Surveys indicate that many companies fail IT audits of both internal company policies and external regulatory frameworks (e.g., HIPAA, PCI-DSS, ITAR). Yet avoiding such failures is critical in light of the vast number of external threats, such as the hacks that occur almost daily. At the same time, employees can pose problems, whether knowingly or not.
In fact, employees are both your greatest asset and your biggest threat. Problems around employee access to data can be summed up by the following CIO quotes.
- “We have policies and procedures in place. It is up to employees to follow those policies.”
- “I don’t think we have rogue employees.”
- “We’re sticking our heads in the sand right now.”
Not believing or acknowledging that you have rogue employees would not be described as a best practice. As Vince Lombardi once said: “Hope is not a strategy.” Instead, proactively establishing measurable and repeatable policies and procedures is key to ensuring effective access control, especially if you must satisfy auditors or regulators. Here are three proven steps for doing just that:
1. Establish policies and procedures that focus on managing who has access to what data.
Start by identifying the regulations your company must adhere to, typically dictated by your business/legal teams. For example, retailers need to conform to Personal Credit Information – Data Security Standard (PCI-DSS), and to SOX if they are publicly traded in the US. For international companies, understanding local privacy laws and regulations is paramount. For example, UK privacy laws make it a violation to ‘export’ employee information – including LDAP or in-house employment data – outside of the British Isles (this pertains to something as simple as cloud storage in, say, Germany) without an explicit written release from the employee.
2. Once the ‘regs’ are identified, determine the latest version and if or when updates are coming. For example, the current version of PCI-DSS is 2.0 and 3.0 is under development. The updates are attempting to adapt to the changing world and new cyber threats. HIPAA used to be a concern only for healthcare firms. However, with the expansion of HIPAA-HITECH’s new mandates in 2013, 2014, and 2015, most companies conducting business in the United States will need to develop and maintain privacy policies. Ignorance of the law is not a sustainable defense.
3. IT should keep track of users’ activities with a complete and easily accessible journal and audit log. In part, this is as simple as using a Managed File Transfer (MFT) solution to automatically record every user action or workflow in an auditable tamper-proof log.
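As an added illustration of the tamper-proof audit log in step 3 (example code written for this post, not any MFT product's own logging): each record is chained to the previous one with a keyed hash, so editing or deleting an entry inside the log breaks the chain and the verifier reports where. The event format, the key and the sample user actions are constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample of MFT user actions (hypothetical record format).
SAMPLE_EVENTS = [
    {"ts": "2014-03-01T09:00:00Z", "user": "alice", "action": "upload", "file": "payroll.csv"},
    {"ts": "2014-03-01T09:05:00Z", "user": "bob", "action": "download", "file": "payroll.csv"},
    {"ts": "2014-03-01T09:07:00Z", "user": "bob", "action": "delete", "file": "payroll.csv"},
]

# Placeholder key, held only by the log service: someone who can edit the
# log file but lacks the key cannot recompute valid chain entries.
LOG_KEY = b"example-log-key-replace-and-rotate-in-production"

GENESIS = "0" * 64  # "previous hash" of the very first entry


def _link_hash(prev_hash: str, event: Dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()


def append_event(chain: List[Dict], event: Dict) -> List[Dict]:
    """Append one user action, binding it to the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": dict(event), "prev": prev_hash, "hash": _link_hash(prev_hash, event)})
    return chain


def build_chain(events: List[Dict]) -> List[Dict]:
    chain: List[Dict] = []
    for event in events:
        append_event(chain, event)
    return chain


def verify_chain(chain: List[Dict]) -> int:
    """Return -1 if every link holds, else the index of the first broken entry."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != _link_hash(prev_hash, entry["event"]):
            return i
        prev_hash = entry["hash"]
    return -1
```

The chain detects edits and deletions inside the log but not removal of the newest entries; periodically recording the latest hash somewhere the log writer cannot alter closes that gap.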
In my next post, I’ll outline what organizations need to know to design their MFT system to satisfy today’s and tomorrow’s regulatory requirements. Meantime, check out our white paper on how managed file transfer provides a robust compliance solution for financial services organizations.