Data Security Standards
The continuing evolution of computer systems has given rise to a predominantly technology-driven work environment. The transition from physical, paper-based procedures to online processes has changed the way in which we, as a society, approach the issue of data security, including secure file transfer.
Organisations that process and store what would be classed as ‘Personal Information’ (e.g. financial status, race, sexual orientation, health etc.) are now subject to stringent governmental controls, legislation and standards. If these companies choose not to comply with applicable laws, not only will they have to tackle the loss of customer trust when data is leaked, but severe financial penalties will also be incurred.
Please select the relevant title to find out more regarding some of the most high profile security standards enforced in the US and UK.
UK Data Security Standards
The Data Protection Act
The Data Protection Act of 1998 was brought into force on March 1st 2000. Introduced to give UK citizens the right to access personal information held by ‘data controllers’ (any individual within an organisation handling personal data) within the United Kingdom, the Data Protection Act also details principles concerning the way in which this sensitive data is managed.
There are eight core principles covered under the Data Protection Act. These are as follows:
- Personal data should be processed fairly and lawfully.
- Data should only be obtained for specified purposes and should not be further processed in a manner incompatible with these purposes.
- Personal data should be adequate, relevant and not excessive in relation to the purposes for which they were collected.
- Personal data should be accurate and where necessary kept up to date.
- Personal data should not be kept longer than is needed for its intended purpose.
- Personal data should be processed in accordance with the rights of the individual whom the information concerns.
- Appropriate measures should be taken against unauthorised or unlawful processing or destruction of personal data.
- Personal data should not be transferred outside the European Economic Area (the EU states plus Liechtenstein, Iceland and Norway).
The principle outlined within the Data Protection Act that applies to the implementation of secure file transfer provisions is the seventh principle. Its interpretation states that:
“Having regard to the state of technological development and the cost of implementing any measures, the measures MUST ensure a level of security appropriate to – the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle AND the nature of the data protected.”
Therefore all organisations governed by UK law must ensure that adequate safeguards are in place for the storage and processing of personal data.
Our specialists at Pro2col can help you to source and implement a secure file transfer solution to suit your business requirements and align the processing of data, in accordance with The Data Protection Act. Please contact us on 0333 123 1240 for more information.
International Data Security Standards
ISO 27001 is a standard for Information Security Management Systems (ISMS), published in October 2005 by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC).
Essentially an updated version of the old BS7799-2 standard, ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within an organisation. Taking into consideration a specific organisation’s overall perceived risk, it details requirements for the implementation of security controls, suited to the needs of individual businesses.
Many organisations will have information security controls in place, but what many are lacking (and what ISO 27001 covers) is the need for a management approach to these controls.
ISO 27001 Standards
The ISO 27001 standard is an optional certification that provides a structured approach to implementing an Information Security Management System. If an organisation takes the decision to adopt this standard, the specific requirements stipulated by ISO 27001 must be followed, as auditing and compliance checks will be made.
ISO 27001 requires that management within the organisation must:
- Systematically assess the organisation’s information security risks, taking account of the threats, vulnerabilities and impacts.
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that it deems unacceptable.
- Adopt an all-encompassing management process to ensure that the information security controls continue to meet the organisation’s information security needs on an ongoing basis.
What are the implications of ISO 27001 in terms of file transfer?
If your organisation has adopted the ISO 27001 Information Security Management standard, you must ensure that any file transfer solution purchased will adhere to your implemented ISMS.
Our specialists at Pro2col can help you to source and implement an ISO 27001 certified, secure file transfer solution to suit your business requirements. Please contact Pro2col on 0333 123 1240 for more information.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI Security Standards Council is an open global forum formed in 2006 by the five founding global payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
A global security standard, PCI DSS comprises 12 comprehensive requirements designed to enhance the security of cardholder data. The most pertinent of these requirements in terms of large file transfer are:
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
- Requirement 6: Develop and maintain secure systems and applications.
- Requirement 9: Restrict physical access to cardholder data.
- Requirement 10: Track and monitor all access to network resources and cardholder data.
Companies that do not comply with PCI DSS are liable to incur operational and financial consequences enforced by the individual payment brands.
Alternatively, if you’d like to find out more about the secure file transfer solutions in our portfolio that will help you to achieve PCI compliance, please contact Pro2col on 0333 123 1240.
US Data Security Legislation
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is the abbreviation of ‘The Health Insurance Portability and Accountability Act’. It is a US federal law governing the protection and privacy of sensitive patient health care information. Proposed in 1996 by Congress, HIPAA was finally brought into enforcement by the Department of Health and Human Services (HHS) in 2001.
The objective of HIPAA is to encourage the development of an effective health information system. Likewise, the standards introduced must strike a balance between efficiently transmitting health care data to ensure quality patient care, whilst enforcing all necessary measures to secure personal data. This goal was achieved by establishing a set of standards relating to the movement and disclosure of private health care information.
HIPAA incorporates administrative simplification provisions, designed to help with the implementation of national standards. As such, HIPAA is broken down into 5 core rules and standards. The HHS assigned government bodies, such as the OCR (Office for Civil Rights) and CMS (Centers for Medicare & Medicaid Services), to organise and enforce these rules and standards. The OCR was assigned to administer and enforce the Privacy Rule and, more recently, the Security Rule. CMS implements and governs electronic data interchange (EDI), including the Transactions and Code Set Standards, the Employer Identification Standards and the National Identifier Standard.
HIPAA Rules and Standards
Privacy Rule: Addresses the appropriate safeguards required to protect the privacy of personal health information. It assigns limits and conditions concerning the use and disclosure of personal information held by healthcare organisations or any other businesses affiliated with these organisations.
Security Rule: The Security Rule complements the Privacy Rule but focuses specifically on Electronic Protected Health Information (EPHI). It defines three processes where security safeguards must be implemented to ensure compliance: administrative, physical, and technical.
Transactions and Code Set Standards: In this instance, the term ‘transactions’ refers to electronic exchanges involving the transfer of information between two parties. HIPAA requires the implementation of standard transactions for Electronic Data Interchange (EDI) of health care data. HIPAA also adopted specific code sets for diagnoses and procedures to be used in all transactions.
Employer Identification Standards: HIPAA requires that employers have standard national numbers that identify them on all transactions: the Employer Identification Number (EIN).
National Identification Standards: All healthcare organisations that qualify under HIPAA legislation and use electronic communications must use a single identification number, the National Provider Identifier (NPI), on all transactions.
What are the implications of HIPAA in terms of file transfer?
To ensure compliance with HIPAA in terms of large file transfer, healthcare organisations must:
- Protect the privacy of all individually identifiable health information that is stored or transmitted electronically.
- Limit disclosures of protected health information whilst still ensuring efficient, quality patient care.
- Enforce stringent requirements for access to records.
- Implement policies, procedures and technical measures to protect networks, computers and other electronic devices from unauthorised access.
- Put in place business associate agreements with business partners that safeguard their use and disclosure of PHI.
- Update business systems and technology to ensure they provide adequate protection of patient data.
Our specialists at Pro2col can help you to source and implement a HIPAA compliant, secure file transfer solution to suit your business requirements. Please contact us on 0333 123 1240 for more information.
Sarbanes Oxley (SOX)
The Sarbanes Oxley Act is a US federal law, enacted on 30th July 2002, governing financial reporting and accountability processes within public companies. The legislation was brought into force as a safeguard following a succession of corporate accounting scandals involving a number of high profile organisations. These companies purposefully manipulated financial statements, costing investors billions of dollars.
Sarbanes Oxley (SOX) contains 11 titles detailing specific actions and requirements that must be adopted for financial reporting, ranging from corporate board responsibilities to the criminal penalties incurred as a consequence of non-compliance. The most significant provision in terms of data transfer is Section 404.
Sarbanes Oxley Standards
Section 404 states that companies governed by SOX are required to:
- Publish information in their annual reports, stating the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, detailing the scope and adequacy.
- Include an assessment of the effectiveness of internal controls.
What are the implications of SOX in terms of file transfer?
In order to provide this information and ensure compliance with US law, public accounting companies must implement large file transfer processes that:
- Accurately record all financial data, including audit logs.
- Regulate access to, and prevent modification of, financial data by unauthorised users.
- Track the activity of data as it crosses application and organisational boundaries.
Our specialists at Pro2col can help you to source and implement a SOX compliant secure file transfer solution to suit your business requirements. Please contact us on 0333 123 1240 for more information.
The Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act of 1999, also known as the Financial Modernisation Act, details regulations that financial institutions must adhere to in order to protect consumers’ financial information. The GLBA governs all financial institutions that hold what is classed as ‘personal data’, including insurance companies, securities firms, banks, credit unions and retailers providing credit facilities.
Gramm-Leach-Bliley Rules and Provisions
The privacy requirements set out in GLBA are broken down into three distinct elements: the Financial Privacy Rule, the Safeguards Rule and the Pretexting Provisions.
The Financial Privacy Rule – Governs the collection of consumers’ private financial data by financial institutions, and also by companies that deal with such information. It requires all financial institutions to provide privacy notices to their customers prior to the establishment of a relationship. Such privacy notices should also detail the institution’s information sharing practices and give consumers the right to limit the sharing of their information in certain instances.
The Safeguards Rule – Requires all financial institutions to document and implement a security plan that protects the confidentiality of their customers’ personal data.
The Pretexting Provisions – Pretexting refers to the use of false pretences in order to gain access to non-public personal information, e.g. impersonating an account holder on the phone to obtain personal details. GLBA requires those governed by the law to implement adequate provisions to safeguard against pretexting.
What are the implications of Gramm-Leach-Bliley in terms of file transfer?
In order to comply with GLBA when transferring sensitive data, financial institutions must:
- Prevent the transmission and delivery of files and documents containing non-public personal information to unauthorised recipients.
- Enforce document delivery and receipt through enterprise-defined policies.
- Provide detailed logs and audit trails of content access, authorisation and use.
Our specialists at Pro2col can help you to source and implement a GLBA compliant, secure file transfer solution to suit your business requirements. Please contact Pro2col on 0333 123 1240 for more information.
Federal Information Processing Standards (FIPS)
Federal Information Processing Standards (FIPS) are a series of standards outlining the requirements that IT products must satisfy to be acceptable for use by US Federal government agencies and contractors. Developed by the National Institute of Standards and Technology (NIST), the process of FIPS validation ensures that technology products are rigorously tested and deemed sufficiently secure to deal with sensitive data.
There are a number of different FIPS standards, including 186-2 (Digital Signature Standard), 190 (Guideline for the Use of Advanced Authentication Technology Alternatives) and 197 (AES), but by far the most significant standard in terms of secure data transfer is FIPS 140.
FIPS 140 defines the requirements and standards that must be met by cryptographic modules (components) used in computer hardware and software solutions. As IT solutions are used in different departments and environments, the scope of the cryptographic requirements imposed by FIPS 140 has been broken down into eleven distinct areas and four increasing, qualitative security levels. The eleven areas are as follows:
- Cryptographic module specification (what must be documented).
- Cryptographic module ports and interfaces (what information flows in and out, and how it must be segregated).
- Roles, services and authentication (who can do what with the module, and how this is checked).
- Finite state model (documentation of the high-level states the module can be in, and how transitions occur).
- Physical security (tamper evidence and resistance, and robustness against extreme environmental conditions).
- Operational environment (what sort of operating system the module uses and is used by).
- Cryptographic key management (generation, entry, output, storage and destruction of keys).
- EMI/EMC (electromagnetic interference/electromagnetic compatibility).
- Self-tests (what must be tested and when, and what must be done if a test fails).
- Design assurance (what documentation must be provided to demonstrate that the module has been well designed and implemented).
- Mitigation of other attacks (if a module is designed to mitigate specific attacks, its documentation must say how).
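The self-tests and finite state model areas above are the two a practitioner is most likely to meet in code, so here is an added illustration of how they fit together; it is not Pro2col's code and not an extract from any validated module. The wrapper runs power-on known-answer tests (KATs) against fixed vectors (the SHA-256 values are the FIPS 180 examples for the empty string and "abc", the HMAC vector is RFC 4231 test case 1) and refuses every service until those pass; a failing test puts it into an error state it never leaves. The class, state names and the `digest`/`mac` services are assumptions for the example, not FIPS terminology.

```python
"""Power-on self-tests and a minimal finite state model, in the spirit of the
FIPS 140 'self-tests' and 'finite state model' areas (illustration only)."""
import hashlib
import hmac

# Known-answer vectors: published values, so a wrong digest here means the
# algorithm implementation (or its binary) has been altered or is broken.
KNOWN_ANSWERS = {
    "sha256": [
        (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
        (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ],
    "hmac-sha256": [
        # RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There"
        ((b"\x0b" * 20, b"Hi There"),
         "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    ],
}


class ModuleError(Exception):
    """Raised when a service is requested outside the operational state."""


class CryptoModule:
    """Assumed wrapper: states POWER_OFF -> SELF_TEST -> OPERATIONAL | ERROR."""

    POWER_OFF = "power_off"
    SELF_TEST = "self_test"
    OPERATIONAL = "operational"
    ERROR = "error"

    def __init__(self, known_answers=KNOWN_ANSWERS):
        self.state = self.POWER_OFF
        self.known_answers = known_answers
        self.failed_test = None  # name of the first KAT that failed, if any

    def power_on(self):
        """Run every KAT; any mismatch locks the module into ERROR."""
        self.state = self.SELF_TEST
        for name, vectors in self.known_answers.items():
            for inp, expected in vectors:
                got = self._compute(name, inp)
                if not hmac.compare_digest(got, expected):
                    self.state = self.ERROR
                    self.failed_test = name
                    return self.state
        self.state = self.OPERATIONAL
        return self.state

    def _compute(self, name, inp):
        """Evaluate the named algorithm on a KAT input (used only by self-tests)."""
        if name == "sha256":
            return hashlib.sha256(inp).hexdigest()
        if name == "hmac-sha256":
            key, msg = inp
            return hmac.new(key, msg, hashlib.sha256).hexdigest()
        raise ValueError(f"no self-test defined for {name}")

    def _require_operational(self):
        # The ERROR state is terminal: only a fresh power_on() can leave it,
        # and that re-runs the self-tests.
        if self.state != self.OPERATIONAL:
            raise ModuleError(f"service refused: module state is {self.state}")

    def digest(self, data):
        self._require_operational()
        return hashlib.sha256(data).hexdigest()

    def mac(self, key, data):
        self._require_operational()
        return hmac.new(key, data, hashlib.sha256).hexdigest()


def demo():
    """Healthy module serves requests; one with a corrupted KAT table never does."""
    good = CryptoModule()
    good.power_on()
    # Constructed failure: the expected value has been tampered with.
    corrupted = {"sha256": [(b"abc", "00" * 32)]}
    bad = CryptoModule(corrupted)
    bad.power_on()
    return good.state, bad.state, bad.failed_test


if __name__ == "__main__":
    print(demo())
```

The point of routing every service through `_require_operational` is that the self-test result is enforced by construction rather than by a flag the caller is trusted to check; that is the behaviour an auditor looks for under the self-tests area, and the state table is what the finite state model area asks to be documented.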
If you are purchasing a FIPS validated solution, you can rest assured that the product has been rigorously tested and is physically secure enough to protect your sensitive data.
Our specialists at Pro2col can help you to source and implement a FIPS validated, secure file transfer solution to suit your business requirements. Please contact Pro2col on 0333 123 1240 for more information.