ThreatLocker and the FTC Safeguards Rule

6 min. read, last update: 06.14.2023


The FTC Safeguards Rule was created to lay out specific safeguards that covered entities must put into place to protect consumer information. Covered entities include all financial institutions within the FTC’s jurisdiction that aren’t subject to another enforcement authority. This includes mortgage lenders, credit counselors, car dealers, tax preparation firms, and more. Covered entities must implement the Safeguards Rule by June 2023. Title 16, Chapter 1, Subchapter C, Part 314, §314.4 outlines the criteria for building a “reasonable” information security program.

When configured correctly, ThreatLocker can assist organizations in becoming compliant with the FTC Safeguards Rule. We have done our best to identify how ThreatLocker can assist in meeting the Standards and Elements of §314.3 and §314.4. Where an Element or Standard is not listed below, ThreatLocker does not currently support it.

§314.3 Standards for safeguarding customer information. 

(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.

(b) Objectives. The objectives of section 501(b) of the Act, and of this part, are to:

  • (1) Insure the security and confidentiality of customer information;  
  • (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and  
  • (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
  • ThreatLocker can assist with meeting the objectives listed above. Application Allowlisting prohibits anything you haven't specifically permitted from running in your environment, which helps protect the security and confidentiality of customer data against threats and hazards.
  • Ringfencing™ can be configured to prevent applications from accessing your files, the internet, the registry, and other applications, including the powerful built-in Windows tools that are commonly exploited, protecting against threats and hazards.
  • Storage Control provides the capability to control access to your protected data and permit access only to the users and applications that require it.
  • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps (e.g., automated notifications or blocking access) to take if the parameter is met.
  • ThreatLocker Health Center can identify vulnerable machines and link to the offending policies for immediate revision.

§314.4 Elements 

(b)(2) “You shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks.”

  • ThreatLocker can assist with (b)(2). ThreatLocker Health Center can identify vulnerable machines and link to the offending policies for revision. 
  • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.

(c)(1)(ii) “Design and implement safeguards to control the risks you identify through risk assessment, including by implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to: limit authorized users’ access only to customer information that they need to perform their duties and functions, or, in the case of customers, to access their own information;”

  • ThreatLocker can assist with (c)(1)(ii). ThreatLocker Storage Control enables you to limit access to storage locations to only specific users and applications that need access to those locations to help protect consumer data.  

(c)(3) “Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest. To the extent you determine that encryption of customer information, either in transit over external networks or at rest, is infeasible, you may instead secure such customer information using effective alternative compensating controls reviewed and approved by your Qualified Individual;”

  • ThreatLocker can assist with (c)(3). Storage Control can enforce encryption on external media: set policies so that only encrypted external devices can access data locations.
  • Configuration Manager policies can be used to alert if BitLocker is not enabled on ThreatLocker protected computers, helping ensure data at rest is encrypted. 

(c)(8) “Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.”

  • ThreatLocker can assist with (c)(8). The Unified Audit creates a near-real-time log of all file access, including the hostname, the name of the logged-in user, and the file name, and records whether the access or attempt was a read, write, delete, or move. The Unified Audit log is retained for 30 days by default, but the retention period can be extended if desired. These logs cannot be edited or manually deleted; they are removed automatically only at the end of their retention period.

(d)(1) “Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.”

  • ThreatLocker can assist with (d)(1)(ii). ThreatLocker Unified Audit creates an audit log of all actions made by users, the SYSTEM account, or applications in your environment, traceable to the logged-in user to provide a central location from which you can monitor the activity occurring in your environment. 
  • When Storage Control is utilized, file access will be audited.
  • Application Allowlisting will enable the auditing of application usage.
  • Network Control will log all network activity, including the source IP address.  
  • ThreatLocker’s Health Center can identify vulnerable machines and link to the offending policies for immediate revision.  
  • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (e.g., automated notifications or blocking access) if the parameter is met.