Controls & Evidence
Readiness for the FTC Safeguards Rule (16 CFR Part 314) is evaluated one control domain at a time. For each domain, reviewers look for evidence that controls are designed properly and operating effectively. Below are the core control domains with minimum requirements and example evidence artifacts; section references are to § 314.4 of the rule.
What reviewers look for: Reviewers don't just check that policies exist. They verify that controls are operating as described, that evidence is produced on schedule, and that gaps are tracked and remediated. The evidence examples below show what "operating effectiveness" looks like in practice.
Qualified Individual
Designate a qualified individual responsible for overseeing, implementing, and enforcing the information security program, with sufficient authority and resources and with documented qualifications.
Requirements
- Designate a qualified individual to oversee and implement the information security program (§ 314.4(a))
- The qualified individual may be an employee, or may be employed by an affiliate or service provider; if outsourced, the institution still retains responsibility for compliance, must designate a senior employee to direct and oversee the qualified individual, and must require the provider to maintain an information security program of its own
- Deliver a written report to the board of directors or equivalent governing body at least annually, covering the overall status of the program and material matters such as risk assessment results, testing results, security events and the response to them, and recommended changes (§ 314.4(i))
- Ensure the qualified individual has the authority and resources needed to implement the safeguards program
- Document the qualifications, experience, and ongoing training of the designated individual
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Qualified individual appointment letter with defined scope of authority and reporting line | CISO | Annually |
| Annual board report covering overall security program status, risk assessment results, and material incidents | CISO | Annually |
| Organizational chart showing the qualified individual's reporting line and authority over information security | HR | Annually |
| Qualifications record including certifications, training history, and relevant experience | CISO | Annually |
Risk Assessment
Conduct a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, evaluates the sufficiency of existing safeguards, and drives remediation of identified gaps.
Requirements
- Maintain a written risk assessment documenting identified threats and vulnerabilities and stating how each identified risk will be mitigated or accepted (§ 314.4(b))
- Establish criteria for evaluating and categorizing identified risks and countermeasures, and for assessing the confidentiality, integrity, and availability of information systems and customer information
- Cover all systems, networks, and processes that store, transmit, or process customer information
- Reassess periodically and whenever material changes occur to the business, its operations, or the threat landscape
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Written risk assessment document with threat identification, likelihood ratings, and impact analysis | CISO | Annually |
| Threat and vulnerability register with severity rankings and mapped countermeasures | Security Lead | Quarterly |
| Remediation tracker showing identified gaps, assigned owners, target dates, and closure status | Compliance Officer | Quarterly |
Access Controls
Implement technical and administrative safeguards that restrict access to customer information, and to the systems that hold it, on a least-privilege basis, with documented request, approval, and periodic review processes.
Requirements
- Implement technical and administrative access restrictions on customer information systems (§ 314.4(c)(1))
- Apply least privilege: users receive only the access their job function requires, and only to the customer information they need to perform it
- Establish privileged access management with enhanced controls, justification, and recertification for administrative accounts
- Review access controls periodically, verifying that each entitlement is still appropriate and revoking access that is no longer needed
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Access control matrix mapping roles to permitted systems, data classifications, and privilege levels | IT Admin | Quarterly |
| Privileged access review logs showing administrative account justification and recertification | Security Lead | Quarterly |
| Access request and approval records with business justification and manager sign-off | IT Admin | Per request |
| User access deprovisioning records for terminated employees and role changes | HR | Per event |
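The access review evidence above is only useful if someone actually reconciles the identity provider's entitlements against the access control matrix and the HR roster. The script below is an added example of that reconciliation; it is not code from the page. The role matrix, HR roster, and IAM export are constructed inline and the privilege levels (read, write, admin) are an assumed scheme.

```python
"""Quarterly access review reconciliation (added example, not from the page).

Joins three constructed exports:
  ROLE_MATRIX - the access control matrix: role -> {system: maximum privilege}
  HR_ROSTER   - user -> (role, employment status), as exported from HR
  IAM_EXPORT  - (user, system, privilege) rows pulled from the identity provider
and produces the findings a reviewer has to act on: orphaned accounts,
terminated users still provisioned, access outside the role's entitlements,
and privilege above the matrix maximum.
"""
from dataclasses import dataclass

# Assumed privilege ranking; unknown levels rank highest so they are always flagged.
PRIV_RANK = {"read": 1, "write": 2, "admin": 3}

ROLE_MATRIX = {
    "loan_officer": {"loan_origination": "write", "crm": "write", "core_banking": "read"},
    "it_admin": {"loan_origination": "admin", "crm": "admin", "core_banking": "admin", "vpn": "admin"},
    "marketing": {"crm": "read"},
}

HR_ROSTER = {
    "alice": ("loan_officer", "active"),
    "bob": ("it_admin", "active"),
    "carol": ("marketing", "active"),
    "dave": ("loan_officer", "terminated"),
}

IAM_EXPORT = [
    ("alice", "loan_origination", "write"),
    ("alice", "core_banking", "admin"),       # exceeds matrix: loan officers get read only
    ("bob", "core_banking", "admin"),
    ("carol", "crm", "read"),
    ("carol", "loan_origination", "read"),    # system not permitted for marketing
    ("dave", "crm", "write"),                 # terminated user still provisioned
    ("svc_backup", "core_banking", "admin"),  # no HR record at all
]


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    privilege: str
    reason: str


def reconcile(roster, matrix, export):
    """Return one Finding per entitlement that the review must justify or revoke."""
    findings = []
    for user, system, priv in export:
        if user not in roster:
            findings.append(Finding(user, system, priv, "no HR record (orphaned or service account)"))
            continue
        role, status = roster[user]
        if status != "active":
            findings.append(Finding(user, system, priv, f"user is {status} but still provisioned"))
            continue
        allowed = matrix.get(role, {})
        if system not in allowed:
            findings.append(Finding(user, system, priv, f"role {role} has no entitlement to {system}"))
        elif PRIV_RANK.get(priv, 99) > PRIV_RANK[allowed[system]]:
            findings.append(Finding(user, system, priv, f"privilege exceeds matrix maximum {allowed[system]}"))
    return findings


def privileged_accounts(export):
    """Admin-level entitlements that need explicit recertification each quarter."""
    return sorted({(user, system) for user, system, priv in export if priv == "admin"})


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ROLE_MATRIX, IAM_EXPORT):
        print(f"{f.user:12} {f.system:18} {f.privilege:6} {f.reason}")
    print("privileged entitlements to recertify:", privileged_accounts(IAM_EXPORT))
```

Run against the constructed data it reports four findings (alice's admin on core banking, carol's loan origination access, dave's lingering CRM access, and the unowned service account) plus three admin entitlements to recertify. The output of a run, with the reviewer's disposition per row, is exactly the "privileged access review log" a reviewer expects to see each quarter.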
Data Inventory and Classification
Maintain a complete inventory of all systems and locations where customer information is stored, processed, or transmitted, with a classification scheme that drives proportionate safeguards.
Requirements
- Maintain an inventory of all systems, applications, and locations that store, process, or transmit customer information (§ 314.4(c)(2))
- Implement a data classification scheme that categorizes customer information by sensitivity
- Document data flows showing how customer information moves between systems, vendors, and storage
- Identify all storage locations including cloud services, backups, and employee devices
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Data inventory spreadsheet listing all systems, data types, storage locations, and responsible owners | IT Admin | Quarterly |
| Data classification policy defining sensitivity tiers and corresponding handling requirements | Compliance Officer | Annually |
| Data flow diagrams showing customer information movement across systems, networks, and third parties | Security Lead | Annually |
Encryption
Encrypt customer information in transit over external networks and at rest using industry-standard methods, with documented key management procedures and approved compensating controls where encryption is not feasible.
Requirements
- Encrypt customer information in transit over external networks (§ 314.4(c)(3))
- Encrypt customer information at rest on all storage systems, including backups and removable media
- Implement key management procedures covering generation, distribution, rotation, and revocation
- Where encryption is technically infeasible, secure the information with effective alternative compensating controls that the qualified individual has reviewed and approved, and document the justification
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Encryption standards document specifying algorithms, key lengths, and approved protocols | Security Lead | Annually |
| Key management records including rotation schedules, custodian assignments, and revocation logs | IT Admin | Quarterly |
| TLS configuration audit reports verifying cipher suites, certificate validity, and protocol versions | Security Lead | Quarterly |
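A TLS configuration audit is a comparison of what is deployed against the encryption standards document. The following is an added example of that comparison for nginx, not code from the page: it reads the ssl_protocols and ssl_ciphers directives out of a server block, flags anything outside a minimal assumed standard (TLS 1.2 and 1.3 only, no RC4/DES/MD5/NULL suites, no opaque OpenSSL cipher groups), and computes days remaining on a certificate from the notAfter string in the format Python's ssl module returns. Both configs and the certificate date are constructed.

```python
"""TLS configuration lint for nginx server blocks (added example, not from the page).

Lints the ssl_protocols and ssl_ciphers directives against a minimal encryption
standard and checks certificate validity from a notAfter string. The two
configs below are constructed: one legacy, one hardened.
"""
import re
from datetime import datetime, timezone

# Assumed "encryption standards document" expressed as data.
APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
OPAQUE_GROUPS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}
WEAK_PARTS = {"RC4", "DES", "3DES", "MD5", "NULL", "EXPORT", "aNULL", "eNULL", "SEED", "IDEA"}

WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:RC4-SHA:DES-CBC3-SHA:!aNULL;
    ssl_prefer_server_ciphers off;
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
"""


def _directive(config, name):
    """Return the whitespace-separated arguments of the first `name ...;` directive, or []."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", config, re.MULTILINE)
    return m.group(1).split() if m else []


def lint_tls(config):
    """Return a list of human-readable findings; an empty list means the block passes."""
    findings = []
    protocols = _directive(config, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set; nginx defaults may enable TLSv1/TLSv1.1 on older builds")
    for proto in protocols:
        if proto not in APPROVED_PROTOCOLS:
            findings.append(f"protocol {proto} is not in the approved set")

    cipher_args = _directive(config, "ssl_ciphers")
    cipher_list = cipher_args[0].split(":") if cipher_args else []
    for token in cipher_list:
        if token.startswith("!"):
            continue  # an exclusion, e.g. !aNULL, is what we want to see
        if token in OPAQUE_GROUPS:
            findings.append(f"cipher group {token} is opaque; enumerate approved suites explicitly")
            continue
        # Split a suite name such as DES-CBC3-SHA into its primitives and match exactly,
        # so AES256 is not mistaken for DES.
        weak = set(re.split(r"[-+]", token)) & WEAK_PARTS
        if weak:
            findings.append(f"cipher {token} uses weak primitive {sorted(weak)[0]}")
    return findings


def cert_days_remaining(not_after, as_of):
    """Days until expiry; not_after is in ssl.getpeercert() format, e.g. 'Jun 26 12:00:00 2025 GMT'."""
    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return (expires - as_of).days


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_tls(cfg) or "OK")
    # Constructed certificate date checked against a fixed as-of date, not the wall clock.
    print("days left:", cert_days_remaining("Mar 31 00:00:00 2025 GMT",
                                            datetime(2025, 3, 1, tzinfo=timezone.utc)))
```

Saving the per-host output with a timestamp, and treating any non-empty finding list as a remediation ticket, turns this into the quarterly audit report artifact. For live servers the same cert_days_remaining check can be fed from the notAfter field of ssl.SSLSocket.getpeercert(), which uses this date format.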
Secure Development
Adopt secure development practices for in-house applications that handle customer information, and procedures for evaluating the security of externally developed applications, including security testing, code review, and vulnerability remediation before deployment.
Requirements
- Establish secure development practices for all in-house applications that handle customer information, and procedures for evaluating, assessing, or testing the security of externally developed applications used for the same purpose (§ 314.4(c)(4))
- Conduct security testing, including vulnerability scanning and penetration testing, before deployment
- Implement code review processes that include security-focused review criteria
- Remediate identified vulnerabilities in custom software within defined, severity-based timelines
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Secure development lifecycle (SDLC) policy defining security gates, review requirements, and testing mandates | Development Lead | Annually |
| Security test results including vulnerability scan and penetration test reports for customer-facing applications | Security Lead | Per release |
| Code review records showing security-focused review completion and findings remediation | Development Lead | Per release |
Multi-Factor Authentication
Require multi-factor authentication for any individual accessing any information system that holds customer information, with documented exceptions approved in writing by the qualified individual and backed by compensating controls.
Requirements
- Require MFA for any individual accessing any information system that contains customer information (§ 314.4(c)(5))
- Require MFA for all remote access to the institution's network and systems, including vendor and administrative access
- Document every exception to the MFA requirement: the rule allows reasonably equivalent or more secure access controls only with the qualified individual's written approval, so each exception needs that approval, a named compensating control, and a review date
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| MFA enrollment reports showing coverage percentage across all customer information systems | IT Admin | Quarterly |
| MFA exception register with business justification and approved compensating controls | Security Lead | Quarterly |
| Authentication configuration documentation showing MFA enforcement settings per system | IT Admin | Annually |
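The coverage percentage and the exception register are only meaningful together: a user who is not enrolled is a gap unless a current, approved exception covers that user on that system. The script below is an added example of producing both numbers from an identity provider export, not code from the page. The enrollment rows, the exception register, the approver label "qualified_individual", and the as-of date are all constructed.

```python
"""MFA coverage report with exception validation (added example, not from the page).

Computes enrolled coverage per customer-information system and lists users who
are neither enrolled nor covered by a valid exception. An exception is valid
only if the qualified individual approved it, it names a compensating control,
and it has not lapsed as of the report date. All inputs are constructed.
"""
from datetime import date

# (user, system, mfa_enrolled) as exported from the identity provider
ENROLLMENT = [
    ("alice", "core_banking", True),
    ("bob", "core_banking", True),
    ("carol", "core_banking", False),
    ("dave", "core_banking", False),
    ("alice", "crm", True),
    ("carol", "crm", False),
    ("svc_reporting", "crm", False),
]

# Exception register: approver, compensating control, and expiry for each exception
EXCEPTIONS = [
    {"user": "svc_reporting", "system": "crm", "approved_by": "qualified_individual",
     "compensating_control": "network-restricted, certificate-bound service account",
     "expires": date(2025, 12, 31)},
    {"user": "dave", "system": "core_banking", "approved_by": "qualified_individual",
     "compensating_control": "hardware token pending", "expires": date(2024, 6, 30)},  # lapsed
]


def valid_exception(exc, as_of):
    """True only for a written, QI-approved exception with a named control that has not expired."""
    return (exc["approved_by"] == "qualified_individual"
            and bool(exc["compensating_control"])
            and exc["expires"] >= as_of)


def stale_exceptions(exceptions, as_of):
    """Exceptions that no longer justify an MFA gap and must be renewed or closed."""
    return [e for e in exceptions if not valid_exception(e, as_of)]


def mfa_report(enrollment, exceptions, as_of):
    """Return ({system: enrolled coverage %}, [(user, system) gaps with no valid exception])."""
    covered = {(e["user"], e["system"]) for e in exceptions if valid_exception(e, as_of)}
    totals, enrolled_counts, gaps = {}, {}, []
    for user, system, enrolled in enrollment:
        totals[system] = totals.get(system, 0) + 1
        if enrolled:
            enrolled_counts[system] = enrolled_counts.get(system, 0) + 1
        elif (user, system) not in covered:
            gaps.append((user, system))
    coverage = {s: round(100 * enrolled_counts.get(s, 0) / totals[s], 1) for s in totals}
    return coverage, gaps


if __name__ == "__main__":
    as_of = date(2025, 3, 31)  # constructed report date
    coverage, gaps = mfa_report(ENROLLMENT, EXCEPTIONS, as_of)
    print("enrolled coverage by system:", coverage)
    print("gaps without valid exception:", gaps)
    print("stale exceptions:", [(e["user"], e["system"]) for e in stale_exceptions(EXCEPTIONS, as_of)])
```

Coverage is reported as enrolled users only; exceptions are never counted as coverage, they only remove a row from the gap list. That keeps the percentage honest and makes a lapsed exception (dave's, above) reappear as a gap automatically instead of silently staying "covered".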
Secure Disposal
Securely dispose of customer information that is no longer needed, using methods appropriate to the media type, with documented verification and oversight of vendors that perform destruction.
Requirements
- Securely dispose of customer information in any format no later than two years after the last date it is used in connection with providing a product or service to the customer, unless it is still necessary for business operations, must be retained by law or regulation, or targeted disposal is not reasonably feasible given how it is stored (§ 314.4(c)(6))
- Periodically review the data retention policy to minimize unnecessary retention of customer information
- Use disposal methods appropriate to the media type: shredding, degaussing, cryptographic erasure, or secure wiping
- Maintain disposal logs and certificates documenting what was destroyed, when, how, and by whom
- Verify the disposal practices of vendors and service providers that handle customer information
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Disposal policy defining retention periods, approved destruction methods, and authorization requirements | Compliance Officer | Annually |
| Destruction certificates and disposal logs with dates, media descriptions, and method used | IT Admin | Per event |
| Vendor disposal verification records confirming third-party destruction practices meet requirements | Compliance Officer | Annually |
Change Management
Evaluate the security impact of changes to information systems handling customer information, with documented approval, rollback procedures, and post-change verification.
Requirements
- Evaluate the security impact of all changes to information systems that handle customer information (§ 314.4(c)(7))
- Implement a change approval process requiring security review before implementation
- Maintain rollback procedures for changes that introduce security regressions
- Conduct post-change verification to confirm security controls remain effective
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Change request logs with security impact assessment, approval signatures, and implementation dates | IT Admin | Per change |
| Security impact assessment templates completed for infrastructure, application, and configuration changes | Security Lead | Per change |
| Post-change verification records confirming that security controls function as expected after deployment | IT Admin | Per change |
Incident Response
Maintain a written incident response plan with defined roles, escalation procedures, FTC notification obligations for qualifying events involving 500 or more consumers, and mandatory post-incident review.
Requirements
- Maintain a written incident response plan covering goals, internal processes for detection, containment, eradication, and recovery, internal and external communications, remediation of identified weaknesses, documentation and reporting, and revision of the plan after an incident (§ 314.4(h))
- Define roles, responsibilities, and escalation paths for security incident response
- Implement notification procedures: notify the FTC as soon as possible, and no later than 30 days after discovery, of a notification event in which unencrypted customer information of at least 500 consumers was acquired without authorization (§ 314.4(j)); notification to affected customers is governed separately by state breach laws
- Conduct post-incident review to identify root causes and update safeguards accordingly
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Written incident response plan with detection procedures, containment steps, communication templates, and recovery checklists | CISO | Annually |
| Incident log recording all security events, severity classification, response actions, and resolution timestamps | Security Lead | Per incident |
| FTC notification records and customer breach notification documentation for qualifying incidents | Compliance Officer | Per incident |
| Post-incident review reports with root cause analysis, lessons learned, and remediation actions | CISO | Per incident |
Service Provider Oversight
Select and retain service providers based on their ability to safeguard customer information, with contractual security requirements and periodic, risk-based reassessment of each provider's compliance.
Requirements
- Take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards, using selection criteria that evaluate the provider's security posture (§ 314.4(f)(1))
- Require service providers by contract to implement and maintain appropriate safeguards for customer information (§ 314.4(f)(2))
- Periodically reassess each service provider's security practices based on the risk it presents and the adequacy of its safeguards (§ 314.4(f)(3))
- Monitor service provider compliance with contractual security requirements on an ongoing basis, including incident notification and audit rights
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Vendor risk assessment questionnaires and security evaluation reports for providers handling customer information | Compliance Officer | Per vendor onboarding |
| Contract excerpts showing security clauses, data handling requirements, incident notification obligations, and audit rights | Compliance Officer | Per contract |
| Vendor reassessment schedule and completed periodic review reports | Security Lead | Annually |
| Vendor compliance monitoring records including SOC reports, penetration test summaries, and corrective action tracking | Compliance Officer | Annually |
Evidence Naming Conventions
Organized, traceable evidence is critical for a smooth review. Adopting a consistent convention makes evidence retrieval faster and reduces friction.
Recommended format:
ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#
Key principles for evidence management:
- Centralized repository with access control and version history
- Consistent naming across all control domains and artifact types
- Defined cadence for each evidence type: event-driven, monthly, quarterly, or annual
- Immutable exports where possible to demonstrate evidence integrity
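A naming convention only helps if it is enforced at the point evidence is filed. The parser below is an added example of validating names against the recommended format and auditing a repository listing for the latest version of each artifact; it is not code from the page. The control ID shape (letters followed by digits, e.g. AC1), the period tokens (2025, 2025-Q1, 2025-03, or EVT for event-driven artifacts), and every filename in the listing are assumed conventions constructed for the example.

```python
"""Evidence filename validator and listing audit (added example, not from the page).

Checks that a name follows
    ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#
and that the artifact date falls inside the stated period, then reports the
latest version of each artifact in a repository listing. Control ID format,
period tokens and the listing are assumed conventions, not from the page.
"""
import re
from datetime import date, timedelta

PATTERN = re.compile(
    r"^(?P<control>[A-Z]+\d+)_"                     # assumed control ID shape, e.g. AC1, EN1
    r"(?P<system>[A-Za-z0-9-]+)_"
    r"(?P<artifact>[A-Za-z0-9-]+)_"
    r"(?P<date>\d{4}-\d{2}-\d{2})_"
    r"(?P<period>\d{4}(?:-Q[1-4]|-\d{2})?|EVT)_"     # 2025 | 2025-Q1 | 2025-03 | EVT (event-driven)
    r"(?P<owner>[A-Za-z]+)_"
    r"v(?P<version>\d+)"
    r"(?P<ext>\.[a-z0-9]+)?$"
)

# Constructed repository listing with three deliberately bad names.
LISTING = [
    "AC1_Okta_AccessReview_2025-03-31_2025-Q1_ITAdmin_v1.xlsx",
    "AC1_Okta_AccessReview_2025-03-31_2025-Q1_ITAdmin_v2.xlsx",
    "AC1_Okta_AccessReview_2025-04-02_2025-Q1_ITAdmin_v1.xlsx",   # date outside Q1
    "IR1_SIEM_IncidentLog_2025-02-14_EVT_SecurityLead_v1.pdf",
    "EN1_nginx_TLSAudit_2025-02-30_2025-Q1_SecurityLead_v1.pdf",  # impossible date
    "access review march.xlsx",                                   # no convention at all
]


def period_bounds(period):
    """Inclusive (start, end) dates for a period token, or None for event-driven (EVT) artifacts."""
    if period == "EVT":
        return None
    year = int(period[:4])
    if len(period) == 4:                                   # annual: 2025
        return date(year, 1, 1), date(year, 12, 31)
    quarterly = period[5] == "Q"
    start_month = 3 * (int(period[6]) - 1) + 1 if quarterly else int(period[5:7])
    start = date(year, start_month, 1)
    end_month = start_month + (3 if quarterly else 1)
    next_start = date(year + 1, 1, 1) if end_month > 12 else date(year, end_month, 1)
    return start, next_start - timedelta(days=1)


def parse_evidence_name(name):
    """Return the name's fields as a dict, or raise ValueError explaining why it is invalid."""
    m = PATTERN.match(name)
    if not m:
        raise ValueError("does not match ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#")
    fields = m.groupdict()
    artifact_date = date.fromisoformat(fields["date"])    # rejects impossible dates such as 02-30
    bounds = period_bounds(fields["period"])
    if bounds and not (bounds[0] <= artifact_date <= bounds[1]):
        raise ValueError(f"date {artifact_date} lies outside period {fields['period']}")
    fields["date"] = artifact_date
    fields["version"] = int(fields["version"])
    return fields


def audit_listing(names):
    """Return ({artifact key: latest version}, [error strings for names that fail validation])."""
    latest, errors = {}, []
    for name in names:
        try:
            f = parse_evidence_name(name)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
            continue
        key = f"{f['control']}_{f['system']}_{f['artifact']}_{f['date'].isoformat()}_{f['period']}"
        latest[key] = max(latest.get(key, 0), f["version"])
    return latest, errors


if __name__ == "__main__":
    latest, errors = audit_listing(LISTING)
    for key, version in latest.items():
        print(f"{key}: latest v{version}")
    for err in errors:
        print("REJECT", err)
```

Wiring parse_evidence_name into the upload path of the evidence repository rejects malformed names before they are stored, and audit_listing run on a schedule gives the reviewer a single current-version index per control, period, and artifact.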
AI and data companies: Standard controls are the baseline. See the AI-specific advisory modules for additional controls addressing data governance, prompt logging, RAG security, and model vendor risk.