Pixelated FTP

The State Employee Credit Union (SECU) of North Carolina has a mission to provide the best possible online financial services to its 2 million members.  As a result, the IT team at SECU has created an IT environment that focuses on speed, reliability and security.

Yet, the IT team had serious problems transferring data between different systems and locations. They relied on scripts patched together with custom software, and the results were predictably lacking. Robert Skinner, the team lead of distributed systems at SECU, knew a change had to come.

Robert eventually discovered Ipswitch’s MOVEit platform and used it to modernize how SECU updates and moves data across multiple systems and locations.

A Productive and Secure IT Infrastructure

Robert knew that improving how SECU transferred critical data would allow employees to respond quickly to SECU’s members. His department works with other teams that have to move files internally and externally. A productivity increase in distributed systems means an increase throughout the entire infrastructure.

Secure Data Transfer Detrimental to Sales

Robert examined the workflows of other departments, particularly when and how they need to transfer data. One workflow that he knew could improve was home loan closing, where delays in data exchange can affect sales. He set out to reduce the cost and total time it took for mortgage closing and refinancing.

Still, before Robert was capable of improving the home loan closing process directly, it was vital to understand the challenges and limitations of the current system.

Faced with Challenges and Limitations

SECU faced unique challenges when it came to securely and reliably transferring data between systems and locations:

  • The existing method made use of custom scripts and FTP servers, creating an unreliable way to transfer important data to FTP clients
  • SECU must meet compliance standards that require that data is protected and moved securely, along with upholding SECU’s own risk management and IT security policies
  • Disaster recovery had to be a priority

“The level of compliance that we live up to requires that all data be protected, be securely moved, as well as have an audit trail of when things are moved and who touches different pieces of what information,” Robert said.

Knowing the importance of meeting compliance standards and how speed and reliability could improve workflow, Robert set out to find a tool to get the job done.

File Management That Emphasizes Cyber Security

Once Robert discovered Ipswitch’s MOVEit File Transfer Server and MOVEit Central – a file management software suite that emphasizes security and ease of use – he knew his search was over. MOVEit now allows Robert and his team to streamline the process of moving data across locations and systems. The suite had other benefits:

  • MOVEit File Transfer is an externally facing environment for securely transferring documents and files. Using an interface similar to modern consumer cloud products, SECU required little training to make use of MOVEit DMZ
  • MOVEit Central moves files between MOVEit File Transfer and SECU’s secure internal network, creating a useful audit trail and ongoing security
  • SECU’s business processes now have increased response times and decreased processing times, which creates improved services and reduces overhead costs
  • MOVEit Central satisfies the need for a disaster recovery environment
  • SECU now uses workflow automation that allows for centralization and control of which accounts are moving files, along with which files are moving between servers

ROI from a Streamlined FT Program

Robert used MOVEit File Transfer to dramatically improve home loan closing, a process that involves external lawyers. Instead of having to physically send and receive documents, which often pushed critical deadlines, the lawyers can now download and upload documents and easily make deadlines.

The lawyers and SECU employees receive alerts when documents are ready, substantially reducing the processing time for home loan closing.

“We’re able to complete transactions, not have people sit around waiting for something. They know, they got an email, the file is here, now they can go ahead and process this,” Skinner reports.

SECU is now capable of saving members $100,000 per month by using MOVEit File Transfer and MOVEit Central. How are they saving so much? Robert dives into deeper detail in his presentation at Ipswitch Innovation Summit 2015.

Ask anyone who has worked in technology and you’ll get an instant look of recognition when you mention “alphabet soup” – a phrase used to refer to an abundance of industry acronyms. Every industry has them, and the file transfer space is obviously no exception.

Of course, it pays to know the lingo. So over the next few weeks, we’ll be highlighting a few essential terms that everyone in the file transfer space should know about. To start, we’re going to focus on a few terms specific to the financial services industry.

Let’s take a closer look:

  • PCI – Payment Card Industry. If you’ve ever bought a product online or given your credit card information to secure a service via a computer, you have invariably operated under the auspices of this organization. In order to make sure that transaction happens securely, this industry sets the standards.
  • PCI DSS – PCI Data Security Standard. This acronym identifies the rules. Once you are in a PCI-regulated environment, you will find that specific rules and specifications exist to ensure that all transactions are safe. Aside from security, there are a number of comprehensive protocols, standards and measurements that are required in order to successfully meet the compliance requirements.
  • ROC – Report on Compliance. This term is basically just what it says it is: an official written report of the compliance process that is achieved by adhering to the standards outlined by the PCI. Specific details of the PCI qualification process, unique characteristics and requirements of the individual application are found in this document, which serves as a template for qualification. Typical entries include Executive Summary, Description of Work, Environment, Reporting Procedures, Statistics, and Observations.
  • QSA – Qualified Security Assessor. A QSA is an auditor or provider that has been qualified by the PCI Council to serve as an implementer of the PCI standards. Qualified Security Assessors are employees of these providers who have been qualified and certified by the Council to validate an entity’s adherence to the PCI DSS.
  • DMZ – Demilitarized Zone. A safe zone, essentially. This is a hosted area or a small secure network that serves as an intermediary or neutral location between the end user and the provider. This “zone” prevents unauthorized access to the secure servers that process the actual transactions and store the credit card information, for example. Outside users can only access as far as the DMZ and no further.
  • PII – Personally Identifiable Information. Any time a transaction that requires credit card numbers, Social Security numbers, phone numbers or other sensitive data occurs, a verification process must occur. Secret code words, symbols and unique individual identifiers are typical requests during a PII transaction.
  • MFT – Managed File Transfer. MFT systems provide a central system to manage the transfer of files and data (including sensitive and confidential transaction information) between the financial institution and its extended ecosystem of partners, suppliers and transaction handlers. This includes integrating with other systems and vendors with multiple configurations and access controls. MFT systems are a key cog in enabling a financial organization with file transfer automation and auditing to support PCI compliance.

We hope to have shed some light on a few key terms relating to financial file transfers. If there are other terms you’d like explained in clear, concise language, be sure to let us know in the comments section.

Increasingly, organizations need to comply with one or more regulations. If you are in this situation, you can satisfy auditors or regulators by proactively establishing measurable and repeatable policies and procedures to ensure effective access control. In my last post, I outlined three steps to achieve effective access control. Here I will cover common regulations, who is affected, and common file transfer security requirements.

Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HIPAA-HITECH)

  • Who: Any organization – including hospitals, clinics, insurance brokers, and physician practices – that transmits or maintains health information.
  • Requirements: Organizations and their business associates must ensure that all file transfers containing personal health information are secured and that the sender and recipients are properly verified.

Sarbanes-Oxley (SOX)

  • Who: Companies that are publicly registered on US stock exchanges (e.g., NYSE, NASDAQ). Holds executives personally accountable for violations. Increased penalties for corporations with >$75 million in market capitalization.
  • Requirements: All companies must establish ‘internal controls’ on financial information and obtain an auditor’s opinion on management’s assessment. Encryption of financial information during file transfer is required to ensure data integrity.

J-SOX

  • Who: Companies that are publicly registered on Japanese stock exchanges.
  • Requirements: Management must provide an assessment of its internal control over its financial reporting and obtain an auditor’s opinion on management’s assessment. Encryption of financial information during file transfer is required to ensure data integrity.

BASEL-II & BASEL-III

  • Who: Banks, insurance firms, and other financial institutions. Sets international standards for banking regulators to control how much capital banks need to put aside to guard against financial and operational risks.
  • Requirements: Firms must protect their IT networks and associated data as part of reducing operational risk. This includes safeguarding data (such as through encryption), file transfers, and operator interaction, to name a few.

Payment Card Industry – Data Security Standard (PCI-DSS)

  • Who: PCI DSS applies to all entities involved in payment card processing (e.g., credit, debit, prepaid cards, etc.) – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
  • Requirements: Secure storage and transmission of cardholder data against unauthorized disclosure, protection against malware, and other threats to the integrity of the cardholder data.

International Trade in Arms Regulation (ITAR) & Export Administration Regulations (EAR)

  • Who: US-based companies whose products fall under either the ITAR’s United States Munitions List (USML) of restricted articles and services or EAR’s Commerce Control List (CCL) of regulated commercial items, including those items that are so-called ‘dual-use’ or have both commercial and military applications.
  • Requirements: Establish protocols to prevent the disclosure or transfer of sensitive information to a foreign national.

The Data Protection Act of 1998

  • Who: Organizations or individuals based in the United Kingdom (UK).
  • Requirements: Organizations must establish policies and procedures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

In my next post, I’ll cover three steps your organization can take to further address your compliance requirements, so check back soon!