Access Controls Safeguard Customer Information
Saturday, October 01, 2011
By Trevor Foo, CISA, CISM, MCSE, MCDBA (tfoo@mbafcpa.com)
published in Professional Auto News
Besides the reams and piles of paper on which most dealerships capture, store, and transmit customer information, there are many technology systems that are also used. There is of course the DMS, the email server, the local area network (LAN), and let's not forget the many workstations that are used to access the DMS, LAN, and Internet-based systems from the various manufacturers or creditors. All of these devices and systems capture, store, or process customer information. The presence of all of this information, coupled with several regulations (Gramm-Leach-Bliley Act 1999 and ID Theft Red Flag 2007) and standards (Payment Card Industry Data Security Standard) related to safeguarding non-public customer information, has placed dealerships in the same category as financial institutions. All of these regulations highlight the need to manage access to customer information as a key control.
Physical Access Controls
Physical access controls refer to the measures taken to prevent someone from walking up to your information technology (IT) asset (e.g. PC, server, or other network device) and accessing information stored on it. Some practical recommendations any organization can follow are:
- place the servers and other critical network equipment in a secure room to which only authorized employees are granted access;
- maintain a record of all access to the server by persons who do not normally have access, such as vendors, auditors, and employees outside of the IT department;
- implement network policies to automatically lock all workstations after 15 minutes or less of inactivity;
- secure access points (wired and wireless) in public areas.
Logical Access Controls
Logical access controls are those measures that are implemented and enforced as part of the various applications and systems to prevent unauthorized access to sensitive customer information. There are two main subcategories of logical access controls:
- Password Management
- Data Access Controls
Password Management
Typically, security is compromised at the weakest link, and the weakest link can be an easily guessed or intercepted password. Quite often a dealership may have a strong password policy for its DMS but completely neglect the LAN password policy since "there is no customer information stored on the local servers". This is very similar to having no security on the front door of your home while you install heavy locks on the bedroom door because that is where you keep your most valuable items. Often reports are run on the DMS and exported to the local servers for later reference, or an employee may maintain duplicate data in an Excel or Word document on their local PC. Therefore, it is highly recommended that password policies be standardized across all platforms and applications.
Default passwords shipped with servers, operating system software, or applications should always be changed when the hardware or application is installed or implemented. Use passwords that meet minimum basic standards. Some basic password guidelines include configuration of:
- Enforce password history - This setting prohibits users from reusing old passwords. Recommended setting: 24 passwords remembered;
- Maximum password age - Ensures that passwords are changed frequently enough to make cracking or guessing them harder. Recommended setting: between 30 and 90 days;
- Minimum password age - Ensures that users cannot cycle through the password history to get back to a past password. Recommended setting: 2 days;
- Minimum password length - Ensures that passwords have a minimum length to make them harder to crack. Recommended setting: 8 characters;
- Password complexity - Ensures that passwords meet a certain minimum complexity. For example, a password should contain characters from at least three of the four categories (upper-case letters, lower-case letters, numbers, non-alphanumeric symbols), it should not be a word that is easily associated with you such as your first or last name, and it should not be a word listed in the dictionary. Please note that passwords that meet these requirements are not necessarily strong. For instance, the password "Password1" meets these requirements.
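A small policy checker that implements the settings listed above, added here as an illustration (it is not code from the article or from MBAF). The banned-word list, the sample names and the password history are constructed for the demonstration; a real deployment would draw on a full dictionary list.

```python
import re
import string

# Recommended settings from the article.
MIN_LENGTH = 8
HISTORY_SIZE = 24
CATEGORY_MINIMUM = 3  # characters from at least three of the four categories

# Constructed stand-in for a dictionary / banned-word list (demo only).
BANNED_WORDS = {"password", "dealer", "welcome", "summer"}


def character_categories(pw):
    """Count how many of the four character categories the password uses."""
    cats = 0
    cats += any(c.isupper() for c in pw)
    cats += any(c.islower() for c in pw)
    cats += any(c.isdigit() for c in pw)
    cats += any(c in string.punctuation for c in pw)
    return cats


def meets_complexity(pw):
    """The mechanical checks a system password policy can enforce by itself."""
    return len(pw) >= MIN_LENGTH and character_categories(pw) >= CATEGORY_MINIMUM


def violates_guidance(pw, user_names=(), history=()):
    """Return the reasons a policy-compliant password is still weak."""
    reasons = []
    lowered = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)  # strip digits/symbols
    for name in user_names:
        if name.lower() in lowered:
            reasons.append(f"contains user name '{name}'")
    if letters_only in BANNED_WORDS:
        reasons.append("dictionary word with decoration")
    if pw in list(history)[-HISTORY_SIZE:]:
        reasons.append(f"reused within last {HISTORY_SIZE} passwords")
    return reasons


def evaluate(pw, user_names=(), history=()):
    """Combine the system policy with the end-user guidance."""
    if not meets_complexity(pw):
        return ("reject", ["fails system complexity policy"])
    reasons = violates_guidance(pw, user_names, history)
    return ("reject", reasons) if reasons else ("accept", [])
```

meets_complexity("Password1") returns True, which is exactly the caveat in the text; only the dictionary and user-name checks in violates_guidance reject it.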
Besides the system password policy, there should also be a company policy to provide end-user guidance regarding best practices such as:
- passwords should not be shared;
- passwords should not be displayed or written down;
- passwords should not be given to another employee;
- do not set browsers to remember user credentials (ID and password).
Some tips on selecting passwords include:
- using unrelated words, such as NUKARGO (New-Car-Go);
- using special characters !, #, $, and @, such as $$TALKS2 (Money Talks Too);
- using the first letters of a phrase, such as MHALL (Mary Had A Little Lamb).
Password controls alone will not prevent unauthorized individuals from accessing your data. It is important to utilize appropriate data access controls on your server.
Data Access Controls
Data access controls are measures to prevent unauthorized access to files and data. For example, application configuration files should only be fully accessible to administrators, while end-users may only need read and execute access rights. It is often easier to assign EVERYONE full access, which is incorrect. File access levels should be administered appropriately for users or groups of users depending on what application is being invoked. Care should be taken to grant users access only to those functions that are necessary to perform their job responsibilities. Remember to:
- restrict data access to authorized users;
- classify data to appropriate levels of security;
- close down accounts quickly after the termination or transfer of an employee;
- not share accounts;
- use "Guest" access sparingly.
Monitoring
Monitoring of access rights is also a very important aspect of both logical and physical controls. It is recommended that all user access privileges and group memberships are reviewed at least once every year in each application or system. Reviews should include everyone who uses the system, including users who are given special privileges. This should be documented, including the personnel responsible for the review, and stored in a secure location. For those dealerships that use physical security systems for granting access to restricted areas such as the server room, these access rights should also be reviewed to ensure that they are in compliance with job changes and employee turnover.
As part of the monitoring function it is also important to perform a risk assessment periodically in order to identify the risk associated with each critical IT asset. This risk assessment should identify potential threats, the source and type of each threat, the likelihood of the threat occurring, and the controls that are in place to mitigate the risk. This assessment can be captured in a matrix similar to the one shown below in figure 1. Dealers should seek professional assistance to perform an independent risk assessment of their IT assets.
Figure 1
Conclusion
Access controls are only one area of overall general computer controls, but it is the area with the greatest impact on safeguarding customer information as required by the Gramm-Leach-Bliley Act and the ID Theft Red Flag Rules Act. It is also probably the most neglected area for the following reasons:
- often persons in management positions are resistant to strong password practices because it "slows them down;"
- the dealership may depend on its vendors to set the level of data access controls without questioning or ensuring compliance with company policies;
- policies do not exist to establish a baseline against which to measure compliance;
- flexibility is given greater preference over security - a balance is preferred.
Safeguarding the confidentiality and integrity of customer information is no longer just a best practice for dealerships. It's now a legal requirement, and recent cases demonstrate that lack of compliance can be very costly. As a result, we encourage you to take steps to ensure that access control follows a formal procedure and that it meets or exceeds industry best practices.
(Trevor Foo, CISA, CISM, is a senior manager in the Technology Consulting Department at Morrison, Brown, Argiz & Farra, LLC. If you would like a complimentary initial consultation or wish to discuss the general operations of your dealership, please contact Trevor at tfoo@mbafcpa.com or 1-800-239-1474. MBAF is home to one of the country's largest auto dealership practices, and is independently ranked as the largest Florida-based public accounting and consulting firm in the state. For fifteen years, the firm has been consistently ranked Best of the Best as one of the top 25 performing firms in the country. For more information, visit www.mbafcpa.com.)
Printed with the permission of Professional Auto News
