In my last post, I covered common regulations, who is affected, and what is required from a file transfer standpoint to satisfy them. In this post, I explain three steps your organization can take to make sure your file transfers satisfy regulatory requirements.
- Characterize the types of file transfers your firm does as part of its day-to-day business.
Most firms depend on file transfers to get work done. For example, healthcare organizations send patient billing information to Medicare, financial firms confirm equity trades, and airlines schedule delivery of on-board food with their vendors. The first two are required by law to be secure file transactions with an audit log of activity. While the third transfer isn’t covered by any regulation, best practice is still to secure the information being exchanged.
- Craft policies and procedures to ensure your file transfer activities are in compliance.
Lay out your workflows, focusing on the data and file transfers identified in step one above. Where is your data at risk? A critical part of this planning is addressing and defending against both internal and external threats. Hackers make the news, but rogue employees can cause damage over extended time frames and across your firm’s entire operations.
- Educate your people on the whys and hows of the policies and procedures.
Many companies fall short on the operational execution of regulatory compliance. A significant cause of failure is poor communication. People respect policies when they understand their purpose, what they are defending against, and the consequences of failure. For example, companies with dual-use technology governed by ITAR can lose their ability to export or do business if their products are sold to restricted countries. Imagine the impact on your organization if you lost 100% of your non-US revenue. Moreover, responsible individuals could go to jail. Monetary fines of thousands of dollars are another consequence. Or consider a retailer that exposes its customers’ credit information. The real impact is not the financial penalty. The potentially devastating impact is the loss of existing and future customers who lose trust in the firm’s brand and reputation.
In addition to spelling out the potential consequences of non-compliance, reinforce the use of existing file-transfer workflows, assuming you have designed these with compliance in mind.
Ensuring compliant file transfers
By taking these three practical steps, you can minimize the likelihood that your company’s file transfers will put the organization at risk of non-compliance with both internal policies and external requirements.
In addition, you can take advantage of Managed File Transfer (MFT) to more easily address compliance issues across a variety of regulations. MFT helps ensure sensitive information is protected during transfer. Leading MFT solutions also provide robust user access control, which ensures that only those who should see sensitive data are able to. Plus, such solutions keep a journal of activities and retain historic audit logs. Together these features enable firms to meet their compliance needs by demonstrating governance over who has access to private data (e.g., credit card information) and by showing who accessed what and when.
We welcome any other suggestions for ensuring compliance when it comes to file transfers. Share your thoughts in the comments!