Certification Programs


OSA Data Security Certification tells your clients and the market that your company cares about data security. This is an independent approach, based on industry input and experience from other markets, such as financial services and healthcare.

To support the rollout and ongoing implementation of OSA's Automotive Retail Data Security Guidelines (ARDSG), OSA provides a set of Data Security Certification Programs. These Certification Programs inspect and verify an organization's compliance with ARDSG. Companies completing a program and found to be in 100% compliance with the Guidelines are awarded an OSA Data Security Certification. As a result, dealers and other third parties can place higher confidence in these organizations' security protocols and procedures.

OSA developed the Certification Programs in concert with its Guidelines to address the important and growing need for automotive dealerships and their third party software and services providers to build and maintain secure data environments. Strong Federal and state regulations place increasing responsibility on dealerships and providers to take reasonable steps to ensure the security of sensitive consumer information. Dealers collect and manage more consumer information than most retailers and many financial institutions. The security burden on dealerships is high - and impacts third parties serving those dealerships, too.

OSA's ARDSG were developed with input from industry experts and participants, and are built on broad-based standards and procedures. These Guidelines are an independent approach to establishing expectations for providers within this space.

OSA developed its Certification Programs to support our Guidelines and create a rigorous self-validated or audited review of compliance with the Guidelines.

OSA's Certification Programs were developed with TruArx, a company with outstanding technical resources and certification experience in similarly complex and data-rich environments, such as financial and healthcare services. Among a large list of advantages, TruArx offers a secure on-line tool, TruView, that assists OSA's clients in evaluating and inspecting their data security processes and procedures. TruView, which is included in all of our Certification Program options, provides both base level assessment and ongoing improvement tracking, and is supported by TruArx's expertise, experience and technical know-how.

To meet a broad range of needs, OSA offers three distinct Certification Programs. All three Programs rely on the same ARDSG, use the same information and process review tool, and require 100% compliance to achieve OSA Data Security Certification.

  • For companies that work primarily with less-sensitive data (e.g., historic inventory and descriptions), OSA recommends a Self Assessment. In this program implementation, a company performs all data collection and uses TruView to complete the self-assessment, track any mitigation tasks and report on compliance. OSA reviews the reports to confirm 100% compliance, and provides a Self-Validated Certification.
  • For larger companies and those accessing and managing consumer and other sensitive data, OSA recommends a Validated approach. After initial set-up and provisioning by TruArx, a company performs its own data collection and assessment. The TruView tool provides the foundation for the data gathering and any necessary mitigation work. After completion of the assessment and confirmation of compliance, TruArx performs an on-site validation to sample processes and procedures, and provide an even stronger, independent assessment. OSA reviews the results and TruArx's report to confirm the results, and provides a Validated Certification.
  • And, for companies that lack the staff and resources to complete the necessary steps, we offer a Validated Plus approach. The process is the same as outlined in the Validated approach. TruArx and OSA provide data collection and assessment services (vs. in-house completion in the Validated and Self Assessment programs). 100% compliance with ARDSG is still required to receive a Validated Certification.

OSA Certifications are valid for 1 year. Then, recertification occurs. We anticipate annual consensus-driven updates to ARDSG, and there is generally enough change within one year to merit annual complete reviews. This yearly cycle allows dealerships and other third parties to retain confidence that the security protocols are current and reviewed regularly.

Our pricing approach for the Certification Programs is straightforward, and includes all the services we expect will be necessary to complete the program. All programs include access to and setup for TruView, and utilization of that tool for 1 year. Timing of the process is self-managed until the time Certification is requested. Then, a company has 90 days in which to complete any necessary mitigation steps (areas where compliance against ARDSG falls below 100%).