Becoming compliant with the Federal Trade Commission (FTC) Safeguards Rule is a great milestone for any organization. It marks the beginning of your ongoing cyber activities to protect client non-public information (NPI).

The DCS Core-Safeguards Rule maintenance packages are subscription-based services that address critical activities crucial to maintaining compliance and helping protect client NPI.

The maintenance packages are available in three service offerings. They range from basic activities to full virtual Chief Compliance Officer services, where we manage the majority of your FTC Safeguards Rule compliance activities. Regardless of your compliance obligations, these activities are best practices for maintaining a healthy cyber security posture.

Duffy Compliance Services Core-Safeguards Rule maintenance packages

Overall Value to You:

Reduces stress and burden of compliance

  • Our cyber security experts serve as your Safeguards Rule Qualified Individual (QI), reducing the stress and burden of complying with the FTC SGR.
  • The higher the service level, the less you need to worry about.
  • Safeguard Rule requirements related to security assessments, risk assessments, vulnerability scan report review/recommendations, vendor review, and QI Reporting are services we keep up to date for you.
  • We track scheduling and logistics for all engagements, so you don’t have to.
  • Our handling of your compliance regulations allows your staff to focus on core business activities.
  • You will always be ready to provide your most recent security assessment/report from a client, stakeholder, or regulator request. Up-to-date requirement assessment, risk assessment, QI reports, and monitoring reports/records are always available to you.
  • An independent third party performs these assessments. Some MSPs may offer this service, but that is like the fox watching the hen house.

Save Money

  • Easy to budget for because of our fixed-cost offering.
  • The maintenance program includes 20% savings off standard project rates and up to 30% for multi-year commitment.
  • Removes direct staff costs of outsourcing every project event.

Save Time

  • Reduces your staff’s assignments of ongoing compliance requirements so they can focus on core business activities, rather than ancillary tasks like assessments.

FTC Safeguards Rule QI Packages

Assess Controls [16 CFR Part 314.4(d)(1)]:

This is an assessment of all Safeguards Rule requirements contained in sections 314.3 and 314.4. It is common industry practice for assessments to occur annually. This assessment reviews whether you comply with the security requirements, as well as with your own security policies and procedures. Any identified deficiencies are added to a plan of action for remediation/mitigation activities.

Assessments are labor intensive and require trained individuals to complete. Performing a proper assessment means the assessor must have a strong understanding of industry tools, methodologies, and configurations needed to implement an effective system.

Conduct Risk Assessments [16 CFR Part 314.4(b)]:

Risk assessments at the organizational level are required to be performed periodically. Company decision makers can use this information to prioritize remediation or mitigation activities.

DCS will conduct an annual Risk Assessment of your business, related to the Safeguards Rule and the protection of NPI. Risk Assessments differ from vulnerability scanning in that they identify potential threat actors, threat events, likelihood of threat events, and impact to systems and assets that directly relate to the Safeguards Rule. Risk Assessments also provide company decision makers a path to prioritize remediation or mitigation activities. They help executives understand the threats to the business, not just to the devices on the network. Risk Assessments ultimately provide the overall business risk and expose the robustness of the cybersecurity program.

Annual Safeguards Rule Security Posture report [16 CFR Part 314.4(i)]:

Your designated Qualified Individual (QI) must provide an annual report that describes the security posture of the covered business to address compliance with the Safeguards Rule, identified risks, security assessment results, service provider safeguards, events or vulnerabilities detected, and any recommended changes to the security program.

Acting as your QI, DCS will provide an annual state-of-the-system report to meet the Safeguards Rule's requirements. This report allows client decision makers to make business and system decisions (including allocation of resources) to support and continue their compliance with the Safeguards Rule.

Annual Vendor Evaluation [16 CFR Part 314.4(f)(1) & (f)(3)]:

The Safeguards Rule requires covered entities to select and retain service providers who also maintain proper information safeguards, and to periodically reevaluate them. With a multitude of managed service providers eager to manage your system, how do you know if they have adequate protections in place? What questions should you ask? How do you know if their answers are acceptable? A primary area of expertise for Duffy is performing assessments and audits of businesses. We schedule annual evaluations on your behalf for all vendors whose product or service is used to store, transmit, or process NPI. All you need to do is review the information and make decisions based on it.

This annual evaluation is used to ensure the provider can protect NPI. DCS reviews the vendor's responses to our questions to verify that they maintain appropriate information security safeguards to protect client data.

Vulnerability Report Review and Recommendations [16 CFR Part 314.4(d)(2)(ii)]:

Periodically conducting vulnerability scans or penetration tests is a standard method of ensuring detectable vulnerabilities are addressed and removed. Duffy experts can help your current IT staff by making effective recommendations on how to prioritize and fix discovered issues.

This service provides an independent, unbiased review of the vulnerability scanning results related to company assets supporting the Safeguards Rule. DCS will provide the analysis of the scan/assessment and provide recommendations on remediations as frequently as monthly. DCS can also perform the vulnerability scanning services as an additional service.

As your advocate, we give you honest information on the threats and vulnerabilities identified in your system, so you can make decisions that make sense for you, without tactics designed to get you to buy more software or services.

Annual IR Tabletop Exercise:

DCS will develop incident response scenarios and conduct an annual tabletop exercise to test your incident response preparedness. DCS will run the exercise and compile an after-action report that can be used to help improve your incident response processes.

Security Awareness Training:

DCS will provide you with annual security awareness training that covers general security awareness, role-based training, and insider threat training.

Our training modules cover a wide range of topics, including phishing awareness, password management, data protection, social engineering, device security, and much more.

Red Flags Training:

To be in compliance with the Red Flags Rule, organizations must provide appropriate employees with Red Flags Rule training to identify and mitigate identity theft. This training covers types of identity theft, consequences to the business of consumer identity theft, required elements of a Red Flags Identity Theft Program, categories of red flags and how to detect them, and more.

Virtual Chief Compliance Officer (vCCO):

The Chief Compliance Officer ensures that an organization adheres to laws, regulations, and internal policies relevant to its industry. This includes overseeing ethical standards, managing risk, and implementing compliance programs. In some cases, especially for smaller businesses or organizations with budget constraints, hiring a full-time, on-site CCO may not be cost effective. DCS can serve as a vCCO to provide compliance expertise on a more flexible basis.

POAM Management:

Through the course of maintaining your FTC Safeguards Rule compliance, there will be many assessments and tests that will identify new system modification/upgrades as well as any deficiencies and vulnerabilities within your system. For this service, DCS will take the lead and manage those action items for you. This includes hours for updating related documentation as well as serving as the project manager for remediation that must be outsourced, such as fixes that must be performed by your Managed Service Provider (MSP).

FTC Safeguards Rule QI Packages

Services included (coverage varies by package level):

  • Annual Assessment of all SGR Security Controls
  • Annual Risk Assessment
  • QI Annual Report
  • Annual Vendor Evaluations
  • Vulnerability Management
  • Annual IR Tabletop Exercise
  • Security Awareness Training
  • Red Flags Training
  • Virtual Chief Compliance Officer (vCCO)
  • POAM Management

Package levels:

  • SGR-QI Basic
  • SGR-QI Core Plus
  • SGR-QI Core Premium

Assess CMMC Controls: We assess your organization against all 110 CMMC controls and 320 assessment objectives, spread out either quarterly or semi-annually. This assessment is a requirement of CMMC. Our program is designed to conduct this assessment over the course of the year to reduce the headaches of an all-at-once assessment, which can cause major disruption to business activities.

Conduct Risk Assessments: DCS will conduct an annual Risk Assessment of your business to identify potential threat actors, threat events, likelihood of threat events, and impact to systems and assets that directly relate to protecting CUI.

Test Incident Response Capabilities: DCS will develop incident response scenarios and conduct an annual tabletop exercise to test your incident response preparedness. DCS will run the exercise and compile an after-action report that can be used to help improve your incident response processes.

Vulnerability Management: This service provides an independent, unbiased review of the vulnerability scanning results. DCS will provide the analysis of the scan/assessment and provide recommendations on remediations as frequently as monthly. DCS can also perform vulnerability scanning services as an additional service.

Security Awareness Training: DCS will provide you with annual security awareness training that covers general security awareness, role-based training, and insider threat training.

Virtual Chief Compliance Officer (vCCO): The Chief Compliance Officer ensures that an organization adheres to laws, regulations, and internal policies relevant to its industry. This includes overseeing ethical standards, managing risk, and implementing compliance programs. In some cases, especially for smaller businesses or organizations with budget constraints, hiring a full-time, on-site CCO may not be cost effective. DCS can serve as a vCCO to provide compliance expertise on a more flexible basis.

POAM Management: Through the course of maintaining your CMMC certification, there will be many assessments and tests that will identify new system modifications/upgrades as well as any deficiencies and vulnerabilities within your system. For this service, DCS will take the lead and manage those action items for you. This includes hours for updating CMMC-related documentation as well as serving as the project manager for remediation that must be outsourced, such as fixes that must be performed by your Managed Service Provider (MSP).

CMMC Assessment Support: DCS will support your company during the CMMC assessment process by helping you submit documentation to your chosen C3PAO, serving as the company liaison during the CMMC assessment process, and helping remediate any POAM items identified during the CMMC assessment.

Interested in learning more?

We help you navigate through regulatory compliance by removing the stress of the unknowns. We make sense of complex cybersecurity and compliance jargon and create best practices for you.

Contact Duffy Compliance today.

We can help as a Fractional Compliance Officer and with CUI compliance, CMMC, Cyber Security Awareness Training, Supplier Performance Risk System (SPRS) Consulting, and more. We have several decades of cybersecurity and compliance experience in Maryland, the Greater Washington DC area, and beyond.