David Jackson

David Jackson is responsible for product line management and strategy for Analytics and Reporting. His broad skill set includes general management, new product introduction, product lifecycle management, Agile/Scrum, and security. Dave has introduced a series of new and innovative products that have generated over a billion dollars of product sales while at VideoIQ, Tyco/American Dynamics, E Ink, The MathWorks, and Analog Devices. His approach is to create easy-to-use solutions for complex problems. Dave has spent his time driving global, multi-channel sales and creating new markets and categories at start-ups and multinational organizations. Dave has a B.S. in International Management from Boston University and an MBA from Boston College.

In my last post, I covered common regulations, who is affected, and what is required from a file transfer standpoint to satisfy them. In this post, I explain three steps your organization can take to make sure your file transfers satisfy regulatory requirements.

  1. Characterize the types of file transfers your firm does as part of its day-to-day business.
    Most firms depend on file transfers to get work done. For example, healthcare organizations send patient billing information to Medicare, financial firms confirm equity trades, and airlines schedule delivery of on-board food with their vendors. The first two are required by law to use secure file transfers and to keep an audit log of activity. The third isn't covered by any regulation, but best practice is still to secure the information being exchanged.
  2. Craft policies and procedures to ensure your file transfer activities are in compliance.
    Lay out your workflows, focusing on the data and file transfers identified in step one above. Where is your data at risk? When undertaking your planning, addressing and defending against both internal and external threats is a critical part of the process. Hackers make the news but rogue employees can potentially cause damage over extended time frames and across your firm’s entire operations.
  3. Educate your people on the why’s and how’s of the policies and procedures.
    Many companies fall short on the operational execution of regulatory compliance. A significant cause of failure is poor communication. People respect policies when they understand their purpose, what they are defending against, and the consequences of failure. For example, companies with dual-use technology governed by ITAR can lose their ability to export, or to do business at all, if their products are sold to restricted countries. Imagine the impact on your organization if you lost 100% of your non-US revenue. Moreover, the responsible individuals could go to jail, and substantial monetary fines apply on top. Or consider a retailer that exposes its customers' credit card information. The real impact is not the financial penalty; the potentially devastating impact is the loss of existing and future customers who no longer trust the firm's brand and reputation.

In addition to spelling out the potential consequences of non-compliance, reinforce the use of existing file-transfer workflows, assuming you have designed these with compliance in mind.

Ensuring compliant file transfers
By taking these three practical steps, you can minimize the likelihood that your company’s file transfers will put the organization at risk of non-compliance with both internal policies and external requirements.

In addition, Managed File Transfer (MFT) makes it easier to address compliance requirements across a variety of regulations. MFT protects sensitive information while it is in transit. Leading MFT solutions also enforce robust user access control, so only those who should see sensitive data can. And they keep a journal of activities and historical audit logs. Together these features let firms demonstrate governance around who has access to private data (e.g., credit card information) and show who accessed what, and when.

We welcome any other suggestions for ensuring compliance when it comes to file transfers. Share your thoughts in the comments!

Increasingly, organizations need to comply with one or more regulations. If you are in this situation, you can satisfy auditors or regulators by proactively establishing measurable and repeatable policies and procedures that ensure effective access control. In my last post, I outlined three steps to achieve effective access control. Here I cover common regulations, who is affected, and the file transfer security requirements they share.

Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health Act (HIPAA-HITECH)

  • Who: Any organization – including hospitals, clinics, insurance brokers, and physician practices – that transmits or maintains health information.
  • Requirements: Covered entities and their business associates must ensure that every file transfer containing protected health information (PHI) is secured (encrypted in transit) and that the sender and recipients are properly authenticated.

Sarbanes-Oxley (SOX)

  • Who: Companies publicly listed on US stock exchanges (e.g., NYSE, NASDAQ). Holds executives personally accountable for violations; companies with a public float above $75 million (accelerated filers) face additional auditor attestation requirements.
  • Requirements: All companies must establish 'internal controls' over financial reporting and obtain an auditor's opinion on management's assessment. SOX does not name specific technologies, but encrypting financial information and verifying its integrity during file transfer are the usual ways to demonstrate those controls.

J-SOX

  • Who: Companies publicly listed on Japanese stock exchanges.
  • Requirements: Management must provide an assessment of its internal control over financial reporting and obtain an auditor's opinion on that assessment. As with SOX, encrypting financial information and verifying its integrity during file transfer are the usual ways to demonstrate those controls.

Basel II & Basel III

  • Who: Banks and other deposit-taking institutions supervised under the Basel framework, which sets international standards for how much capital banks must hold against financial and operational risk.
  • Requirements: Firms must protect their IT networks and associated data as part of reducing operational risk. This includes safeguarding data (for example through encryption), securing file transfers, and controlling operator interaction, to name a few.

Payment Card Industry Data Security Standard (PCI DSS)

  • Who: PCI DSS applies to all entities involved in payment card processing (credit, debit, prepaid cards, etc.), including merchants, processors, acquirers, issuers, and service providers, and any other entity that stores, processes, or transmits cardholder data.
  • Requirements: Secure storage and transmission of cardholder data against unauthorized disclosure (including strong encryption whenever it crosses open, public networks), protection against malware, and defenses against other threats to the integrity of cardholder data.

International Traffic in Arms Regulations (ITAR) & Export Administration Regulations (EAR)

  • Who: US persons and companies whose products or technical data fall under either the ITAR's United States Munitions List (USML) of restricted articles and services or the EAR's Commerce Control List (CCL) of regulated commercial items, including so-called 'dual-use' items with both commercial and military applications.
  • Requirements: Establish controls that prevent the disclosure or transfer of controlled technical data to foreign persons, whether abroad or within the US (a 'deemed export'), including through file transfers and shared storage.

The Data Protection Act 1998

  • Who: Organizations and individuals based in the United Kingdom (UK) that process personal data.
  • Requirements: Organizations must take appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss, destruction of, or damage to personal data.

In my next post, I’ll cover three steps your organization can take to further address your compliance requirements, so check back soon!


Surveys indicate that many companies fail IT audits against both internal company policies and external regulatory frameworks (e.g., HIPAA, PCI DSS, ITAR). Avoiding such failures is critical in light of the steady stream of external threats, with publicized breaches occurring almost daily. At the same time, employees can pose problems, whether knowingly or not.

“Regulatory compliance describes the goal that corporations or public agencies aspire to achieve in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.” (Source: Wikipedia)

In fact, employees are both your greatest asset and your biggest threat. Problems around employee access to data can be summed up by the following CIO quotes.

  • “We have policies and procedures in place. It is up to employees to follow those policies.”
  • “I don’t think we have rogue employees.”
  • “We’re sticking our heads in the sand right now.”

Refusing to believe or acknowledge that you may have rogue employees is not a best practice. As Vince Lombardi once said: "Hope is not a strategy." Instead, proactively establishing measurable and repeatable policies and procedures is key to ensuring effective access control, especially if you must satisfy auditors or regulators. Here are three proven steps for doing just that:

1. Establish policies and procedures that focus on managing who has access to what data.
Start by identifying the regulations your company must adhere to, typically determined by your business and legal teams. For example, retailers must conform to the Payment Card Industry Data Security Standard (PCI DSS) and, if they are publicly traded in the US, to SOX. For international companies, understanding local privacy laws and regulations is paramount. For example, the UK Data Protection Act 1998 restricts transferring personal data, including employee records such as LDAP directory or HR data, to countries outside the European Economic Area unless adequate protection or another lawful basis such as the employee's explicit consent is in place; this affects decisions as simple as which country your cloud storage is hosted in.

2. Once the regulations are identified, determine the latest version and if or when updates are coming. For example, at the time of writing the current version of PCI DSS is 2.0 and 3.0 is under development; each revision tries to keep pace with a changing world and new cyber threats. HIPAA used to concern only healthcare firms. However, with the HIPAA-HITECH changes phased in from 2013 onward, business associates and their subcontractors that handle protected health information are directly liable, so many companies outside healthcare now need to develop and maintain privacy and security policies. Ignorance of the law is not a sustainable defense.

3. IT should keep track of users' activities in a complete and easily accessible journal and audit log. In part, this is as simple as using a Managed File Transfer (MFT) solution to automatically record every user action or workflow in an auditable, tamper-evident log: one that lets you prove after the fact that entries have not been altered or removed.
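The journaling that step 3 calls for, and the activity journal and audit log credited to MFT solutions elsewhere on this page, can be made tamper-evident with a small amount of code. What follows is an added example, not the author's code or any MFT product's implementation: a hash-chained, HMAC-keyed audit journal of file-transfer events, with a verifier that reports the first altered, missing, or reordered record and a query that answers the auditor's "who accessed what, and when". The journal key, event fields, and sample events are constructed for the example; in a real deployment the key would be held by the audit function (an HSM, a secrets manager, or a separate log server), not by the operators whose actions it records.

```python
"""Hash-chained, keyed audit journal for file-transfer events (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical per-installation journal key (constructed for this example).
# Real deployments keep it out of reach of the operators being audited.
JOURNAL_KEY = b"example-journal-key-do-not-use-in-production"

# Tag that the first entry chains to; any fixed, publicly known value works.
GENESIS = "0" * 64


def canonical(event: dict) -> bytes:
    """Serialize an event deterministically so it always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class AuditJournal:
    """Append-only journal where each record commits to the one before it."""
    key: bytes
    entries: List[dict] = field(default_factory=list)

    def _tag(self, prev_tag: str, event: dict) -> str:
        # HMAC over (previous tag || canonical event). Changing, dropping or
        # reordering any earlier record invalidates every tag after it, and
        # without the key a rogue admin cannot recompute the chain.
        return hmac.new(self.key, prev_tag.encode() + canonical(event),
                        hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, path: str, ts: str, **extra) -> dict:
        """Record one file-transfer action (UPLOAD, DOWNLOAD, DELETE, ...)."""
        event = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "action": action, "path": path, **extra}
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        record = {"event": event, "prev": prev, "tag": self._tag(prev, event)}
        self.entries.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            # Sequence number and back-pointer catch deletions and reordering.
            if rec["prev"] != prev or rec["event"].get("seq") != i:
                return i
            # Recomputed HMAC catches edits to the event body or to the tag.
            if not hmac.compare_digest(rec["tag"], self._tag(prev, rec["event"])):
                return i
            prev = rec["tag"]
        return None

    def who_accessed(self, path: str) -> List[Tuple[str, str, str]]:
        """The auditor's question: who touched this file, doing what, and when?"""
        return [(r["event"]["ts"], r["event"]["actor"], r["event"]["action"])
                for r in self.entries if r["event"]["path"] == path]


def sample_journal() -> AuditJournal:
    """Build a journal from constructed sample events (not real transfers)."""
    j = AuditJournal(JOURNAL_KEY)
    j.append("alice", "UPLOAD", "/phi/billing-2013-09.csv", "2013-09-30T16:01:12Z", size=48213)
    j.append("bob", "DOWNLOAD", "/phi/billing-2013-09.csv", "2013-10-01T08:14:55Z")
    j.append("bob", "DELETE", "/phi/billing-2013-09.csv", "2013-10-01T08:20:03Z")
    return j


def demo() -> dict:
    """Show that the intact chain verifies and that two kinds of tampering are caught."""
    j = sample_journal()
    intact = j.verify()                      # None: nothing wrong
    # Rogue admin rewrites history: the DELETE becomes a harmless READ.
    j.entries[2]["event"]["action"] = "READ"
    edited = j.verify()                      # 2: first bad record
    # Rogue admin instead removes the DOWNLOAD record entirely.
    j2 = sample_journal()
    del j2.entries[1]
    deleted = j2.verify()                    # 1: back-pointer/seq mismatch
    return {"intact": intact, "edited": edited, "deleted": deleted,
            "accessors": sample_journal().who_accessed("/phi/billing-2013-09.csv")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain alone only proves consistency; it is the key that makes it evidence, since anyone who can read the key can rewrite the journal and re-sign it. Keep the key (or a periodically published checkpoint of the latest tag) with a party who does not operate the transfer system, and run `verify()` on a schedule rather than only when an auditor asks.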

In my next post, I’ll outline what organizations need to know to design their MFT system to satisfy today’s and tomorrow’s regulatory requirements. Meantime, check out our white paper on how managed file transfer provides a robust compliance solution for financial services organizations.