Compliance - GLBA Safeguards Rule

Quick Links

Document status

In Progress

Target release

2023 / Q2

Epic Link

https://www.interactcp.com/taskaroo/Project/Edit?projectId=1273

Document owner

Jenn Ouderkirk

Lean Canvas

GLBA Safeguards Compliance

Dealer Cost

Value Add

Requirements

None


Overview

Objective

The GLBA Safeguards Rule requires compliance from website vendors that collect or process financing information on behalf of dealers/shoppers. Full compliance must be in place by 6/9/23 (pushed out from the original deadline of 12/9/22). LV Legal Dept has reviewed the compliance rules and asked the Ignite platform to address 4 primary areas of concern regarding MFA, passwords, and encryption.

Success metrics

Goal | Metric
--- | ---
All existing and new users will have password requirements & MFA instituted |
Credit app passwords will be obfuscated and reset to improved complexity requirements |
LV Legal will approve implementation of requirements for compliance |
Dealers will have communication to help them answer compliance inquiries. |

How Does it Work

This information is directly provided by the FTC website - https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Design and implement safeguards to control the risks identified through your risk assessment. Among other things, in designing your information security program, the Safeguards Rule requires your company to:

FTC Safeguard Rule: Implement and periodically review access controls. Determine who has access to customer information and reconsider on a regular basis whether they still have a legitimate business need for it.

Ignite Platform Technical Resolution:

  1. If a user account is currently disabled and has not been logged into in the last 90 days, its permissions will be removed, so that permissions must be intentionally re-applied if the account is reinstated.

  2. If a user account has not logged in for over 1 year, it will be disabled and its permissions removed.

FTC Safeguard Rule: Know what you have and where you have it. A fundamental step to effective security is understanding your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience.

Ignite Platform Technical Resolution:

  1. The iCC system meets all the technical requirements of this rule through its built-in data history tracking.

FTC Safeguard Rule: Encrypt customer information on your system and when it’s in transit. If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.

Ignite Platform Technical Resolution:

  1. We have obfuscated the credit app password within iCC so that it cannot be easily seen by others who may be looking at the screen.

  2. We also increased the minimum password requirements for creating/updating a credit app password.

  3. We also recommend that dealers set up their own password manager to store their credit app password more securely; it also lets them share that password with their team members more securely.

FTC Safeguard Rule: Implement multi-factor authentication for anyone accessing customer information on your system. For multi-factor authentication, the Rule requires at least two of these authentication factors: a knowledge factor (for example, a password); a possession factor (for example, a token), and an inherence factor (for example, biometric characteristics). The only exception would be if your Qualified Individual has approved in writing the use of another equivalent form of secure access controls.

Ignite Platform Technical Resolution:

  1. MFA requires at least two authentication factors. The iCC system has implemented:

    1. a “Knowledge Factor”: the user has to enter a username and password.

    2. a “Possession Factor”: the user has to set up and use a QR Code Authenticator before gaining access to iCC.


Technical Details

Requirements

Requirement: Passwords for CP

  • Will be tied to Identity Server (Guardian Web App or GWA, foundation for portal)

  • Accounts will be auto-disabled after xx days of no login (instead of the current notification)

  • If accounts are disabled and stay not logged in for an additional 3 months, permissions will be removed so that, if the account is ever reinstated, permissions will need to be reviewed/properly assigned based on then-current needs

  • Additional password requirements will be applied, and all users (internal/dealer) will need to change their passwords to meet the new requirements and/or we will have to change/communicate to them

User Story: As the Ignite platform, we need to have additional security in place for password requirements.

Importance: HIGH

Requirement: Addition of 2FA for CP

  • 2-Factor Authentication will be required for CP users (may be optional for non-credit app users)

User Story: As the Ignite platform, we need to have additional security in place for password requirements.

Importance: HIGH

Requirement: Credit App Password updates

  • Credit App passwords will have new password requirements applied, and all dealer credit app passwords will need to be changed to meet the new requirements

  • All credit app passwords will be obfuscated in CMS field(s) and will require a 2nd authorization to view

  • NOTE: Working with LeadVenture Enterprise toward getting rid of all internal credit apps – timing TBD – so that we can get out of this completely

Importance: HIGH

Requirement: Encryption

  • It will be verified that the encryption in place for credit app info at rest and in transit meets requirements

Importance: HIGH

Requirement: Brute Force Attacks

  • It will be verified that the brute force attack prevention tools in place meet requirements

Importance: HIGH

Requirement: Ops steps

  • Legal final review/signoff & "standard" response

  • Legal final review/signoff for all "special" responses requested – REMINDER: add task, tag Compliance project

  • Dealer & team member communications

Importance: HIGH

User interaction and design

Open Questions

Question

Answer

Date Answered


Out of Scope

 

Additional Details

 


Setup Guide

 

Instructions

  1.  

 


Termination Guide

 

Instructions

  1.