Skip to content

Security and Compliance

Introduction

CUDL understands that the security of its client and consumer data is critical both to the success of CUDL and its customers. As such, data security is important to CUDL and is part of everything we do, including product design, software development, customer support, and system administration. The overall information security program at CUDL is built upon:
  • Industry best practices
  • Compliance with laws and regulations
  • Contractual requirements

Additionally, the CUDL information security program is based on a “three lines of defense” model, whereby responsibility for information assurance is shared at multiple levels:

First line – end users represent the first line of defense in our strategy. As such, CUDL emphasizes security awareness training for both standard and administrative users. Additionally, security is made part of the software development lifecycle through secure coding training, established security guidelines, and additional code review. End users are responsible for abiding by established security policies, using the information systems in a manner that promotes security, and relaying risks and concerns to management. Second line – management represents the second line of defense. CUDL management is responsible for reviewing both the CUDL environment, evaluating the risks to the environment, and developing sound policies to help secure the environment. Third line – auditors represent the third line of defense. Both the internal audit function and external auditors help identify new and emerging risks, as well as ensuring that established processes are followed.

Industry best practices

CUDL has designed its security controls on industry standards and best practices. Such standards include the NIST Cyber Security Framework, NIST 800-53, and those described by the Center for Internet Security. By aligning the information security program to these standards, we believe that the program can deliver security throughout the data lifecycle today and continue to deliver security as technology evolves. Standard control areas include:
  • Asset management
  • Vulnerability management
  • Access control
  • Configuration management
  • Event log management
  • Malware defense
  • Boundary defense
  • Data backup
  • Data encryption
  • Business continuity / disaster recovery
  • Incident response

Key elements of this best practice security program include:

  • 24 x 7 security monitoring
  • Intrusion detection technologies, both at the network and host levels
  • Anti-malware detection and prevention
  • Site redundancy
  • File integrity monitoring
  • Central logging of key security events

Compliance with laws and regulation

Local, State, and Federal law CUDL understands that it exists in a complex world of laws and regulations. CUDL is committed to ensuring its security practices are in line with local, state, and federal laws. Policies and procedures have been established to address common requirements, such as:
  • Gramm-Leach Bliley Act (GLBA)
  • California SB 1386
  • Americans with Disabilities Act (ADA)
  • California Online Privacy Protection Act (CalOPPA)
  • Red Flags (as described in FACTA)
  • Bank Secrecy Act / Anti-Money Laundering (BSA/AML)

 Other regulatory and compliance requirements

Beyond legislative requirements, CUDL has conformed to several key regulatory requirements, largely those impacting the financial sector. CUDL believes that adopting practices that adhere to industry regulations and compliance initiatives helps ensure data security and privacy, as well as foster consumer and client confidence in CUDL. CUDL adheres to the following compliance frameworks:
  • AICPA SOC II Type II
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Experian’s Independent 3rd Party Assessment

Contractual requirements

CUDL may from time to time make other contractual commitments to one, several, or many clients. Additionally, CUDL requests that clients and vendors build security programs that meet minimal requirements to protect the information of our clients and their customers. While the specific content and basis of such information security programs is within those entities’ control, CUDL requires that the programs meet or exceed the control requirements detailed in the NIST Cybersecurity Framework. Disaster recovery CUDL maintains a rigorous disaster recovery plan for key services. Such disaster recovery is tested no less than annually to ensure viability of the plan. Maintenance windows CUDL reserves the right to have a maintenance window from 10 PM Pacific to 5 AM Pacific time on the third Saturday of the month. This maintenance window is to allow for preventive maintenance to critical and ancillary systems. During this maintenance window, all public facing systems may be unavailable.
X
 
 

Say “Hello” to the new CUDL Brand

For more than 25 years, the CUDL brand has been a driving force in helping dealerships close more deals. And now, we’re excited to share the NEW CUDL brand— rooted in a customer-first philosophy. Head to our website now to experience the new look…

Continue to CUDL

Keep me on CUDirect.com