Don’t let your technology cause you an $11,000 a day fine! There are four things that you must do regarding technology to protect your dealership against a violation of the safeguards rule: The Big Four
1. Take a risk assessment of your technology. Walk around the dealership–are there computer terminals left logged on? Have you adjusted your DMS system to automatically log off terminals or set up Windows screen savers with passwords?
2. Train your employees on how to handle viruses and have access to their computers such as passwords and the ability to log off.
3. Access your firewall and security if you have a LAN.
4. Get a security statement from all who have access to your electronic customer database; CRM, leasing, special finance software providers and follow-up companies. In the next section we tell you how to find out everyone who has access to your DMS system.

Protecting Your DMS System

The first line of defense involves protecting against employee and customer access to data.

User ID’s and passwords should be maintained by the local system administrator. All users must have their own, unique user ID and password. Use of generic IDs cannot be permitted. Application and security authority should be limited to only the system administrator and its substitute.

This month’s DMS workshop tells you how to generate a report from your computer system that will reveal which employee has access to which computer functions and features. Run the reports, focus on areas such as vehicle deal details, credit report databases and other history files that contain social security numbers, credit card and bank account numbers, as well as names, addresses and phone numbers.

For ADP users from the MAINT account select SECURITY MAINTENANCE MENU. Select UPDATE USER PROFILES. From the list of users select all (*) or individual users with the enter key. Once users are selected choose print and then “All User Information, User connection Information Only or User Account and Menu Access Only.” Please note this report can be quite lengthy. I recommend downloading the report to Excel for easer management.

Submitted by Jim Skeans, Jim Skeans Consulting Group LLC

For EDS Users from the DMS@NET main menu select System Administration then select option called Security. Review your users from this menu and change as required. Make sure only required personnel have the designation of ‘Security Officer.’ Consider if user needs access to all companies. If in doubt, limit to the store in which the user works. Review application access, sales, inventory, parts, service, etc. If an employee moves to a different department, remove access from other parts of the application. It is common to see an employee that has worked in many departments has access to many parts of the system they should not. Lastly, remove old IDs when an employee has left the organization.

Submitted by Dena Johnson.

For R+R Users from the System Director Main Menu (6000) select option three User Security Menu (6200). Choose option two Display/Print User Security (6220). Select the “Long Listing” option for full detail down to the feature level or start with the easer to work with “Detail Short Listing” for a smaller more application level listing of user access.

Submitted by Jim Skeans, Jim Skeans Consulting Group LLC

For UCS Users with the UCS system, you can use Program 197-20 to request customized security reports. These reports can be in full detail, summary or one-line formats. A number of powerful select options enable you to tailor the report to your particular needs. You can include or exclude information based on program numbers or a range of program numbers, departments, employee initials, expired or changed userIDs and access certain printed reports. You may also run reports that display “program security patterns.”

Program security patterns limit the functions employees can perform in specific programs based on their user IDs. For example, in service dispatching, you can set up technicians to be able to look at their assigned jobs only. They would not be allowed to change or delete jobs assigned to them.

Submitted by Landis Martin