7 Replies

  • You find yourself in the unenviable position of being taken to the cleaners!

    You want to find a consultant who helps you make decisions but earns zero dollars on those decisions so they are completely impartial about those recommendations - i.e. making them because they are the right suggestions, not the ones that get them the most money in their pocket.

    This likely means you'll need to hire two groups of people - the consultants AND implementers.

    The reason for this is what I've already said - the consultants work for you - they have your best interest in mind.

    Implementers/MSPs/resellers - whatever you want to call them, they work for themselves.  Their job is to make their company the most money (whether they specifically say that or not).  This isn't a bad thing - it's just A thing.

  • I say you're ripe to be taken to the cleaners because now that there are new regulations, every Tom, Dick and Harry will be coming at you to buy their package that gets you to compliance.  Your management is likely so unprepared (sounds like this kinda came out of nowhere) that they are, as you said, scrambling to get something done.

    Since you have so little time, some of those vendors know you won't know anything, won't have time to research, won't pay a knowledgeable person/firm, and they will sell you whatever they can get away with.

  • Dash is correct, no way to make it sound any better. We are healthcare and have been playing with HIPAA for a bit now; at first we used a consultant supplied by our insurance company. And like Dash said, he was a consultant. Worked ok for a few years, then we decided to do it ourselves.  Now we are looking to go back to a consultant, in my eyes mainly for two reasons.

    One: I suggest something for security and they say too much hassle for users and no. A consultant says the same thing and they ask me why I have not done that yesterday.

    Two: Checking your own work is well and good, but it is always better to have an impartial third party check your work. They see things you missed or don't want to admit.

    Finding a new one would be nice, but I am running into too many implementors with their own agenda rather than a true consultant.

  • GDaddy wrote:

    One: I suggest something for security and they say too much hassle for users and no. A consultant says the same thing and they ask me why I have not done that yesterday.

    Oh god yes!  Which makes absolutely no sense!  They pay us for this job, yet they simply won't listen, but slap the title consultant on it - and suddenly there is weight behind it.

    GDaddy wrote:

    Finding a new one would be nice, but I am running into too many implementors with their own agenda rather than a true consultant.

    This is the key - you want someone who basically works for YOU, not themselves.  Anyone who sells you anything other than consulting can't help but be limited by what they are trying to sell you.
  • VikingMichael wrote:

    I am curious if there is anyone else here who finds their employer suddenly scrambling under the oncoming pressure of compliance with the FTC Safeguard Rules?
    • Why did this happen suddenly?
    • Since when have those auto dealers been included which are categorized in the referenced definition?
    • Does your company want to continue doing these leasing contracts in the current manner, or does it consider outsourcing that business activity to a leasing company and collecting commissions only?

    As far as I understood, auto dealers usually do not fall under such regulation. When I had to deal with auto dealers, they were not doing the leasing business themselves. They were only using cooperations with leasing companies, either of car manufacturers or of specialized banks. The forms and business decisions on the leasing contracts were not made by the auto dealers but by the leasing companies. The auto dealers were using the forms of these leasing companies and forwarding contracts to the leasing companies for acceptance, similar to their services forwarding insurance contracts to insurance companies.

    If your company considers outsourcing these leasing activities, it may consider doing some auxiliary services for the leasing company to get higher commissions. And implementing at least some of the mentioned controls for SMEs might not hurt either. E.g. a risk management process and a CRM are meaningful options nevertheless. They may not need to go into such detail as for compliance for leasing companies when leasing is no longer your business. A CRM makes sense e.g. for maintenance contracts or other service contracts. And with other service contracts, you might always want to check which constraints to respect so that these will not be considered insurance contracts.

    VikingMichael wrote:

    My employer has never had cyber security foremost in their list of day to day concerns (I do the best I can with what I'm given), but the decision that, as an auto dealer, we are now regulated like a financial institution, and we must be fully compliant by December 9, has my employer scrambling, which means the stuff is rolling downhill in my general direction.... 
    As far as I understood, auto dealers continue not to be considered a financial institution. The same applies for auto dealers offering short term (seasonal) leasing contracts, e.g. for RVs. The same applies for auto dealers having outsourced any long or medium term leasing contracts to leasing companies. Only those auto dealers which are acting as leasing companies themselves, as one of their business activities, with leasing contracts of duration beyond 90 days will be affected.
    And if your company continues to do business as currently, and reorganizes its leasing activities in its own department, such compliance requirements will not be for the whole company but only for that department. But in that case, it will still apply to IT as far as the IT for such a department is not sufficiently separate from the IT of the auto dealership.
    I'm not a US lawyer. But that's what I understood of those referenced regulations in a first quick read. In case of doubt, your company may want to get these options and their implications checked and confirmed by such a competent US lawyer.
    But as I wrote before, I'm used to auto dealers having outsourced leasing into cooperations with leasing companies, either of a car manufacturer if the auto dealer has a close cooperation with such a manufacturer, or with one of a specialized bank in the case of independent small auto dealers.
  • Thank you for your input, scheff1, but nothing you suggested is helpful in this situation. The FTC changed their rules with a new law that was passed in January and goes into effect in December, which has most auto dealerships being classified as financial institutions. Even if we completely removed leasing from our portfolio of services offered, which would cost us an insane amount of income, we would still fall under the new regulations. The article I linked in my original post details the changes, including why we are now regulated as if we were financial institutions.

  • Reply hidden by Spiceworks

    VikingMichael wrote:

    The article I linked in my original post details the changes, including why we are now regulated as if we were financial institutions. 

    I read that article but could only find the example on leasing to make auto dealers subject to such regulation for SMEs in the regulated financial business domain, eventually also brokering of insurance.

    VikingMichael wrote:

    The FTC changed their rules with a new law that was passed in January and goes into effect in December which has most auto dealerships being classified as financial institutions.

    When the law was passed in January, then the transition time 'til December should be sufficient. I'm wondering what management has done in the meantime 'til now. And I did not understand where your company is currently standing, as you used different terms than those mentioned by the regulation for SMEs in the referenced article. E.g. this regulation does not require a CISO nor a formal qualification, but requires a qualified individual to be nominated and in charge of those safeguard rules. If most parts of these activities get outsourced, then this nominated qualified individual has to be a senior manager, otherwise has to be reporting directly to senior management, at least in this function of these safeguard rules. Or did I misunderstand that linked article also in this aspect?

    VikingMichael wrote:

    My employer has never had cyber security foremost in their list of day to day concerns (I do the best I can with what I'm given),

    The linked article does not mention cyber security to be on the list of day to day concerns. It mentions instead an established risk management process and an established information security process, supervised by a qualified individual.

    If your company needed bank financing or insurance coverage of business risks, then you likely already have at least a risk management process and at least elements of an information security process. These helped you to pay lower interest for financing, get renewal of your financing resp. credit line, and get a discount on the insurance bill.

    If you did not have any risk management process or elements of an information security process, the time remaining might be very ambitious to become compliant.

    VikingMichael wrote:

    but the decision that, as an auto dealer, we are now regulated like a financial institution, and we must be fully compliant by December 9, has my employer scrambling, which means the stuff is rolling downhill in my general direction.... 
    • And which stuff is rolling downhill in your direction?
    • Is it the risk management?
    • Is it the information security?
    • Is it the role of qualified nominee for safeguard rules?

    VikingMichael wrote:

    We aren't big enough to have a CISO,

    As I mentioned, this is usually not required for regulated SMEs. It's an option, not a requirement.

    VikingMichael wrote:

    I'm not confident (or paid) enough to handle all of the compliance related tasks myself, especially with potential failures to comply penalized to the tune of $40k US each occurrence.
    • Does this mean that you'll be this qualified individual in charge of these safeguard rules, seeking external assistance?
    • If not, what will be your role and relation with this qualified individual?

    VikingMichael wrote:

    We're looking for as close to an all in one provider who can help with these tasks. 

    No. Either it's me or your company which is not understanding your referenced article.

    Your risk manager or your qualified individual will want to do a risk assessment for these compliance requirements. An external consultant may help with such an assessment. You did not mention whether the risk manager and qualified individual are competent enough for such an assessment and might profit from external review by a competent consultant, or whether such a consultant is already needed for your company to do such an assessment. And it is the outcome of such a risk assessment which will determine what is appropriate, e.g. if a single provider might address the requirements. I doubt so. I expect different service providers being helpful for different risks needing better addressing.

    That's how I understood your referenced article and the recommendations by other Spiceheads to seek a consultant, not for the compliance implementation but for assisting your company in getting risk management and information security in line with compliance, regardless of which parts are outsourced and which parts are done by staff of your company.
