rule. This includes mortgage lenders, payday lenders, other companies that make loans, landscaping and automotive businesses that offer customer financing, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and financial advisors, and tax preparation firms.
The Safeguards Rule sets specific standards for protecting the customer information entrusted to financial institutions. The very first control element in the Safeguards Rule is to designate a “Qualified Individual” (QI) who is responsible for overseeing, implementing, and enforcing the company’s information security program.
The most common question is “What is the Qualified Individual’s role, and how do we find someone who meets our needs?” This individual is critical to complying with the Safeguards Rule. A QI must have the expertise and qualifications to manage and maintain the program effectively, because the program is what actually protects sensitive customer data.
With that question in mind, here are 7 things to consider when searching for your Safeguards Rule Qualified Individual (QI):
1. Do they have experience with and understand IT governance, risk management, and compliance?
To be effective in the QI role, the individual must have a firm grasp of how the company’s governance activities (e.g., policies, procedures, and plans) and its risk assessment and risk management activities feed into compliance with the Safeguards Rule. That insight is one of the most important qualifications and will determine how effectively they can assess your security posture and recommend improvements.
2. Do they have experience assessing and auditing information security/cyber security systems?
Many people in the IT community come to the table with technical experience in systems or network administration. Sound assessment skills, however, are harder to find. A good assessor knows how to interpret the bigger picture and convert it into pointed interviews, document examination, and hands-on testing that reveal the true state of your compliance and security posture. Skimming through yes/no questions is not sufficient.
3. Do they have tools/processes/resources in place to validate compliance?
This goes hand in hand with the previous point. To evaluate the program effectively, an assessor must have solid resources at their disposal: a good assessment plan and the means to execute it. They then need to translate the findings into actionable, understandable recommendations that you can use to improve your program.
4. Do they have experience in conducting and/or interpreting vulnerability scanning and penetration testing results?
This is a key component of the Safeguards Rule: absent effective continuous monitoring, the rule requires annual penetration testing and vulnerability assessments at least every six months (and whenever there are material changes to your operations or systems). Vulnerability scanning identifies known weaknesses in your systems, such as missing patches and misconfigurations, while penetration testing determines whether an actual attacker could exploit those weaknesses, including by chaining several of them together. Interpreting both kinds of results is a specialized skill held by a much smaller subset of IT and cybersecurity professionals.
5. Do they have experience with on-premises, cloud, and/or hybrid environments?
As companies move away from locally hosted storage and applications, the QI needs to understand the benefits and challenges of each of these environments, including how responsibility for security is shared with a cloud provider and where customer information actually resides.
6. Do they have experience in evaluating the supply chain?
It is one thing to evaluate your own IT systems, but that does not necessarily translate into being able to evaluate all the service providers and software vendors used in your business operations. The Safeguards Rule requires you to oversee those service providers, and if they store, process, or transmit your customer information, they are a potential source of compromise. It is therefore critical to know what to ask them and how to interpret their responses, so you can make informed decisions about the risk of using them.
7. Are they independent?
One of the first places companies look when searching for a QI is their managed service provider. This is generally not considered best practice, as it is akin to the fox guarding the henhouse. One of the core concepts of cybersecurity and the corresponding frameworks is separation of duties, a principle closely related to least privilege: the party that operates and maintains a system should not be the party that audits it. Having the same company both manage the system and assess it is an inherent conflict of interest. The auditing and assessing functions need to be performed by an independent party.
The questions above are indicative of what the QI will need in order to evaluate your security posture and comply with the Safeguards Rule. While you could use an internal person as your QI, do they have the time, resources, and expertise? You could also hire a dedicated individual, but someone with all of these skills is expensive. Most service providers are great at managing your IT infrastructure, but they fall short on documentation, and more importantly, they should not be assessing their own work. So even if a provider offers that service, the best practice is to have an independent third-party firm perform the assessment.
Duffy Compliance Services checks all these boxes without your needing to hire a dedicated Safeguards Rule Qualified Individual (QI). Let us help you address these areas and achieve and maintain FTC Safeguards Rule compliance.