Free Resource

FTC SAFEGUARDS READINESS CHECKLIST

Use this checklist to assess your organization against core FTC Safeguards Rule program requirements. It is built for GLBA-covered businesses such as automotive dealerships, tax preparation firms, and financial service providers handling customer information.

How to use this checklist

  • Mark each item as Implemented, In Progress, or Not Started.
  • Assign an owner and target date to every gap.
  • Retain evidence for each completed control to support audits and underwriting reviews.
  1. 1

    Designate a Qualified Individual

    16 CFR 314.4(a)

    Readiness checks

    • Assign a named Qualified Individual responsible for the information security program.
    • Define authority, accountability, and reporting lines in writing.
    • Document succession coverage when the primary owner is unavailable.

    Evidence to retain

    • Role charter or job description.
    • Security governance chart showing ownership.
    • Executive communication naming the program owner.
  2. 2

    Perform and Maintain a Written Risk Assessment

    16 CFR 314.4(b)

    Readiness checks

    • Identify foreseeable internal and external risks to customer information.
    • Evaluate confidentiality, integrity, and availability impacts for each risk.
    • Define acceptance criteria and remediation timelines.

    Evidence to retain

    • Current written risk assessment.
    • Risk register with owners and due dates.
    • Assessment update history with review dates.
  3. 3

    Implement Access Controls

    16 CFR 314.4(c)(1)

    Readiness checks

    • Enforce least privilege by role and business need.
    • Review user access regularly and after role changes.
    • Disable dormant and terminated accounts promptly.

    Evidence to retain

    • Access control policy and role matrix.
    • Quarterly access review records.
    • Account disablement logs or tickets.
  4. 4

    Protect Data Through Encryption

    16 CFR 314.4(c)(3)

    Readiness checks

    • Encrypt customer information in transit and at rest where feasible.
    • Document compensating controls where encryption is infeasible.
    • Manage keys with defined ownership and rotation expectations.

    Evidence to retain

    • System encryption settings and standards.
    • Compensating control documentation where needed.
    • Key management procedures.
  5. 5

    Adopt Secure Development and Change Management Practices

    16 CFR 314.4(c)(2), 314.4(c)(8)

    Readiness checks

    • Use secure configuration baselines for new systems.
    • Review code and infrastructure changes for security impact.
    • Track and remediate vulnerabilities based on risk.

    Evidence to retain

    • Change management policy and workflows.
    • Baseline standards (endpoints, servers, cloud).
    • Patch and vulnerability remediation reports.
  6. 6

    Use Multi-Factor Authentication

    16 CFR 314.4(c)(5)

    Readiness checks

    • Require MFA for systems that process or access customer information.
    • Apply stronger controls for privileged and remote access.
    • Document any approved exceptions with expiration dates.

    Evidence to retain

    • Identity provider MFA policy screenshots or exports.
    • Exception register and approvals.
    • Privileged access control standards.
  7. 7

    Train Security Personnel and Relevant Staff

    16 CFR 314.4(e)

    Readiness checks

    • Provide recurring role-based security training.
    • Include phishing awareness and incident reporting procedures.
    • Measure completion and reinforce gaps with follow-up training.

    Evidence to retain

    • Training curriculum and annual schedule.
    • Completion reports and attestations.
    • Awareness testing outcomes.
  8. 8

    Monitor, Log, and Test Safeguards

    16 CFR 314.4(d)

    Readiness checks

    • Log security-relevant events and review them consistently.
    • Conduct periodic vulnerability assessments and penetration testing as applicable.
    • Track findings to closure with ownership.

    Evidence to retain

    • SIEM or logging review procedures.
    • Vulnerability scan and penetration test reports.
    • Remediation tracking artifacts.
  9. 9

    Oversee Service Providers

    16 CFR 314.4(f)

    Readiness checks

    • Evaluate vendors before they handle customer information.
    • Require contractual security obligations and incident notification terms.
    • Reassess critical providers periodically.

    Evidence to retain

    • Vendor due diligence checklist.
    • Security addendum or DPA language.
    • Periodic vendor reassessment records.
  10. 10

    Maintain Incident Response and Program Oversight

    16 CFR 314.4(h), 314.4(i)

    Readiness checks

    • Keep a written incident response plan with clear roles and workflows.
    • Evaluate and adjust safeguards based on business, threat, and operational changes.
    • If required, provide annual Qualified Individual reports to leadership/board.

    Evidence to retain

    • Incident response plan and tabletop results.
    • Program review meeting notes and action items.
    • Annual report package for leadership oversight.

Need help closing gaps?

Prometheus can help you prioritize remediation, document safeguards, and build an execution plan aligned to FTC requirements and practical business constraints.

Request a consultation