Ipswitch Blog

Compliance and File Transfer: Common Regulations and Security Requirements

| December 16, 2013 | Compliance, Financial, Healthcare

RuleBookStackResizeIncreasingly, organizations need to comply with one or more regulations. If you are in this situation, you can satisfy auditors or regulators by proactively establishing measurable and repeatable policies and procedures to ensure effective access control. In my last post, I outlined three steps to achieve effective access control. Here I will cover common regulations, who is affected, and common file transfer security requirements.

Healthcare Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HIPPA-HITECH)

  • Who: Any organization – including hospitals, clinics, insurance brokers, and physician practices – that transmits or maintains health information.
  • Requirements: Organizations and their business associates must ensure that all file transfer containing personal health information is secured and that the sender and recipients are properly verified.

Sarbanes-Oxley (SOX)

  • Who: Companies that are publicly registered on US stock exchanges (e.g., NYSE, NASDAQ). Holds executives personal accountable for violations. Increased penalties for corporations with >$75 million in market capitalization.
  • Requirements: All companies must establish ‘internal controls’ on financial information and obtain an auditor’s opinion on management’s assessment. Encryption of financial information during file transfer is required to ensure data integrity.


  • Who: Companies that are publicly registered on Japanese stock exchanges.
  • Requirements: Management must provide an assessment of its internal control over its financial reporting and obtain an auditor’s opinion on management’s assessment. . Encryption of financial information during file transfer is required to ensure data integrity.


  • Who: Banks, insurance firms, and other financial institutions. Sets international standards for banking regulators to control how much capital banks need to put aside to guard against financial and operational risks.
  • Requirements: Firms must protect their IT networks and associated data as part of reducing operational risk. This includes safeguarding data (such as through encryption), file transfers, and operator interaction, to name a few.

Personal Credit Information – Data Security Standard (PCI-DSS)

  • Who: PCI DSS applies to all entities involved in payment card processing (e.g., credit, debit, prepaid cards, etc.) – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
  • Requirements: Secure storage and transmission of cardholder data against unauthorized disclosure, protection again malware, and other threats to the integrity of the cardholder data.

International Trade in Arms Regulation (ITAR) & Export Administration Regulations (EAR)

  • Who: US-based companies whose products fall under either the ITAR’s United States Munitions List (USML) of restricted articles and services or EAR’s Commerce Control List (CCL) of regulated commercial items, including those items that are so-called ‘dual-use’ or have both commercial and military applications.
  • Requirements: Establish protocols to prevent the disclosure or transfer of sensitive information to a foreign national.

The Data Protection Act of 1998

  • Who: Organizations or individuals based in the United Kingdom (UK).
  • Requirements: Organizations must establish policies and procedures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage, of personal data.

In my next post, I’ll cover three steps your organization can take to further address your compliance requirements, so check back soon!


Preventing Alarm Storms

Preventing Alarm Storms from Striking Your Network and Distracting You

Implementing Compliance for Data Privacy in Regulated Industries

Free Webinar: Implementing Compliance for Data Privacy in Regulated Industries

Leave a Reply

Your email address will not be published. Required fields are marked *

David Jackson

This post was written by David Jackson

David Jackson is responsible for product line management and strategy for Analytics and Reporting. His broad skill-set includes general management, new product introduction, product lifecycle management, Agile/Scrum and security. Dave has introduced a series of new and innovative products which has generated over a billion dollars of product sales while with VideoIQ, Tyco/American Dynamics, E Ink, The MathWorks, and Analog Devices. His approach is to create easy to use solutions for complex problems. Dave has spent his time driving global and multi-channel sales channels and creating new markets/categories at start-ups and multinational organizations. Dave has a B.S. from Boston University in International Management and a MBA from Boston College.