Notifications & Messages

Jared Hamilton
From: Jared Hamilton
Hey - It’s time to join the thousands of other dealer professionals on DrivingSales. Create an account so you can get full access to the articles, discussions and people that are shaping the future of the automotive industry.
Erik Nachbahr, CISSP

Erik Nachbahr, CISSP President

Exclusive Blog Posts

Master Class Homework Packet: HCM Business Plan

Master Class Homework Packet: HCM Business Plan

For those of you in a Master Class, You’ve just learned about creating a Human Capital Management business plan and how it can systematically help…

Create Change with the People-Process-Technology Framework 

Create Change with the People-Process-Technology Framework 

How many times did you come back from a 20-group or a DSES 2020, DrivingSales Executive Summit, with a great idea that can help your organization get the r…

You Down with OTT? Yeah, You Know Me! | KPI Cafe Season 5 Episode 8

You Down with OTT? Yeah, You Know Me! | KPI Cafe Season 5 Episode 8

To finish out our season on budgeting, Reunion's CEO Dave Spannhake returns to discuss programmatic media with KPI Cafe's Host Dane Saville. From t…

Don't Forget About Your Managers.

Don't Forget About Your Managers.

When we are hit with an unprecedented situation - out of left field - it can easily derail your dealer's efforts. Sustaining everything you have worked…

How to Make Your Social More than Click | KPI Cafe Season 5 Episode 7

How to Make Your Social More than Click | KPI Cafe Season 5 Episode 7

Continuing our series on budgeting, CEO Dave Spannhake and Host Dane Saville dive into the setup of and best practices for your dealership's paid socia…

Not Ready for the CCPA? Take These Steps Before January.

By now California dealers are aware of the California Consumer Privacy Act (CCPA), which takes effect in January, 2020. This law requires businesses to take “reasonable measures” to secure consumers' personal and identifiable information (PII), such as names, addresses, social security numbers, credit card numbers, credit scores and bank account numbers.

The California Attorney General defines “reasonable measures" as compliance with 20 controls established by the Center for Internet Security (CIS). The amount of work required to get a typical dealership compliant is more than 1,200 hours and approximately six months, so if your dealership hasn’t started you’re unlikely to be compliant by the January deadline.

However, there are steps you can take to demonstrate that you’re working towards compliance, if you should need to do so for legal reasons. The first step is to order a GAP analysis.

GAP Analysis/Risk Assessment

A GAP analysis from a qualified vendor will determine the current state of your IT infrastructure, and where it falls short of CCPA requirements.

This process involves security experts who will inventory and assess all of your dealership’s hardware, software and network equipment to find areas of vulnerability.

Upon completion of this step, you’ll receive a remediation plan that identifies the gaps between where your dealership’s IT is now compared with the CIS Controls’ best practices. The remediation plan is basically a list of recommendations that include new hardware, software, policies, procedures and processes.

Depending on the current state of your IT it’s always possible that no new hardware, policies or procedures are needed. However, in most cases some updates will be necessary.

Since the CCPA wasn’t just written for dealerships, remediation steps won’t be required for all 20 CIS Controls. For example, CIS Control 18 relates to software development best practices, which don’t apply to most dealerships. As for the other controls, it’s important to know there’s some leeway in the interpretation of the CCPA’s “reasonable measures.” What’s reasonable for an auto dealership might not be reasonable for another type of business, and vice versa. This is why it’s important to hire security experts with knowledge of both the CCPA requirements and of the car business.

Once your GAP Analysis and remediation plan are complete, it’s time to start working on the controls. If you’re starting late, a reasonable goal is to complete the first five CIS controls:

Step 1: Inventory and Control of Hardware Assets

This control requires businesses to inventory, track and manage all hardware devices that connect to your network so that only authorized devices are given access.

Step 2: Inventory and Control of Software Assets

This control requires businesses to inventory, track and manage all software on the network so that only authorized software is installed. Additionally, you’re required to maintain an up-to-date list of all authorized software that includes the name, version and install date. Also, install and use a whitelisting tool to ensure that only authorized software can execute.

Step 3: Continuous Vulnerability Management

Information technology (IT) isn’t static. The CCPA requires that all businesses continuously acquire, assess and take action on new information in order to identify vulnerabilities and minimize opportunities for cybercriminals.

Step 4: Controlled Use of Administrative Privileges

To prevent hackers from gaining access to your system, the CCPA requires the use of tools designed to ensure that only authorized individuals have privileges. Additionally, multi-factor authentication and encrypted channels for all administrative account access are required.

Step 5:  Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

The default configurations on new hardware devices and software are geared towards ease of deployment, not for security. But many businesses never change these configurations, making it easy for cybercriminals to gain access to your system.

The CCPA requires businesses to develop secure configuration settings using configuration management tools. Once configured, these settings need to be continually monitored to prevent security decay as new vulnerabilities are reported.

These five controls are only a fraction of what needs to be done to protect your customer data, but the good news is they can be accomplished relatively quickly so that you can demonstrate your dealership is making the effort to become compliant.

 Unlock all of the community & features  Join Now