Data Security Standards Background
Technology evolves continuously, resulting in potentially faster processing daily which has led to a work environment driven by this continuous evolution. Gone are the times when we only had to secure physical media, now we are now forced to manage online processes, and their associated security, including the movement and placement of data – File Transfer.
No longer can data in transit be assumed to be secure and today it is imperative to overtly secure that data as it is not only the smart thing to do, it is also required to comply with the many different laws that govern the processing and storage of personal information. Failure to comply with these laws can and does have significant financial and perception issues for corporations in the event of a breach.
The Data Protection act of 1998, commencing on March 1st, 2000, was introduced to control how the information of UK citizens is used by organizations, businesses or the government.
Everyone responsible for using data has to follow strict rules called ‘data protection principles’ that ensure the information is:
- used fairly and lawfully
- used for limited specified purposes and should not be used beyond the scoped of these stated purposes
- used in a way that is adequate, relevant and not excessive relative to the purposes they were collected for
- accurate and current where appropriate
- kept for no longer than is necessary its stated purpose
- handled in accordance with the rights of the individual to which the information pertains
- be kept safe and secure and protected from unauthorized or unlawful processing or destruction of personal data
- not be transferred outside the European Economic Area without adequate protection
The principal outlined within the Data Protection Act, applicable to the implementation of secure file transfer provisions states that:
“Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
UK law demands that all organizations must ensure that appropriate security is in place for the storage and processing of personal data.
Federal Information Processing Standards (FIPS) are a series of standards, specifying the best practices and security requirements that IT products must satisfy, to be acceptable for use by Federal Government agencies and contractors. The process of FIPS validation ensures that technology products are rigorously tested to be considered secure enough to deal with sensitive data.
FIPS 140 defines the requirements and standards that must be met by cryptographic modules (components) used in computer hardware and software solutions. The complexity of the deployment of IT solutions has resulted in the scope of cryptographic requirements imposed by FIPS being broken down into eleven distinct areas and four security levels. They are as follows:
- Documenting cryptographic component specification.
- Flow of information across ports and interfaces, both inbound and outbound
- Defining access roles and authentication
- Finite state model (documentation of the high-level states the module can be in, and how transitions occur).
- Physical security (resistant to physical as well as environmental tampering).
- Operating system environment.
- Cryptographic key management (creation, generation, output, storage and destruction of keys).
- EMI/EMC (electromagnetic interference/electromagnetic compatibility).
- Self-tests (what and how often to test and recourse).
- Design assurance documentation.
- Documentation to mitigation of other attacks.
GDPR, or General Data Protection Regulation, is new to the EU from May 25th, 2018. It specifies guidelines for collecting, handling and using personal data. The regulations reinforce individuals’ rights, to give them back control, with the goal of restoring confidence and strengthening the EU internal market.
While the GDPR is extremely lengthy, containing 99 articles relating to all aspects of data protection, the key messages are summarized below:
Data Protection by Design and by Default. Effective data protection practices and safeguards must be built from the very beginning of all processing, in the design phase. The default collection mode must be to gather only the personal data that is necessary for a specific purpose.
Data Protection Principles. Personal data must be processed according to the six data protection principles of transparency, legitimacy, relevance, necessity, accuracy and with appropriate security, integrity and confidentiality.
Data Storage, Accessibility and processing. Requires a governance structure, implementing appropriate measures to secure personal data, as well as regular audits.
Data Protection Impact Assessments (DPIA). These are required for high-risk processing operations, documenting the information flow, identifying the data protection and related risks and the proposed solutions to protect the data or eliminate the risks.
Lawful Processing. There needs to be a lawful basis for any processing of personal data, such as direct consent from the individual, protecting the interests of the individual, legal obligations of the organization and necessity for public interest.
Consent. Obtaining consent must follow strict guidelines. It must be freely given, specific, informed and unambiguous, and can be withdrawn at any time. Silence should not be considered as consent.
Enhancement of individuals rights. Individuals have the right to object, have inaccurate information corrected, and have personal information erased in certain cases.
Subject access request (SAR). A data subject has the right to request all personal data held by a data controller pertaining to that subject through subject access requests.
Data Portability. Individuals have the right to move personal data from one service provider to another.
Privacy Notices. Privacy notices must be provided in a concise, transparent and easily accessible form, using clear and plain language.
Data transfers outside the EU. Personal data may only be transferred out of the EU where the EU has designated a country as providing an adequate level of data protection or through corporate binding rules or through compliance with an approved certification mechanism, e.g. EU-US Privacy Shield.
The Gramm-Leach-Bliley Act of 1999, also known as The Financial Modernization Act, details regulations that financial institutions must adhere to, to protect the personal data of individuals. The GLBA’s privacy protections only regulate financial institutions – businesses that are engaged in banking, insuring, stocks and bonds, financial advice, and investing.
Gramm-Leach-Bliley Rules and Provisions
The privacy requirements set out in GLBA are broken down into three distinct elements:
- The Financial Privacy Rule.
- The Safeguards Rule.
- Pretexting Provisions.
The Financial Privacy Rule. Requires financial institutions to provide each consumer with a privacy notice explaining the information collected about the consumer, and where and how it will be used and shared. The notice must also identify the consumer’s right to opt out of the information being shared.
The Safeguards Rule. Requires financial institutions to develop a written information security plan describing its processes and procedures for protecting clients’ personal data.
The Pretexting Provisions. GLBA requires those governed by the law, to implement adequate provisions to safeguard against Pretexting, accessing private information using false pretenses
What are the implications of Gramm-Leach-Bliley in terms of file transfer?
To comply with GLBA when transferring sensitive data, financial institutions must ensure that:
- personal information is not transmitted to unauthorized recipients
- document delivery and receipt are enforced through company-defined policies
- they provide detailed logs and audit trails of who accesses personal data
HIPAA, the “The Health Insurance Portability and Accountability Act” is a US federal law regulating the protection and privacy of sensitive, patient health care information. Proposed in 1996 by Congress, HIPAA was finally brought into enforcement by the Department of Health and Human Services (DHHS) in 2001.
HIPAA was designed to improve, “the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.”
The HIPAA regulations established standards and procedures within the realm of health information transmission. The regulations had two goals:
- to improve the accessibility of health care information
- to protect patients’ rights to privacy of this information.
HIPAA is comprised of several rules which serve to aid organizations (and individuals) in maintaining compliance standards and safeguard sensitive information:
Privacy– Protects patient records and personal health related information, including plans, clearinghouses and all other health record keeping entities that utilize electronic data transfer systems.
Security– Ensures integrity, confidentiality and security of patient health records by requiring specific physical, technical and administrative safeguards prior to electronic transmission of records.
Breach Notification– Requires those covered under HIPAA to advise patients when a security breach of their unsecured health information has occurred.
The Enforcement Rule– Imposes financial and criminal penalties on all organizations, businesses and other health care related entities that fail to adhere to the rules and regulations.
What are the implications of HIPAA in terms of file transfer?
To ensure compliance with HIPAA in terms of large file transfer, Healthcare organizations must:
- Protect the privacy of all PHI (Protected Healthcare Information) that is stored or transmitted electronically
- Implement policies, procedures and technical measures to protect networks, computers and other electronic devices from breach.
- Update business systems and technology to ensure they provide protection of patient data, using a file transfer solution that supports the HIPAA requirements.
ISO 27001 is an international standard published by the International Standardization Organization (ISO), that describes how to manage information security in a company. The latest revision of this standard was published in 2013, and its full title is now ISO/IEC 27001:2013. The first revision of the standard was published in 2005, and it was developed based on the British standard BS 7799-2.
ISO 27001 provides a methodology for the implementation of information security management in an organization.
ISO 27001 Standards
The ISO 27001 standard is an optional certification that provides a structured approach when implementing an Information Management System. Most of the ISO 27001 implementation outlines setting the organizational rules that are needed to prevent security breaches. Since such implementation will require multiple policies, procedures, people, assets, etc. to be managed, ISO 27001 has described how to fit all these elements together in the information security management system (ISMS).
ISO 27001 that management with an organization must:
- set their business expectations (objectives) for information security
- publish a policy on how to control whether those expectations are met
- designate main responsibilities for information security
- provide enough money and human resources
- regularly review whether all the expectations were really met
What are the implications of ISO 27001 in terms of secure file transfer?
For organizations that have adopted the ISO 27001 Information Security Management standard, implementation of any secure file transfer solution must adhere to the implemented IMS. Specific attention should be paid to sections A.10.8 Exchange of information, A.10.9 Electronic commerce services and A.10.10 Monitoring to ensure they have the features required to meet the IMS standards.
The Sarbanes Oxley Act of 2002 came about because of the corporate financial scandals involving major corporations. Effective since 2006, all publicly-traded companies are required to implement and report internal accounting controls to the SEC for compliance. In addition, certain provisions of Sarbanes-Oxley also apply to privately-held companies.
The Sarbanes-Oxley Act not only affects the financial side of corporations, but also IT departments charged with storing a corporation’s electronic records. The act is not a set of business practices and does not specify how a business should store records, rather, it defines which records should be stored and for how long. SOX states that all business records, including electronic records and electronic messages, must be saved for “not less than five years.”
Sarbanes Exley (SOX) contains 11 titles, detailing specific actions and requirements that must be adopted for financial reporting. The most significant of these titles in terms of data transfer is section 404 which states companies governed by SOX are required to:
- publish information in their annual reports, regarding the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, including the scope and adequacy.
- include an assessment of the effectiveness of internal controls.
What are the implications of SOX in terms of file transfer?
Public accounting companies must implement secure file transfer processes that ensure:
- that all financial data, including audit logs, is recorded
- access to financial data by unauthorized users is regulated
- movement of data is tracked