Two regional auto parts companies merged to increase their competitiveness with national chains. But they almost immediately ran into an unexpected network monitoring problem. The IT manager tasked with consolidating the two companies’ network infrastructures found that neither company’s network monitoring products had Layer 2 and Layer 3 discovery capabilities. Without those capabilities, they lacked the detail needed to determine which devices to keep and which to upgrade, which would force them to spend more than they had budgeted for the project.

The only answer was to be a lot more selective about purchasing new gear. But his existing Layer 2 discovery software was no help. It didn’t gather enough detail on existing gear and utilization levels to help him decide what to keep and what to toss. He couldn’t afford to travel offsite to gather the additional information. Could Ipswitch help, he asked?

“Based on what you told me, you won’t need to travel anywhere,” the Ipswitch sales engineer said. Ipswitch WhatsUp Gold network monitoring software, combined with a WhatsConnected network mapping and topology software plugin, would give him the additional information he needed without having to leave his office.

It offers:

  • Full integration of automated Layer 2 and Layer 3 topology discovery and visualization
  • Rich mapping
  • Automated discovery of full port-to-port connectivity on networks of all sizes, regardless of location

Skeptical, the manager downloaded a trial copy of WhatsUp Gold network monitoring software and the WhatsConnected plugin suggested by the Ipswitch sales engineer. A few days later, he conducted a successful test audit of his data center’s network. With complete Layer 2 and Layer 3 details on every network device in hand, he bought the products. Ipswitch had also uncovered underused resources he could reconfigure for higher efficiency. Based on these results, he was sure he could find similar savings throughout the various sites slated for modernization.

Not long after, the manager reported to us that his staff completed the upgrade successfully and on budget. They had been able to recycle and repurpose a good amount of their network inventory. This helped them pay for new routers, switches and firewalls needed for the combined networks to operate under a single WhatsUp Gold user interface.

As a nice side benefit, they were able to reduce the cost of network monitoring over the combined network by 35%.

 

As mobile computing becomes ubiquitous, employees in all types of industries are enjoying the ability to access, share and update information – and be involved in processes even when they’re not in the office. But while mobility is a wonderful thing, it’s not enough on its own – especially for organizations in highly regulated industries. Such organizations need to make sure information and business processes are not just handled efficiently, but also securely. That’s where managed file transfer (MFT) comes in – it does more than help transfer files that are integral to daily processes; it keeps those files secure and makes it easier to integrate them into business processes. Here we share a few examples of how mobile compliance works in various industries.

Insurance: Initiating Claim Processes from Accident Sites
Insurance adjustors have had to manage much of their daily workload from the field for years. It’s undeniable that mobile devices have streamlined some of the tasks associated with conducting insurance appraisals remotely. But they still don’t address the need to secure the sensitive information being transmitted. In the past, adjustors would need to either wait until returning to the office to securely access internal systems, use a complex FTP client from a remote desktop, or mail documentation as part of a paper-based process.

With today’s MFT solutions, adjustors can securely transfer documents and images from their tablets. That means they can initiate the automated insurance claim review process while still at accident sites, getting their jobs done more quickly and efficiently.

Healthcare: Enabling Collaborative Patient Care
In rural and underdeveloped areas, physicians will often treat patients without access to a well-staffed medical facility featuring the latest medicines and diagnostic tools. Mobile devices such as cell phones make it possible to take and send pictures related to a patient case so doctors can get input from other physicians. But these images – and any associated information – comprise protected health information under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. And cell phones on their own don’t keep this information secure.

With MFT, a doctor can take a picture of a patient’s infection with her cell phone and send it securely as part of a patient record update process. Because MFT carries through the process, the medical records department is alerted to the availability of the picture, adds text information like the medical record number, uploads it to the patient record, and sends the picture to the practice management system. The pictures are made available to assisting specialists within the practice and instantly offer important context for collaborative treatment not previously possible. And because of MFT, the entire process satisfies HIPAA and HITECH requirements.

Finance: Freed to Securely Conduct Business from Anywhere
It’s a given that executives and managers in financial services companies need secure access to critical financial and portfolio information. But in the not-so-distant past, they were chained to their desks or forced to put sensitive information at risk using unsecured systems. Now with ready access to mobile devices, these employees are freed to conduct business whether they are at a client location, on a business trip, or even on the way home from work. But protection of sensitive financial information is still a concern.

The right MFT solution allows executives and managers to view sensitive financial documents and reports remotely without storing any unencrypted files on their devices. They can even automatically generate and securely transfer financial reports to appropriate executives. And if the files are not accessed within a pre-determined timeframe, they are automatically deleted, or can be automatically deleted after a pre-set number of views.

Streamline Processes While Ensuring Compliance
With the right MFT solution in place, those in insurance, healthcare, and finance can rest easy knowing they can enforce governance when it comes to the transfer of sensitive information. That’s because a robust MFT solution ensures sensitive information is protected during transfer, that only approved users can access sensitive data, and that the organization can understand at a glance any activity associated with the movement of sensitive files.

In my next post, I’ll show how MFT helps streamline and secure daily processes for those working remotely in non-regulated industries.

In my last post, I covered common regulations, who is affected, and what is required from a file transfer standpoint to satisfy them. In this post, I explain three steps your organization can take to make sure your file transfers satisfy regulatory requirements.

  1. Characterize the types of file transfers your firm does as part of its day-to-day business.
    Most firms are dependent on file transfers to get work done. For example, healthcare organizations send patient billing information to Medicare, financial firms confirm equity trades, and airlines schedule delivery of on-board food with their vendors. The first two require by law secure file transactions and an audit log of activities. While the third file transfer isn’t impacted by any regulation, best practice is to secure the information being exchanged.
  2. Craft policies and procedures to ensure your file transfer activities are in compliance.
    Lay out your workflows, focusing on the data and file transfers identified in step one above. Where is your data at risk? When undertaking your planning, addressing and defending against both internal and external threats is a critical part of the process. Hackers make the news but rogue employees can potentially cause damage over extended time frames and across your firm’s entire operations.
  3. Educate your people on the why’s and how’s of the policies and procedures.
    Many companies fall short on the operational execution of regulatory compliance. A significant cause of failure is poor communication. People respect policies when they understand their purpose and what they are defending against and the consequences of failure. For example, companies with dual-use technology, governed by ITAR, can lose their ability to export or do business if their products are sold to restricted countries. Imagine the impact to your organization if you lost 100% of your non-US revenue. Moreover, responsible individuals could go to jail. Other impacts are monetary fines of thousands of dollars. Or consider if a retailer exposes its customer credit information. The real impact is not the financial penalty. The potentially devastating impact is the loss of existing and future customers who lose trust in the firm’s brand and reputation.

In addition to spelling out the potential consequences of non-compliance, reinforce the use of existing file-transfer workflows, assuming you have designed these with compliance in mind.

Ensuring compliant file transfers
By taking these three practical steps, you can minimize the likelihood that your company’s file transfers will put the organization at risk of non-compliance with both internal policies and external requirements.

In addition, you can take advantage of Managed File Transfer (MFT) to more easily address compliance issues around a variety of regulations. MFT helps ensure sensitive information is protected during transfer. Leading MFT solutions also enable robust user access control. The user access control ensures only those who should ‘see’ sensitive data are able to. Plus, such solutions keep a journal of activities and historic audit logs. Together these features enable firms to meet their compliance needs by demonstrating governance around who has access to private data (e.g., credit card information) and demonstrate who accesses what and when.

We welcome any other suggestions for ensuring compliance when it comes to file transfers. Share your thoughts in the comments!

Increasingly, organizations need to comply with one or more regulations. If you are in this situation, you can satisfy auditors or regulators by proactively establishing measurable and repeatable policies and procedures to ensure effective access control. In my last post, I outlined three steps to achieve effective access control. Here I will cover common regulations, who is affected, and common file transfer security requirements.

Healthcare Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HIPAA-HITECH)

  • Who: Any organization – including hospitals, clinics, insurance brokers, and physician practices – that transmits or maintains health information.
  • Requirements: Organizations and their business associates must ensure that all file transfer containing personal health information is secured and that the sender and recipients are properly verified.

Sarbanes-Oxley (SOX)

  • Who: Companies that are publicly registered on US stock exchanges (e.g., NYSE, NASDAQ). Holds executives personally accountable for violations. Increased penalties for corporations with >$75 million in market capitalization.
  • Requirements: All companies must establish ‘internal controls’ on financial information and obtain an auditor’s opinion on management’s assessment. Encryption of financial information during file transfer is required to ensure data integrity.

J-SOX

  • Who: Companies that are publicly registered on Japanese stock exchanges.
  • Requirements: Management must provide an assessment of its internal control over its financial reporting and obtain an auditor’s opinion on management’s assessment. Encryption of financial information during file transfer is required to ensure data integrity.

BASEL-II & BASEL-III

  • Who: Banks, insurance firms, and other financial institutions. Sets international standards for banking regulators to control how much capital banks need to put aside to guard against financial and operational risks.
  • Requirements: Firms must protect their IT networks and associated data as part of reducing operational risk. This includes safeguarding data (such as through encryption), file transfers, and operator interaction, to name a few.

Personal Credit Information – Data Security Standard (PCI-DSS)

  • Who: PCI DSS applies to all entities involved in payment card processing (e.g., credit, debit, prepaid cards, etc.) – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
  • Requirements: Secure storage and transmission of cardholder data against unauthorized disclosure, protection against malware, and other threats to the integrity of the cardholder data.

International Trade in Arms Regulation (ITAR) & Export Administration Regulations (EAR)

  • Who: US-based companies whose products fall under either the ITAR’s United States Munitions List (USML) of restricted articles and services or EAR’s Commerce Control List (CCL) of regulated commercial items, including those items that are so-called ‘dual-use’ or have both commercial and military applications.
  • Requirements: Establish protocols to prevent the disclosure or transfer of sensitive information to a foreign national.

The Data Protection Act of 1998

  • Who: Organizations or individuals based in the United Kingdom (UK).
  • Requirements: Organizations must establish policies and procedures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

In my next post, I’ll cover three steps your organization can take to further address your compliance requirements, so check back soon!

 

A facilities manager at a global real estate firm called recently. He was literally hot under the collar. Company headquarters on the U.S. West coast had been fitted two years earlier with a new HVAC system. It was designed to showcase the firm’s commitment to environmental efficiency. A month before we heard from him, temperatures at HQ started to unexpectedly spike up to the high 80s. And just as quickly subside. More than a few hot heads began to complain.

The contractor who installed the system checked every device but couldn’t find the problem. The facilities manager told us, “Every time the heat kicked in, I tried to monitor network bandwidth on the HVAC controls network for anomalies. But the temperature would return to normal before I could find any latency with network requests.”

He knew that tracking network bandwidth levels would lead to the source of the problem. But he couldn’t find a product that would do that job until he learned about WhatsUp Gold Flow Monitor from Ipswitch. The network bandwidth monitor measures data from multiple devices and ports that can be grouped together by type. It can then report and create alerts when traffic bottlenecks threaten to degrade performance.

Ipswitch Flow Monitor supports common network bandwidth management formats and protocols including NetFlow, sFlow, J-Flow, IPFIX and NSEL. The network bandwidth monitor software can manage application performance and oversee network traffic prioritization policies. It ultimately saves money by minimizing wasted bandwidth.

The facilities manager had Flow Monitor installed by his IT team. They configured thresholds to track the volume of traffic between:

  • Network interfaces
  • Conversation pairs
  • Failed connections per host
  • Top senders/receivers

He found the device causing the problem using the product’s unified dashboard. The device was immediately replaced.

The heat miser was banished.

NHBC is the National House Building Council, a building standards and insurance warranty provider in the United Kingdom. By implementing a Managed File Transfer (MFT) solution, NHBC is able to effectively ensure a constant flow of secure, confidential, copyright and personal documents and communications – a necessity in the heavily regulated insurance and building sectors. We spoke with Wayne Watson, information security manager for NHBC, to find out why MFT is critical to satisfying internal standards and external regulations.

Q. What issues was your organization facing?

We faced a regulatory challenge. We conduct our own internal audit, and are audited every year by the Financial Conduct Authority (FCA), which has very stringent guidelines regarding the transfer and management of sensitive data. Our challenge is proving to the FCA auditors the types of files and data that are leaving the company. If you don’t comply with the FCA – such as by losing or exposing someone’s financial information – you can get hit by a fine of 250,000 pounds. Plus it would damage our reputation, which we’ve built over 75 years, and people could turn to our competitors. Moreover, we need to comply with the Data Protection Act.

The threat is external because everyone who deals with us tends to want to use their solution, such as DropBox. The risk of having data leakage through sites like DropBox is just too great for a company like ours.

Q. What impact were these issues having on your business?

I would get lots of requests to download from sites like DropBox. For example, someone would say, “I need to download this file from this location,” and I would say “We’ll set up a folder so the person can upload to our site.” We need to get our users to educate the people that they work with from third-party companies to do things a bit differently, and that’s where the problem lies.

To send files, our staff was resorting to clunky measures, like encrypting and sharing files via SD cards, USB drives, CD-Rs, email attachments and an assortment of unsecured web-based file sharing applications.

Q. In a day and age where IT can only address the top issues facing your business, what made this something that had to be dealt with?

Because we are regulated, we like to monitor everything that is going in and out of the business, especially confidential and financial data. We’re trying to work towards ISO 27,000 on compliance, which is what all of our information security policies are based around.

Q: What impact has Managed File Transfer had on your business?

I think what’s most important to someone in my position anyways is visibility of what’s coming and having the ability to monitor. It has given me a warm fuzzy feeling that I can see what’s going in and out of the company and I can monitor people’s usage of the solution. From an IT perspective, it is definitely a best practice to use a commercial MFT solution rather than rely on something based on open source.

More and more people are using it rather than resorting to “old-fashioned” and insecure methods of saving to disk or USB. Staff in legal, claims, development, and training departments use it quite a lot, and we use it extensively in the IT department.

In my last post, I covered the first two steps in a proven four-step plan for ensuring a smooth implementation. Here I cover the final two steps of this blueprint for success.

3) Release to Production – This step is usually coupled with step 2 and iterated for each process. As I said, most successful file transfer implementations will break down and group business processes and then slowly build them up into the new system. Like any product, there is a learning curve with managed file transfer and the more you use it, the easier and faster it is to bring new processes and partners on board.

Some tips to ensure success:

  • Keep lines of communication open between the person implementing the solution, network administrators and partners so there is visibility into the new process.
  • Gather as much information up front as possible, like usernames, passwords and host information.
  • Always check with your network administrator to make sure the file transfer system will have access to the endpoints to avoid disruptions in processes that rely on file transfer. Though this type of issue is usually discovered in Step 2, it can crop up again since the production system is usually on a different network than the test network.

4) Debugging and Troubleshooting – Inevitably something will go wrong, whether it’s a failed connection or a file that was not received. This is where it’s helpful to use a file transfer system that logs and audits everything. Being able to trace connections and see login information is incredibly useful, as it allows you to drill down into the root cause of issues. Many times, file transfer is interrupted due to a network hiccup and simply trying the transfer again will resolve the problem. Other times, a system has changed a host key and that key needs to be accepted or exchanged before the process can resume. And if you still can’t isolate the issue, it’s nice to know there is a friendly support staff ready to assist if needed. I should know – that’s where I started!
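The two failure modes described above call for different handling: a network hiccup can be retried automatically, while a changed host key should stop the job until someone confirms the new key with the partner. The sketch below is an added example, not code from the original post or from any Ipswitch product; the class and function names, the scripted stand-in server and the sample keys are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

class TransientNetworkError(Exception):
    """Connection dropped or timed out; retrying is reasonable."""

class HostKeyChanged(Exception):
    """The server presented a key that differs from the pinned one."""
    def __init__(self, presented_fp):
        super().__init__("host key changed")
        self.presented_fp = presented_fp

def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint (hex) of the raw public key bytes."""
    return hashlib.sha256(public_key).hexdigest()

@dataclass
class TransferJob:
    host: str
    filename: str
    pinned_fp: str                      # fingerprint trusted for this partner
    audit: list = field(default_factory=list)

    def log(self, event, **details):
        # Every attempt and decision lands in the audit trail.
        self.audit.append({"host": self.host, "file": self.filename,
                           "event": event, **details})

def run_with_policy(job, attempt_transfer, max_retries=3, sleep=lambda s: None):
    """Retry transient failures with backoff; never retry past a key change."""
    for attempt in range(1, max_retries + 1):
        try:
            attempt_transfer(job)
        except TransientNetworkError as exc:
            delay = 2 ** (attempt - 1)
            job.log("transient_failure", attempt=attempt,
                    error=str(exc), retry_in_s=delay)
            sleep(delay)
        except HostKeyChanged as exc:
            job.log("host_key_changed", attempt=attempt,
                    pinned=job.pinned_fp, presented=exc.presented_fp)
            return "needs_key_verification"
        else:
            job.log("transfer_ok", attempt=attempt)
            return "ok"
    job.log("gave_up", attempts=max_retries)
    return "failed"

def accept_new_host_key(job, presented_fp, fp_from_partner):
    """Re-pin only when the presented key matches what the partner
    confirmed through a separate channel (phone, ticket, signed notice)."""
    if presented_fp != fp_from_partner:
        job.log("host_key_rejected", presented=presented_fp)
        return False
    job.log("host_key_accepted", old=job.pinned_fp, new=presented_fp)
    job.pinned_fp = presented_fp
    return True

def make_scripted_server(script, server_key):
    """Constructed stand-in for a partner endpoint: checks the pinned key,
    then plays back the outcomes listed in `script`."""
    outcomes = iter(script)
    def attempt(job):
        if fingerprint(server_key) != job.pinned_fp:
            raise HostKeyChanged(fingerprint(server_key))
        if next(outcomes) == "timeout":
            raise TransientNetworkError("connection timed out")
    return attempt

def demo():
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    job = TransferJob("sftp.partner.example", "claims.csv", fingerprint(old_key))
    # Network hiccup: two timeouts, then the retry succeeds.
    r1 = run_with_policy(job, make_scripted_server(["timeout", "timeout", "ok"], old_key))
    # Partner rotated its host key: the job halts instead of retrying.
    r2 = run_with_policy(job, make_scripted_server(["ok"], new_key))
    presented = job.audit[-1]["presented"]
    # Operator compares against the fingerprint the partner sent separately.
    accepted = accept_new_host_key(job, presented, fingerprint(new_key))
    r3 = run_with_policy(job, make_scripted_server(["ok"], new_key))
    return r1, r2, accepted, r3, [e["event"] for e in job.audit]

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The audit list doubles as the trace the paragraph recommends: it records which attempts failed, why, and who-approved-what for any key change.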

So there you have it – a blueprint for a successful implementation of a file transfer solution. What roadblocks have you run up against in your file transfer deployments? Any additional best practices to share?

Convenience stores are the fast way for folks on the road to run in, grab what they need and be off to the next stop in their busy days. But when a regional convenience store chain known for its speedy service found itself spending as much as 6 hours to recover from fairly frequent failures of DVR servers used to help secure its stores, they gave Ipswitch’s network monitoring division a call.

For a couple of years, the chain’s network services staff had responded to DVR server failures by pulling a technician away from whatever work was assigned for the day and having him or her drive to a store to reimage the machine. Each trip meant a half day or more wasted out of the office to perform less than 10 minutes of actual onsite work to reimage the machine and reboot. Adding insult to injury, the fully burdened cost per incident topped $2500. Meanwhile, an important security asset was offline for hours at a time.

That’s when the chain’s IT director called Ipswitch and asked if we could make his IT life a little more, well, convenient. He told us that one of the other solutions he looked at before calling would cost $75 per device. We offered a less costly alternative which included WhatsUp Gold. The IT director chose it for its ability to:

  • Quickly and accurately assess problems before they compromised store security
  • Monitor all SNMP devices in the stores, including security cameras
  • Automatically solve recurring problems like failing DVR servers
  • Stay on top of everything; anytime, anywhere by monitoring from a console, through a web interface, even from a mobile device

We told him that WhatsUp Gold, driving an inexpensive network appliance, could accomplish the same result for a fraction of the cost.

Now, one week after install, when one of the DVRs goes down, WhatsUp Gold “sees” the problem immediately and instantly kicks off a script to tell the appliance to automatically re-image the DVR. The result? Productivity is up now that nobody in network services needs to drop everything and jump in a car for hours at a time. Savings are up too: nearly $2500 per incident.

Now that’s convenient.

‘Tis the season for Holiday decorating—from wreaths to reindeers to those pesky strings of Christmas lights. You know the ones I’m talking about—multiple strings connected to each other and wrapped across each other in a hodge-podge way. Difficult to untangle, to say the least. Imagine being asked to troubleshoot that tangled mess, if a single light goes out amongst the hundreds of lights.

Now picture the ways files transfer in, out and within your organization. What would it take to pinpoint why a single critical file didn’t arrive at its intended destination, when it was supposed to, amongst the tens or hundreds of thousands of transfers?

We can’t help bring order to your holiday decorations, but in the file transfer world we can offer this timely webinar: “Move Away from the Tangled, Digital “Do-It-Yourself” Approach to File Transfer.”

Tune in to hear three IT professionals from the Florida Department of Health and NHS Wales, along with Derek Brink – Vice President, Research Fellow, IT Security at Aberdeen Group – discuss the steps IT departments are taking to prevent their file transfer processes from turning into unmanageable messes. Our panel will also discuss how the world of file transfer is changing based on heightened audit, compliance and business process requirements across industries.

To complete a successful file transfer project, you need to put a plan in place.

Cutting over to any new software is daunting, but by following a proven methodology – or blueprint – if you will, you can pave the way for success.

The biggest issue I see come up is wanting to move everything over “as-is” into a new solution in a short amount of time. It’s completely understandable – usually file transfer is just one aspect of a very busy administrator’s day – however, it’s paramount to set the expectation that to be successful, you need to put a plan in place. In this first of a two-part post, I cover the first two steps in a proven four-step plan for ensuring a smooth implementation.

  1. Research and Preparation – Moving one or several processes over to a new system requires some strategy and thought. First, research which processes will be transitioned over to the new file transfer project. Make sure to meet with key stakeholders as you come up with the list. It’s a good idea to focus on some small to medium processes to move over first.
    At the same time, this is an opportunity for some spring cleaning – to eliminate unused processes, and make other processes more efficient. Because this is a tedious exercise, it should be done well in advance of the actual implementation.
    The most successful implementations I’ve seen are those done in phases instead of via a large cut-over that is bound to be stressful and problematic. Whether you stage it by business unit or by specific process, breaking down the implementation into smaller chunks will equate to a successful and seamless implementation.
  2. Implementation and Testing – Once the preparation is done, implementing is typically a straightforward process. It’s good to be familiar with the product and also have someone on the project team knowledgeable about current processes. However, when that’s not the case, you need to figure out the relevant processes and translate them into the new product. With custom scripts this can be quite daunting, which is why it’s helpful to use a product that includes integration points and scripts to make things easier.
    It is crucial to test the system before putting it into production and making changes to avoid any SLA (Service Level Agreement) violations. Most partners will provide test files to ensure a successful test. Both the partner and the administrator should be aware of tests to make sure no test files are processed that could disrupt a production business process. Normally during a test, files are transferred or received and both parties acknowledge the successful receipt and also what should happen after a successful transmission, for example a file is archived or deleted.

In my next post, I’ll cover steps three and four of this proven methodology.