File Transfer Direct

With the ever increasing amount of internal and external business that your organization now conducts electronically, there comes an ever increasing security risk. New processes are forever being introduced into the business environment as progress in hardware and software marches on. With the increasing popularity and ease of electronic storage and transfer, public interest in the safety and integrity of sensitive data is intense, and public awareness of data breaches is at an all-time high. The requirement for you to reassure your customers and the public that you are handling data both securely and responsibly matters not only for your reputation but is critical to demonstrating Information Assurance and Compliance.

IN GENERAL, COMPLIANCE MEANS CONFORMING TO A SPECIFICATION OR POLICY, STANDARD OR LAW THAT HAS BEEN CLEARLY DEFINED.

You must meet minimum standards of security in order to instil confidence in the way you handle your data. Such standards may be:
•    Internally set by corporate policy,
•    A codification of best practices that is adopted by your industry and recognized by external customers,
•    Enshrined in law, hence Regulatory Compliance.

Whatever standards bind your company, they are subject to change as the challenge of providing satisfactory levels of security increases. If you are not prepared to manage these risks you will not be able to attract new business, and may lose existing business or reputation to compliant competitors. Companies that understand Compliance stand to gain the most competitive advantage.

Some examples of industry and regulatory standards that may impact on your business:
•    Health Information Portability (HIPAA)
•    Federal Information Processing Standardization 140 (FIPS)
•    Sarbanes Oxley (SOX)
•    Financial Instruments and Exchange Law
•    J-SOX (a variant of SOX)
•    International Convergence of Capital Measurement and Capital Standards - A Revised Framework (BASEL II)
•    Payment Card Industry Data Security Standard (PCI DSS)
•    Gramm-Leach-Bliley Act (GLBA)
•    Standards for The Protection of Personal Information of Residents of the Commonwealth
•    Data Protection Act 1998 (DPA)
•    Medicines and Healthcare products Regulatory Agency (MHRA)
•    European Union Directive on Data Privacy (EU Directive)
•    ISO2xxxx (for example ISO 27001, Information Security Management System)
•    CoCo (Code of Connection to Government Connect Secure Extranet)
•    NGN 224 (NGN Telecoms Service Assurance)

ARE YOU COMPLIANT?

As seen in the list above, which is by no means exhaustive, there is a minefield of standards. Which ones apply depends on your industry, on the country your business operates in, or, in the case of international trade, on the countries you do business with. A whole industry has grown up around this, with large organizations employing entire departments to ensure Compliance. The standards can be exacting: for example, the MHRA Orange Guide Book runs to 448 pages. Guidelines may apply to real-world generic processes rather than being specific to automated electronic workflows. Only highly technical Compliance Officers or external auditors may be able to judge whether you are compliant or not. And for traditional working processes, as opposed to Managed File Transfer solutions, each process will have to be examined separately and rated against all of your Compliance targets.

Financial institutions, for example, have used methods like tape backup, DVDs, network storage, FTP, email, and even instant messaging (IM) to move data internally and externally. While convenient, they fail to deliver security, efficiency, or reliability, all of which are critically important to today's financial organizations.

•    Tapes, DVDs, laptops, and USB storage can be lost or stolen, compromising the data they hold, especially if it is unencrypted. They are also at the mercy of unscrupulous users.
•    Standard FTP does not include strong authentication or encryption, so both file contents and user credentials cross the network in clear text, where anyone able to observe that traffic can read them.
•    Email and IM are unencrypted and have no method for ensuring data integrity. They offer no guaranteed delivery and no robust auditing.

MANAGED FILE TRANSFER SOLUTIONS BUILT WITH SPECIFIC COMPLIANCE STANDARDS IN MIND

Any MFT solution worth its salt will have been built with security measures that satisfy and exceed the minimum levels set out in the standards above. Because MFT coordinates the whole process of moving data, there is no need to test and certify several diverse channels separately. It will have been designed with Compliance in mind and rigorously compared against the required ideal. As well as built-in security, there will be in-depth auditing. An ideal compliant MFT solution should include:

•    High level data encryption methods, to protect data in transit and at rest
•    Secure auditable access and secure auditable administration
•    A clear audit trail of files accessed and moved
•    Non-repudiation of files: what was accessed/copied/uploaded/sent is provably what was received/downloaded/opened/saved
•    Workflow monitoring and automation
•    High reliability and availability

HOW DOES AN MFT SOLUTION PROTECT DATA?

An ideal compliant MFT solution will look after your data using industry-recognized security methods, covering encryption, certificate-based authentication and integrity checking. When considering a product, ensure that it comes with the security measures required by the Compliance standard you are trying to adhere to. If it does not come with them already built in, all may not be lost: the security you require may be available as an optional module. Some vendors package some of their security measures as modules, recognizing that not every feature is required by every type of business. You need to know which of the following security measures are required to make you compliant, and then ensure that any potential product contains, or is compatible with, that security:

•    SSL/TLS transport security with certificate-based authentication
•    SSH (Secure Shell) based transfer
•    PGP encryption
•    AS1/AS2/AS3 protocols
•    AES/DES encryption
•    SHA-1 hashing for integrity checking
•    FIPS 140-2 validated encryption

Again, this is not an exhaustive list, but it includes some of the most common security-related terms you are likely to hear when considering Compliance and MFT.

In conclusion

Compliance can be a minefield, with many standards that you may have to meet in order to satisfy the public, the industry at large or government departments. The first requirement is that you understand fully, as a business, which standards apply to you. Whether you have a dedicated compliance department or are solely responsible for Compliance yourself, take the time to understand what the relevant standards demand of you. Are you handling and moving data securely, and are you ensuring the integrity of that data? Remember that the traditional methods you are using may have been secure in the past, but are not likely to be any more. A Managed File Transfer solution will enable you to coordinate all your data transfers securely and with integrity, ensuring you adhere to the set standards. You will have gained knowledge of the security protocols and encryption standards expected of you, and will be able to see with minimum fuss, by comparing vendors and solutions, whether a proposal satisfies your Compliance needs.


For your FREE 30-day evaluation or a one-to-one web demo, please visit http://www.handd.co.uk or call HANDD Business Solutions on +44 (0) 845 643 4063.
