

by Greg Shields
Being a service that’s fundamentally related to security, a discussion on managed file transfer isn’t complete without a look at compliance regulations. To this point, the discussion has related to the high-level requirements of compliance in general: monitor users, protect data, and secure log files.
Yet although these high-level requirements are effectively global to all compliance regulations, the actual guidance in each can range from vague to very specific. Also, verifying compliance is an activity that depends on the compliance auditor. This final article in the series does not necessarily attempt to be the absolute answer for your compliance needs, nor does it attempt to be a primer on compliance regulations. Rather, it will discuss some of the known guidance from four areas of compliance: the Sarbanes-Oxley Act (SOX) for publicly-traded companies, the Health Insurance Portability and Accountability Act (HIPAA) for healthcare patient data, the Payment Card Industry Data Security Standard (PCI-DSS) for organizations that receive payment cards, and the Gramm-Leach-Bliley Act (GLBA) for the banking and finance industry. It will also attempt to relate the regulations to how they can impact the selection and use of a managed file transfer solution.
Sarbanes-Oxley (SOX)
SOX sets standards for corporate reporting and disclosure. Applicable to any publicly-traded company, this wide-sweeping yet relatively vague (in terms of IT standards) regulation forces IT organizations to monitor the actions of their users, generate audit trails of those actions, and prevent leakage of sensitive data. Four sections of SOX are of particular concern in relation to managed file transfer solutions.
Section 105: Investigations and Disciplinary Hearings
This section requires the Board of a firm that is involved in an investigation or disciplinary action to retain all documents and information related to that action. The section scopes this data to that which is “confidential and privileged as an evidentiary matter,” with sanctions being imposed for failure to supervise proper auditing. A managed file transfer solution can be used as a mechanism to transfer data to inappropriate persons, so the management of auditing as well as the correct configuration of rights and permissions must be governed to meet this requirement.
Section 302: Corporate Responsibility for Financial Reports
This section requires financial officers to sign and attest to the accuracy of the company’s financial statements. This becomes important when data is moved around an environment using a managed file transfer solution: the movement of that data must be tracked in an auditable database that can be reported on and verified.
Section 404: Management Assessment of Internal Controls
This section requires management to test the effectiveness of their internal controls as well as the processes and information systems that surround those controls. Once again, auditing and enforcement of internal controls are critical here. Ensuring that data is transferred in accordance with best practices and that its movement and the actions of users are logged is critical.
Section 409: Real-Time Issuer Disclosures
This section requires firms to disclose in a timely manner information that pertains to material changes in operations. This includes information about the systems that collect this information and are under the control of IT. Those systems must remain available, capable of tracking the activities of users, and able to store their data in an auditable format.
Health Insurance Portability and Accountability Act (HIPAA)
Unlike SOX, which relates to all publicly-traded companies, HIPAA is primarily concerned with the protection of electronic patient health information (ePHI). It embodies a series of administrative, technical, and physical controls that are intended to secure and protect ePHI.
Although HIPAA includes several regulations that have no impact on IT, HIPAA’s “Final Rule” (45 CFR 164) relates highly to the role of information security. It discusses how medical information must be protected against accidental or malicious disclosure. It does this through the requirement of documented evidence that security policies exist and are being followed. Six regulations are of primary importance to managed file transfer solutions.
45 CFR 164.312(d)
The system will verify that the person or entity seeking access to ePHI is the one claimed.
Here, the use of authentication credentials such as username/password combinations as well as smartcard or other biometric solutions assures the identity of the user. Strong passwords, automatic expiry of passwords, and other mechanisms of password enforcement are useful for fulfilling this requirement.
45 CFR 164.312(a)(1), (2), and (3)
The system will allow access only to those persons or software programs that have been granted access rights. It will assign unique IDs for identifying and tracking users. It will terminate sessions when inactive.
A solution that meets this requirement will ensure the granular access of users to only the resources they need, including the policy-based application of business rules.
45 CFR 164.312(e)(2)(ii)
The system will encrypt ePHI during transit.
Obviously, any managed file transfer solution that will be used in the healthcare industry will support the enforced encryption of data as it is transferred from source to target.
45 CFR 164.312(c)(1), (2), & (e)(2)(i)
The system will implement technical controls to protect ePHI from improper alteration or destruction until it is disposed of.
A system that fulfills this requirement will include the necessary integrity controls such as file hashing, integrity checking, and deletion prevention to ensure that data remains available until it is no longer needed and that data is not changed in transit or while at rest.
45 CFR 164.308(a)(7)(ii)
The system will establish and implement procedures to create and maintain retrievable exact copies of ePHI and procedures to restore any loss of data.
The guidance in this regulation requires a system to include features that maintain availability. That availability can be assured through load balancing or clustering of the server itself as well as through per-transfer features such as restarting of interrupted file transfers, segmentation of transfers, compression, synchronization, and/or alerting.
45 CFR 164.308(a)(5)(ii)(c) & 164.312(b)
The system must implement technical controls that record and examine activity in information systems that contain ePHI as well as procedures for monitoring logins and reporting discrepancies.
The primary requirement here relates to the auditing of user logins and actions, along with the storage of that log data in an auditable format such as a central repository.
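The integrity controls of 164.312(c) and the activity auditing of 164.312(b) lend themselves to a concrete check. The following example is added here and is not part of the original article or of any managed file transfer product: it builds a SHA-256 manifest of a source directory, verifies the transferred copies against it, and records one audit entry per file. The directory contents and the user id "svc-transfer" are constructed placeholders.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=65536):
    """Hash in fixed-size chunks so large transfers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(directory):
    """Map each file (path relative to directory) to its SHA-256 digest."""
    manifest = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, directory)] = sha256_file(full)
    return manifest

def verify_transfer(source_manifest, target_dir, user_id, audit_log):
    """Compare target files to the source manifest; one audit record per file."""
    target_manifest = build_manifest(target_dir)
    results = {}
    for rel, expected in source_manifest.items():
        actual = target_manifest.get(rel)
        status = "missing" if actual is None else "verified" if actual == expected else "altered"
        results[rel] = status
        audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user_id,
                          "action": "transfer_verify", "file": rel,
                          "sha256": expected, "status": status})
    return results

def demo():
    """Constructed scenario: copy two files, tamper with one, lose a third."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    for name, data in [("claims.csv", b"id,amount\n"), ("notes.txt", b"ok\n"), ("lab.pdf", b"%PDF")]:
        with open(os.path.join(src, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(src)                 # taken before the transfer
    shutil.copy(os.path.join(src, "claims.csv"), dst)
    shutil.copy(os.path.join(src, "notes.txt"), dst)
    with open(os.path.join(dst, "notes.txt"), "ab") as f:
        f.write(b"tampered\n")                     # simulated alteration in transit
    audit_log = []
    results = verify_transfer(manifest, dst, "svc-transfer", audit_log)
    shutil.rmtree(src); shutil.rmtree(dst)
    return results, audit_log
```

In a real deployment the audit records would be shipped to the central repository the paragraph above describes, rather than kept in a list.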
Payment Card Industry Data Security Standard (PCI-DSS)
Of the well-known regulations, it can be argued that the guidance from PCI-DSS encompasses some of the most specific. Unlike other regulations that specify that user actions must be monitored but leave the details to the auditor, PCI-DSS includes very specific guidance about what and in some cases how data should be protected.
That’s a good thing, because PCI-DSS is intended specifically for organizations that handle payment card data, such as credit cards and debit cards. Disclosure of this information can lead to identity theft or other personal loss, making PCI-DSS’s security guidance very important to the end consumer.
Twelve high-level requirements, each with its own set of sub-requirements, are outlined as part of the PCI-DSS specification (v1.2 as of this writing). Due to their specificity, each requirement’s impact on managed file transfer solutions should be clear from the language in the regulation itself:
Gramm-Leach-Bliley Act (GLBA)
The last of the common compliance regulations is GLBA, which provides guidance to the financial services industry. As with SOX and HIPAA, GLBA encompasses a wide-sweeping set of regulations that (among other things) are intended to improve customer financial services. The IT-specific element of GLBA relates to the establishment of data protection standards for consumers’ private financial data. Two statutes specifically relate to information security: The Financial Privacy Rule and The Safeguards Rule.
Although GLBA’s guidance can be considered the least specific of the major compliance regulations, its requirements generally relate to the protection of customer data and the assurance that protection measures are in place. The Financial Privacy Rule in essence governs the collection and disclosure of customers’ personal financial information. Important for managed file transfer solutions is that this rule also applies to agencies that receive this information from the financial institution. Thus, the rule can apply to any entity that works with a financial institution and may receive its data.
The Safeguards Rule requires financial institutions to design, implement, and maintain “safeguards” that protect their customer information. As with The Financial Privacy Rule, these safeguards apply to other entities that receive this customer information.
GLBA’s high-level requirements are arguably similar in charter to many of the other regulations: protect data and ensure that you’re protecting it. Its Section 501 provides guidance on the kinds of technical controls that must be implemented:
Protect, No Matter What
No matter to which of these regulations your organization must adhere, you should by now see a pattern to their requirements. Track your users as well as your administrators, protect the data that you use in tracking them, and protect your data against loss or exposure. When seeking out a solution for managed file transfer, keep these high-level recommendations in mind. In the end, you’ll appreciate the solution that verifiably fulfills the requirements up front.
About the Author
Greg Shields is an independent author, speaker, and IT consultant, as well as a Partner and Principal Technologist with Concentrated Technology. With 15 years in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture, specializing in Microsoft OS, remote application, systems management, and virtualization technologies. He is a Contributing Editor and columnist for TechNet Magazine and Redmond Magazine, and serves as the Series Editor for Realtime Publishers, the world’s leading provider of high-quality content for the IT market. Greg is a highly sought-after and top-ranked speaker for both live and recorded events, and is seen regularly at conferences like TechMentor Events, Microsoft Tech Ed, VMworld, and more. He is a multiple recipient of the Microsoft “Most Valuable Professional” award.
