In a recent webinar, “What’s the Future of Your FTP?”, I looked at the key regulatory compliance features within file transfer solutions. Requirements for protecting data being transferred internally or externally vary, but there are commonalities across industry regulations, national and state laws, and security specs.
I identified the ISO 27001 control groups relevant to file transfer and mapped them to the following regulations: PCI DSS, HIPAA (section 164), SOX, Basel II/III, and FFIEC (Exam Handbook Page). The right file transfer technology can help organizations satisfy requirements across a range of controls, including policy, access control, encryption, and business continuity.
Risk Assessment Justifies Expenditures
A risk assessment will help prioritize organizational weaknesses and justify technology expenditures to best meet critical needs. Your risk assessment will likely identify:
- Types of data that require protection such as personally identifiable information or corporate financial data
- Common vulnerabilities, like a lack of encryption or no confirmation that a transferred file was received
- Typical risks associated with file transfers such as transfer failures, data loss, or data breach
Your next step might be to identify the biggest risks for your infrastructure. Then assess and rank identified risks. Finally, define mitigating controls for the highest priority risks.
The Most Useful Managed File Transfer Technology Features
Consider what managed file transfer can do (below) to identify cost-effective mitigation controls for your prioritized risks. When weighing the relative importance of each feature, consider ease of use (for both administrators and end users) and the ability to integrate with other systems.
- Authorization, authentication and access control: Consider the need for non-repudiation, single sign-on, and integration with directory and identity services such as Active Directory/LDAP or a SAML identity provider.
- Logging and reporting: Implement a centralized, scalable repository for automated report generation and distribution, and protect end-user access to logs and reports.
- Encryption: For encryption in transit and at rest, consider AES-256 encryption and SHA-512 file integrity checks. Use TLS instead of SSL protocols, since PCI DSS no longer recognizes SSL or early TLS versions as strong cryptography due to identified vulnerabilities like Heartbleed.
- File management and disposition: Use automated disposition rules, such as compressing and encrypting a file before a transfer and deleting it a specified time after the transfer.
- Data scanning: Add integration with anti-virus (AV) or data loss prevention (DLP) solutions.
- Policy enforcement: Dictate and enforce password policies, lockout rules, and alerts/notifications.
- Failover and disaster recovery: Use single-server failover and automated failover to remote locations in order to meet zero-downtime SLAs and to prevent data loss.
- Client flexibility: Support FTP clients, email clients, and web browsers.
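The encryption bullet above, as an added example that is not part of the webinar or any vendor's product: a Python client context that refuses SSL and early TLS (the PCI DSS floor), shown beside the weak no-floor setting an audit should flag, plus a chunked SHA-512 integrity check of a received file. The FTPS host and credentials in `connect_ftps` are hypothetical placeholders, and the sample file is constructed inline.

```python
import hashlib
import hmac
import ssl
import tempfile
from ftplib import FTP_TLS
from pathlib import Path

def legacy_context() -> ssl.SSLContext:
    """Weak setting an audit should flag: no protocol floor, so TLS 1.0/1.1
    can still be negotiated with an old server."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

def hardened_context() -> ssl.SSLContext:
    """Client context that refuses SSL and early TLS (the PCI DSS floor)
    and keeps certificate validation on."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def tls_floor_is_enforced(ctx: ssl.SSLContext) -> bool:
    """Compliance check: nothing below TLS 1.2, server certs verified."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED)

def sha512_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a large transfer never has to fit in memory."""
    digest = hashlib.sha512()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_integrity(path: Path, expected_hex: str) -> bool:
    """Compare the received file to the digest the sender published; a
    mismatch means truncation or tampering, so hold the file."""
    return hmac.compare_digest(sha512_of_file(path), expected_hex.lower())

def connect_ftps(host: str, user: str, password: str) -> FTP_TLS:
    """Explicit FTPS on the hardened context (hypothetical host/credentials)."""
    ftps = FTP_TLS(host, user, password, context=hardened_context())
    ftps.prot_p()   # protect the data channel too, not only control
    return ftps

def demo() -> dict:
    """Offline run against a constructed sample file (no server needed)."""
    received = Path(tempfile.mkdtemp()) / "payroll_export.csv"
    received.write_bytes(b"emp_id,amount\n1001,2500.00\n")  # constructed data
    published = sha512_of_file(received)                   # sent out of band
    return {"legacy_ok": tls_floor_is_enforced(legacy_context()),
            "hardened_ok": tls_floor_is_enforced(hardened_context()),
            "intact": verify_integrity(received, published),
            "tampered": verify_integrity(received, "00" * 64)}
```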
Watch the full webinar for more details like:
- Full list of managed file transfer technology features as options for risk mitigation controls
- Overview of recent regulatory changes
- ISO 27001 IT controls mapped to key regulations and specifications