
Improving PCI Compliance by Understanding Common Mistakes Organizations Make during an Audit

Linoma Software, a provider of enterprise-class security and managed file transfer solutions, announced today a free webinar, "How to Improve Your PCI Compliance: Avoiding the Common Mistakes of a PCI Audit", on Wednesday, May 25, at 12:00 PM Central Time. The webinar will feature advice from Alan Sabatka and Bob Huerter of Continuum Security Solutions.

The event is intended for any organization that handles credit and debit card transaction data, and for anyone responsible for their organization's compliance with the PCI DSS (Payment Card Industry Data Security Standard). The webinar will cover:

  • The PCI audit process
  • Common misconceptions and business mistakes
  • Best practices for meeting PCI requirements

The event has been recorded and is available for on-demand viewing here.


About Continuum Worldwide

Continuum Worldwide Corporation, DBA Continuum Security Solutions, is an information security company, engaged in all phases of compliance, assessments, governance, digital forensics, and incident response. With expertise developed through decades of real-world experience, our consultants take a holistic approach to clients' risk. We help clients recognize threats, evaluate potential impacts and create individually tailored programs that transform their ability to manage exposure to future detrimental activities.


Free FTP Server and Client Helps Businesses Improve Security and Audit File Transfers

GoAnywhere MFT's integrated FTP Server and Client for automating and auditing file transfers is now available as a Free Edition of the enterprise-class Managed File Transfer solution. 

This free FTP software can be installed on a variety of platforms, including Windows, Linux, Mac OS, UNIX and IBM i, giving organizations of all sizes flexibility in where they deploy it. GoAnywhere MFT improves FTP security with features such as Active Directory (AD) authentication, granular folder permissions, password policies that satisfy PCI DSS requirements, brute-force and DoS attack monitors, and IP blacklists/whitelists.

"Legacy FTP servers are lacking the security controls, user management and detailed audit logs needed to comply with regulations like PCI DSS and HIPAA," says Bob Luebbe, Chief Architect at Linoma Software. "With the free edition, any organization can now take advantage of the comprehensive FTP features in GoAnywhere MFT."

Using the free FTP client from GoAnywhere, organizations can automate their file transfers. Scheduling transfers and scanning for new or modified files on local or remote systems reduces manual work and the risk of human error, saving time and money while improving the reliability of data delivery.

The GoAnywhere FTP server makes it possible to set access controls and generate detailed audit logs on all file transfer activity.  This offers a layer of regulatory and policy compliance to organizations currently using FTP to exchange files with trading partners.

GoAnywhere MFT is an on-premises solution that provides centralized control over data access. There are no upfront costs or renewal fees for this fully scalable FTP solution. GoAnywhere MFT can be upgraded to meet the changing needs of a business through the purchase of secure file transfer protocols, integrated Open PGP encryption, advanced workflows and in-depth reporting.

This free software installs in minutes and is available for download from the GoAnywhere website at http://www.goanywhere.com/free-ftp.


5 Signs Your Organization is Ready for MFT

Managed File Transfer Levels the Playing Field for SMB

Low-cost file transfer tools let mid-market businesses make simple data exchanges both internally and externally. As a company grows, however, trading partners begin to demand enterprise-level systems with better reliability and data security.

Managed File Transfer (MFT) emerged to reduce the cost and programming skill required to meet those customer requirements and stay competitive. According to an Info-Tech Research Group report on selecting and implementing an MFT solution, there are five signs that indicate your organization could benefit from this technology.

  1. A need for transparency and traceability in file exchange activities
  2. New business relationships mandate adherence to compliance laws and privacy regulations
  3. Traditional methods of sending data, such as FTP, aren't secure
  4. Processes need to be more agile and adapt to changing network conditions
  5. The inability to comply with government reporting requirements

MFT provides comprehensive audit trails and monitoring that document all file transfer activity. Reports generated from this data show every interaction with the files on your server in detail, so you can respond quickly to customers when problems do arise.

MFT also supplies the security and reporting tools needed to meet the strict compliance standards of highly regulated industries, including the data protection and integrity requirements found in PCI DSS, GLBA, SOX, Dodd-Frank and state privacy laws.

In light of recent high-profile data breaches, many organizations have chosen to reduce their risk by seeking alternatives to unsecured FTP. MFT gives you the flexibility to connect with trading partners using secure protocols and popular encryption methods such as SFTP, FTPS, HTTPS, AS2, Open PGP and ZIP with AES.

In addition, automation and simplified workflows offered in many MFT solutions streamline the process of adding and onboarding trading partners. Companies can reduce or eliminate time spent on manual file exchanges and interrupted file transfers, thus reducing administrative costs and assuring the timely delivery of mission-critical data.

To explore MFT further, download this useful checklist to help in your evaluation of vendors and find the best solution for your organization.


Could your FTP server pass a compliance audit?

If an auditor showed up in your office tomorrow and wanted to examine your file transfer security policies and procedures, how confident are you that your organization would earn high marks?

Take this short quiz and find out.

  1. Are you still hosting an outdated SFTP or FTP server in the public area of your network (or DMZ)?
  2. Do trading partners have access to inbound ports within your internal network to drop off or retrieve files?
  3. Are your administrative security controls granular enough to manage user access to specific files, folders and areas of the network?
  4. Can you monitor all file transfer activity and maintain detailed audit logs?
  5. Do employees have easy access to an ad hoc file transfer tool that lets them transfer files of any size, all while generating audit trails?

To find out how auditors expect you to answer these questions, don't miss our next webinar:

Get Your FTP Server Into Compliance
Thursday, July 18 at Noon Central

Linoma Software's Chief Architect Bob Luebbe will show how the GoAnywhere Services secure FTP server works with GoAnywhere Gateway to keep sensitive data and credentials in your internal network and out of the DMZ. He will also demonstrate how the two work together so you can exchange files with trading partners without opening inbound ports into your internal network.

Do your homework so you can prepare for a visit from the auditor.  Sign up today!  


How Important is Auditing Your File Transfers?

When you send someone a file via FTP, how do you know -- and later prove -- that it was successfully sent?

It might be possible to save a screenshot, as long as the process was simple and all the commands fit on a single screen. But what if your commands start getting complex? And if you start sending quite a few files every day, how do you organize all those screenshots so that you can easily retrieve proof 2 1/2 weeks from now? What about 2 1/2 years from now? Believe me, I've been there and it's no picnic.

Why should you care what files you sent two-and-a-half years ago anyway? To begin with, it's the law, for most of us anyway. Regulations such as PCI DSS and HIPAA require businesses to maintain an audit trail for files that contain cardholder data or other personally identifiable information. Still, we shouldn't do it just because it is the law; we should do it because it is good business practice to protect and track the movement of all business information.

How to Audit

Screen captures are probably the worst way to maintain an audit trail of your FTP transactions. It makes sense to look into better tools for managing your FTP processing that make it easier and safer to prove that files were sent to, or received from, the correct locations.

Most Windows-based FTP tools, whether free or purchased, have an option to keep a log of all your transactions. Here's an example of GoAnywhere Director's job log, which shows the status of your file transfers and lets you drill down into each job for more detail.

[Screenshot: GoAnywhere Director job log]

Other FTP software has similar settings. Logging your transactions provides the audit trail you need to prove that you did your part in sending or retrieving the files. Managed file transfer solutions, in addition to securing the transfer itself, provide a better audit trail by logging exactly who sent or received each file.

Bottom line: your FTP audit logs should be easy to find and understand in case you are audited 2 1/2 years from now.
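The kind of record an auditor can actually use is more than a status column: it needs a timestamp, the user, the remote host and path, the outcome, and a hash of the bytes that went over the wire so you can prove which version of a file was sent. The Python below is an added example, not GoAnywhere's log format or code; it writes one JSON line per transfer, hash-chains the lines so a later edit or deletion is detectable, and answers the "did we send X, and what was in it?" question. The transfers, hosts and file contents are constructed for the example, and it assumes the chain's head hash is stored somewhere the log writer cannot alter.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor for the first record's "prev" field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class TransferAuditLog:
    """Append-only trail of file transfers, one JSON line per event.

    Each line stores the SHA-256 of the previous line ("prev"), so editing or
    deleting an earlier record breaks every link after it. The hash of the
    newest line (the "head") must be copied somewhere the log writer cannot
    change (a separate system, a signed daily report); without it, someone who
    can rewrite the file can simply replace the final record undetected.
    """

    def __init__(self):
        self.lines = []            # in production: append to a file on write-once storage
        self.prev_hash = GENESIS

    def record(self, *, direction, user, remote_host, remote_path,
               filename, content, status, when=None):
        """Append one transfer event; returns the new head hash."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = {
            "ts": ts,
            "direction": direction,         # "out" = we sent, "in" = we fetched
            "user": user,
            "remote_host": remote_host,
            "remote_path": remote_path,
            "filename": filename,
            "size": len(content),
            "sha256": sha256_hex(content),  # proves which bytes were transferred
            "status": status,
            "prev": self.prev_hash,
        }
        line = json.dumps(entry, sort_keys=True)   # deterministic, so the hash is stable
        self.lines.append(line)
        self.prev_hash = sha256_hex(line.encode())
        return self.prev_hash

    def verify(self, head=None):
        """Walk the chain. Returns (ok, n): n is the first bad line, or the line count."""
        prev = GENESIS
        for n, line in enumerate(self.lines, 1):
            if json.loads(line)["prev"] != prev:
                return False, n
            prev = sha256_hex(line.encode())
        if head is not None and prev != head:
            return False, len(self.lines)
        return True, len(self.lines)

    def find(self, filename, status=None):
        """Answer "did we send X, when, and what did it contain?" years later."""
        entries = [json.loads(ln) for ln in self.lines]
        return [e for e in entries
                if e["filename"] == filename and (status is None or e["status"] == status)]


# Constructed sample payloads (not real data) so the example runs offline.
ACH_CONTENT = b"constructed ACH batch header, not a real NACHA file\n"
PAYROLL_CONTENT = b"emp_id,amount\n1001,2500.00\n1002,3100.00\n"


def build_sample_log():
    """Record three constructed transfers with a fixed timestamp; returns (log, head_hash)."""
    log = TransferAuditLog()
    t0 = datetime(2011, 5, 25, 12, 0, tzinfo=timezone.utc)
    log.record(direction="out", user="batchuser", remote_host="sftp.bank.example",
               remote_path="/inbound/ACH_20110525.txt", filename="ACH_20110525.txt",
               content=ACH_CONTENT, status="ok", when=t0)
    log.record(direction="out", user="batchuser", remote_host="sftp.bank.example",
               remote_path="/inbound/payroll_20110525.csv", filename="payroll_20110525.csv",
               content=PAYROLL_CONTENT, status="ok", when=t0)
    head = log.record(direction="in", user="batchuser", remote_host="sftp.bank.example",
                      remote_path="/outbound/remittance.csv", filename="remittance.csv",
                      content=b"", status="failed", when=t0)
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    print("chain intact:", log.verify(head))
    for e in log.find("ACH_20110525.txt"):
        print(e["ts"], e["direction"], e["status"], e["sha256"])
```

Two points worth noting: the failed inbound transfer is recorded too, because an auditor wants to see attempts as well as successes; and `verify()` without the head hash will happily accept a log whose last record was rewritten, which is why the head belongs outside the writer's reach.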


Compliance and Regulations for Sensitive Data Transfers

Highly sensitive data is frequently exchanged between organizations. For instance, a business will routinely transmit financial information to its bank, including payroll direct deposits and ACH payments. These transactions most likely contain sensitive elements such as bank account numbers, routing numbers, social security numbers and payment details.

Industry-specific transactions may also contain highly sensitive data. For example, in the health care business, patient records are regularly exchanged between hospitals, doctors and payment providers. In the insurance business, policy information is often transmitted between carriers. This information may contain names, addresses, birth dates, social security numbers and other private information.

Loss of sensitive data can result in great financial expense, lawsuits and public embarrassment for the affected organization. It is no surprise, then, that industries are setting new regulations and standards to address the security of their data. For instance:

  • PCI DSS requires that stored cardholder data be rendered unreadable (for example by strong encryption, truncation or tokenization) and that it be protected with strong cryptography whenever it is transmitted over open, public networks. Failure to do so can result in severe fines and potential loss of your merchant account.
  • HIPAA requires that healthcare records are secured to protect the privacy of patients.
  • State privacy laws require that customers are notified if their personal information may have been lost or stolen. Some states will also assess large fines against organizations if this data is not protected properly.

Organizations should consider these compliance requirements and regulations when evaluating a Managed File Transfer solution. An effective solution should offer a range of encryption methods to protect sensitive data, including SSL/TLS, SSH, AES and Open PGP. Audit trails should also be in place to track file transfer activity so you can easily determine which files were sent, when they were sent, who the sender and receiver were, and so on. If you are looking for a comprehensive solution, be sure to check out our GoAnywhere Managed File Transfer Suite.

Related Blog: PCI DSS v2.0