Ipswitch Blog

File Transfer and Compliance: 3 Proven Steps to Ensure Effective Access Control

November 11, 2013 | Compliance, Managed File Transfer, Secure File Transfer

Surveys indicate that many companies fail IT audits of both internal company policies and external regulatory frameworks (e.g., HIPAA, PCI-DSS, ITAR). Yet avoiding such failures is critical in light of the vast number of external threats, such as the hacks that occur almost daily. At the same time, employees can pose problems, whether knowingly or not.

“Regulatory compliance describes the goal that corporations or public agencies aspire to achieve in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.” (Source: Wikipedia)

In fact, employees are both your greatest asset and your biggest threat. Problems around employee access to data can be summed up by the following CIO quotes.

  • “We have policies and procedures in place. It is up to employees to follow those policies.”
  • “I don’t think we have rogue employees.”
  • “We’re sticking our heads in the sand right now.”

Not believing or acknowledging that you have rogue employees would not be described as a best practice. As Vince Lombardi once said: “Hope is not a strategy.” Instead, proactively establishing measurable and repeatable policies and procedures is key to ensuring effective access control, especially if you must satisfy auditors or regulators. Here are three proven steps for doing just that:

1. Establish policies and procedures that focus on managing who has access to what data.
Start by identifying the regulations your company must adhere to, typically dictated by your business/legal teams. For example, retailers need to conform to the Payment Card Industry Data Security Standard (PCI-DSS), and to SOX if they are publicly traded in the US. For international companies, understanding local privacy laws and regulations is paramount. For example, UK privacy laws make it a violation to ‘export’ employee information – including LDAP or in-house employee employment data – outside of the British Isles (this pertains to something as simple as cloud storage in, say, Germany) without an explicit written release from the employee.

2. Once the ‘regs’ are identified, determine the latest version and whether and when updates are coming. For example, the current version of PCI-DSS is 2.0 and 3.0 is under development. The updates are attempting to adapt to the changing world and new cyber threats. HIPAA used to be only the concern of healthcare firms. However, with the expansion of HIPAA-HITECH’s new mandates in 2013, 2014, and 2015, most companies conducting business in the United States will need to develop and maintain privacy policies. Ignorance of the law is not a sustainable defense.

3. IT should keep track of users’ activities with a complete and easily accessible journal and audit log. In part, this is as simple as using a Managed File Transfer (MFT) solution to automatically record every user action or workflow in an auditable tamper-proof log.
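To make the “auditable tamper-proof log” of step 3 concrete, here is an added example (not code from the original post or from any Ipswitch product) of a hash-chained journal of constructed file-transfer events: every record seals the previous record’s hash, and the latest hash is kept outside the journal so that edits, reordering and truncation can all be detected by an auditor.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is stable.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(journal: list, event: dict) -> str:
    """Append one user action; return the new chain head."""
    prev = journal[-1]["hash"] if journal else GENESIS
    journal.append({"event": event, "prev": prev, "hash": _digest(prev, event)})
    return journal[-1]["hash"]

def verify(journal: list, expected_head: str):
    """Return (True, None) if intact, else (False, index of first bad record).
    Each hash covers the previous one, so editing, reordering or removing a
    record breaks every later hash; the head kept outside the journal (e.g. on
    write-once storage) also exposes a trimmed tail, reported as len(journal)."""
    prev = GENESIS
    for i, rec in enumerate(journal):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    return (True, None) if prev == expected_head else (False, len(journal))

# Constructed sample events, the kind an MFT server would record.
SAMPLE_EVENTS = [
    {"ts": "2013-11-11T09:00:00Z", "user": "alice", "action": "upload", "file": "q3.xlsx"},
    {"ts": "2013-11-11T09:05:00Z", "user": "bob", "action": "download", "file": "q3.xlsx"},
    {"ts": "2013-11-11T09:07:00Z", "user": "bob", "action": "delete", "file": "q3.xlsx"},
]

def demo():
    """Build a journal, then show that tampering and truncation are detected."""
    journal, head = [], GENESIS
    for ev in SAMPLE_EVENTS:
        head = append(journal, ev)
    intact = verify(journal, head)
    truncated = verify(journal[:2], head)  # last record dropped from the journal
    journal[1]["event"]["user"] = "carol"  # someone rewrites who downloaded the file
    tampered = verify(journal, head)
    return intact, tampered, truncated
```

Chaining alone does not stop an attacker who can rewrite the whole journal and the stored head together, which is why the head belongs on storage the MFT operators cannot silently alter.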

In my next post, I’ll outline what organizations need to know to design their MFT system to satisfy today’s and tomorrow’s regulatory requirements. Meantime, check out our white paper on how managed file transfer provides a robust compliance solution for financial services organizations.


This post was written by David Jackson

David Jackson is responsible for product line management and strategy for Analytics and Reporting. His broad skill set includes general management, new product introduction, product lifecycle management, Agile/Scrum and security. Dave has introduced a series of new and innovative products that have generated over a billion dollars of product sales while with VideoIQ, Tyco/American Dynamics, E Ink, The MathWorks, and Analog Devices. His approach is to create easy-to-use solutions for complex problems. Dave has spent his time driving global and multi-channel sales channels and creating new markets/categories at start-ups and multinational organizations. Dave has a B.S. from Boston University in International Management and an MBA from Boston College.