» 

Blog

Posts Tagged with "COMPLIANCE"

Introducing Kathryn Anderson from Backbone Consultants

July is fast approaching, and with it our latest webinar on cybersecurity, Lessons from the Field: 7 Steps to Proactive Cybersecurity. This engaging, hour long session will cover seven lessons organizations should use to build security awareness and protect sensitive company data.

Who’s speaking? Expect powerful discussion between Bob Erdman, Security Product Manager at HelpSystems, and a very exciting guest speaker—Kathryn Anderson of Backbone Consultants.

Meet Kathryn Anderson

Kathryn Anderson is a Senior Manager of IT Risk and Compliance. She comes to Backbone Consultants—and our webinar—with over a decade of relevant business and security knowledge.

As part of her role in IT Risk and Compliance at Backbone Consultants, she consults with businesses on needs they have and identifies security opportunities they may not realize they have. She helps them “understand what their risks are as an organization from a reputation standpoint, from a financial standpoint, from an operations standpoint, and find those opportunities they may not be looking at.” By studying the whole picture, she can give each company a complete overview of their institution and make suggestions for improvement.

We recently had the opportunity to sit down with Kathryn Anderson and learn about her background and security goals. “I started my career in Identity and Access Management. I fell into it and found, very quickly, that I absolutely loved it,” Anderson told us. “There are so many components of security that help organizations and their customers keep data safe, which is what attracted me to security as I delved into the Identity and Access Management part of it.”

Anderson’s first introduction to security was at TCF Bank, where she worked in an Identity and Access Management role doing user attestations and term and transfer lists. As her responsibilities evolved, she began to identify areas where the security department could use tools to automate business processes, like employee termination from central applications.

Finding these opportunities for improvement helped Anderson understand the importance of developing strong cybersecurity practices. “The purpose of this job really has a lot of value. If you have a system ID that’s just sitting out there and isn’t being used, and a terminated employee has access to some sort of information, it could put your data at risk. Understanding what security was helped elevate my career path,” she said.

After seven years at TCF Bank, Anderson accepted a position in Risk and Governance at General Mills, where she spent a majority of her time developing programs on Security Awareness and Third Party Vendor Assessment. She focused on security education, too, ensuring General Mills employees not only understood security best practices, but also felt empowered to protect data at work and at home.

Kathryn Anderson’s passion and interest in business security makes her a valuable guest speaker, and we’re excited to hear more from her in the upcoming weeks. She’ll also share her thoughts on the importance of proactive cybersecurity during our July 26 webinar. The event is open to everyone, but it should especially interest those who want to learn how to implement a security awareness program or manage resources in their organization.

About Backbone Consultants

Located in Minnesota, Backbone Consultants has provided clients with end to end cybersecurity services and compliance since 2008. Their services include IT audit and compliance, cybersecurity, data privacy, and technical training. Comprised of a strong professional team, Backbone Consultants work with companies to tackle business needs and identify areas of improvement in how they develop and manage their IT assets.

You can learn more about Backbone Consultants at their website.

Webinar Details

Lessons from the Field: 7 Steps to Proactive Cybersecurity

Wednesday, July 26, 2017

11 am - 12 pm CT

Don’t miss out! Register now to join the discussion.


Are You Ready for the 2018 PCI DSS Deadlines?

PCI DSS 2018 deadlines

Sometime last year you achieved total compliance with PCI DSS, the information security standard for all organizations that process credit or debit cards. That means your data is safe, the auditors will leave you alone, and you can kick back and relax, right?

Unfortunately, hackers don’t take breaks. Their methods are constantly evolving, making it essential that you are compliant with the latest security standards. Fortunately, PCI DSS is designed to ensure that you know exactly what to do to stay ahead of new threats. Staying PCI DSS compliant also lets you avoid hefty fines.  

The latest version of PCI DSS is version 3.2, which was announced in April 2016. Hopefully you’ve already seen the new rules and are taking steps to improve your security. You should be aware that some major PCI DSS compliance deadlines are approaching in 2018.

Although PCI DSS 3.1 technically expired in October 2016, all new requirements in version 3.2 will be considered best practices until 2018, when they’ll become mandatory. Here are some of the most important changes:

 

Multi-Factor Authentication (Best Practice Now, Mandatory February 2018)

PCI DSS version 3.1 called for two-factor authentication. Don’t worry about the name change to multi-factor authentication—it’s just to clarify that more than two types of authentication are possible. The more important update is that the requirement is expanded to include all individual non-console administrative access as well as all remote access to the cardholder environment (CDE).

That means that for any potential CDE access points, including through tools like your managed file transfer solution, you need to have multi-factor authentication either at the network or the system level.

 

TLS 1.1 or Above (Best Practice Now, Mandatory June 2018)

SSL and its immediate successor, TLS 1.0, are no longer considered strong encryption methods. Originally, the new PCI DSS requirement mandated that every organization migrate to TLS 1.1 and above (ideally TLS 1.2) by June 2016. This deadline was later pushed out to June 2018.

However, if you’re using SSL or early TLS, you should know that you’re not using current security best practices. We recommend that you move your file transfers to a stronger encryption method as soon as possible.

 

PCI DSS 3.2Get the Full Scoop

In order to help you fully understand the changes to PCI DSS 3.2, especially how they relate to managed file transfer, we’ve created a new whitepaper. Download it to learn:

  • Who needs to comply with PCI DSS 3.2
  • What has changed since version 3.1
  • How PCI DSS compliance affects your file transfer processes and solutions

Get the Whitepaper

 


Take the PCI DSS Quiz, Win a Free Tablet!

With the looming 2018 compliance deadlines and the constant news of data breaches, PCI DSS is on the minds of IT and cybersecurity professionals around the world. For organizations that reached compliance within the last year, you may be surprised to know that only 29% of companies are compliant a year after validation.

As processes, partners, and staff shift within an organization, keeping track of the measures required to maintain compliance can be difficult. The first step in becoming or maintaining PCI DSS compliance is understanding the requirements, and how they apply to your organization.

How well do you understand the PCI DSS requirements? 

Find out by taking this fun, interactive quiz for the chance to win a free Google Pixel C. That’s right, one lucky winner will be selected at random to win a free tablet just for taking the quiz.

 

So what are you waiting for? Test your PCI DSS skills below.

 

 

 

 

 


Get the Guide: Achieving HIPAA Compliance with GoAnywhere MFT


Are your file transfers HIPAA compliant? Is your healthcare organization at risk for fines, or worse - a data breach of sensitive patient information? Many health IT teams meet these questions with unease.

Fortunately, GoAnywhere is here to help.

HIPAA (the Health Insurance Portability and Accountability Act) protects the confidentiality, integrity, and availability of electronic health information. For any IT professional working in the healthcare industry—or for a company that does business with healthcare organizations—HIPAA is a concern. Compliance is strictly enforced, with penalties including substantial fines and, in rare cases, even prison sentences.

HIPAA is dedicated to protecting patient health information, but cybersecurity is only a portion of what the law covers and HIPAA’s security standards were not written for an IT audience. Avoiding specific technical language means the law changes with the times and allows organizations to adopt new technologies that help them meet HIPAA requirements. This approach provides flexibility, but it also makes HIPAA compliance challenging—IT professionals have to translate HIPAA into IT terms to determine what steps they need to take to become compliant.

Patient care involves constantly exchanging and updating electronic records, making file transfers a potential area of security vulnerability. GoAnywhere MFT protects valuable personal data while simplifying HIPAA compliance.

We’ve put together a guide that demonstrates how GoAnywhere MFT addresses several key HIPAA requirements. For example, GoAnywhere prevents unauthorized access by authenticating users and passwords with a variety of techniques including database authentication, LDAP, and Active Directory. Audit trails are generated to document if unauthorized attempts are made to alter or delete documents.

 

Download the guide to learn more about how GoAnywhere makes HIPAA compliance easy.

 

 

 

 

 

 


Take a Proactive Approach to New PCI DSS Standards

For some organizations, the 36 month lifecycle of new Payment Card Industry Data Security Standards (PCI DSS) can be a grueling schedule to tackle. With the release of PCI DSS 3.2 just around the corner, many organizations are trying to estimate the effort required to remain compliant. Wouldn't it be nice if there was a way to predict what was on the minds of the folks on the PCI Security Standard Council before the new standards were released? Well, there just might be a way.

In June, 2015, the Council published a document called The PCI DSS DESV (Designated Entities Supplemental Validation). Inside that document are "extra requirements" which apply to entities requiring "additional validation". These could be organizations that deal with Payment Card Data in large volume, serve as an aggregation point for cardholder data, or suffered significant or repeated breaches.

As folks in the world of security know, defense in depth is a rule we all live by. Extraordinary soon becomes ordinary. Exceptional soon becomes standard. Supplemental soon becomes required.

PCI DSS compliant future versionsThrough the DESV, it's possible to glimpse the future of PCI DSS.  By implementing these controls and processes, your organization gains even more protection than what is currently and commonly required. By doing so, you can prepare - to some extent - for the surprises lurking down the road. At the very least, your processes will be better defined and your controls will be more secure. Implementing best practices early could give you the competitive edge you need to respond quickly when those practices become required.

This idea is based on more than just speculation. In a Council blog, "Preparing for PCI DSS 3.2: What to Expect in 2016", posted on February 17, 2016, chief technology officer Troy Leach eluded to some updates in the standard they were considering, which included the following:

  • Multi-factor authentication for administrators
  • Incorporating some of the DESV criteria for service providers
  • Clarifying masking criteria for primary account numbers when displayed
  • Updating migration dates for SSL/early TLS that were published in December 2015

As a developer of enterprise managed file transfer and encryption solutions, Linoma Software remains vigilant in keeping up with the latest PCI DSS standards so we can help organizations to protect their most sensitive data assets and meet compliance requirements.


SHA-2 and TLS Security for AS2 Transfers

2016 is a pivotal year for organizations to upgrade the security used to protect their AS2 data transfers. In order to be compliant with the latest security standards, you need to be using a modern AS2 solution.

The End of SHA-1

SHA-1 (Secure Hash Algorithm) is a cryptographic hash algorithm created by the NSA and published in 1995. SHA-1 takes a message of any length and produces a 160-bit message digest. The message digest verifies the integrity of the message by comparing the hash that was calculated before and after message transmission. For example, the hash of a transmitted file is compared against the hash of the file before it was sent. If the hash values are the same, the file was not tampered with. If the hash values are different, the file was altered during transmission. In 2005, attacks have demonstrated the security in SHA-1 is weaker than intended, and a more secure SHA-2 standard was created. SHA-2 is actually a family of hash functions with hash values of 224, 256, 384, or 512 bits. Due to the stronger hash algorithms in SHA-2, Federal agencies have been directed to stop using SHA-1 and must use SHA-2. 2016 is the year software vendors are completing their migration to SHA-2. Google Chrome has begun displaying warning messages for SHA-1 certificates with expiration dates past January 1, 2016, and Microsoft instructed Certificate Authorities to stop issuing SHA-1 certificates earlier this year. Major organizations, like UPS, are requiring their AS2 trading partners to use SHA-2.

TLS

Transport Layer Security is a protocol that encrypts communications between client applications and servers. TLS is the successor to the Secure Sockets Layer (SSL) protocol version 3.0, and uses more advanced methods for message authentication, better alerting for problem certificates, and more robust cipher suites. After the POODLE vulnerability was discovered in late 2014, companies that are still using SSL instead of TLS are leaving themselves open to man-in-the-middle exploits. Google and Mozilla have already phased out the support of SSL 3.0 in Chrome and Firefox, and trading partners are demanding companies support TLS for AS2 transfers.

SHA-2 and TLS migration

GoAnywhere MFT fully supports SHA-2 and TLS for AS2 transfers. GoAnywhere is certified by the Drummond Group to validate our AS2 solution follows the RFC 4130 standard and is interoperable with other certified products. Using a Drummond Certified solution, and requiring your trading partners do as well, alleviates the challenges of AS2 and ensures your transfers fully meet the latest security standards. For more information on AS2 support in GoAnywhere MFT, visit the pages on our AS2 Client and AS2 Server.


Free FTP Server and Client Helps Businesses Improve Security and Audit File Transfers

GoAnywhere MFT's integrated FTP Server and Client for automating and auditing file transfers is now available as a Free Edition of the enterprise-class Managed File Transfer solution. 

GoAnywhere Managed File Transfer Free FTPThis free FTP software can be installed on a variety of platforms including Windows, Linux, Mac OS, UNIX and IBM i, providing flexibility to organizations of all sizes.  GoAnywhere MFT improves FTP security with features like AD authentication, granular folder permissions, password policies to comply with PCI DSS, brute force and DoS attack monitors, and IP blacklists/whitelists.

"Legacy FTP servers are lacking the security controls, user management and detailed audit logs needed to comply with regulations like PCI DSS and HIPAA" says Bob Luebbe, Chief Architect at Linoma Software.  "With the free edition, any organization can now take advantage of the comprehensive FTP features in GoAnywhere MFT."

Using the free FTP client from GoAnywhere, organizations can add automation to their file transfers.  The ability to schedule transfers and scan for new or modified files on local or remote systems reduces manual processes and the risk of human error.  This saves time and money while improving productivity through reliable data delivery.

The GoAnywhere FTP server makes it possible to set access controls and generate detailed audit logs on all file transfer activity.  This offers a layer of regulatory and policy compliance to organizations currently using FTP to exchange files with trading partners.

GoAnywhere MFT is an on-premises solution that provides centralized control over data access. There are no upfront costs or renewal fees for this fully scalable FTP solution. GoAnywhere MFT can be easily upgraded to meet the changing needs of any business through the purchase of secure file transfer protocols, integrated Open PGP encryption, advanced workflows and in-depth reporting.

This free software installs in minutes and is available for download from the GoAnywhere website at https://www.goanywhere.com/free-ftp.


5 Signs Your Organization is Ready for MFT

Managed File Transfer Levels the Playing Field for SMB

Low-cost file transfer tools allow mid-market businesses to make simple data exchanges both internally and externally.  As your company grows, however, trading partners demand enterprise-level systems to improve reliability and data security. 

cityscape - mft readyManaged File Transfer (MFT) emerged to reduce the cost and programming skills required for you to meet customer requirements and stay competitive in the marketplace. According to an Info-Tech Research Group report on selecting and implementing an MFT solution, there are five signs that indicate your organization could benefit from this technology.

  1. A need for transparency and traceability in file exchange activities
  2. New business relationships mandate adherence to compliance laws and privacy regulations
  3. Traditional methods of sending data, such as FTP, aren't secure
  4. Processes need to be more agile and adapt to changing network conditions
  5. The inability to comply with government reporting requirements

MFT provides comprehensive audit trails and monitoring to document all file transfer activity. Reports generated from this data show every interaction with the files on your server in great detail and allow you to better serve customers by responding quickly when problems do arise.

When security and reporting tools are needed to meet strict regulatory compliance standards of even highly-regulated industries, MFT delivers.  These include the data protection and integrity requirements found in PCI DSS, GLBA, SOX, Dodd-Frank and state privacy laws.

In light of recent high profile data breaches, many organizations have chosen to reduce their risk by seeking alternatives to unsecure FTP.  MFT gives you the flexibility to connect with trading partners using secure protocols and popular encryption methods like SFTP, FTPS, HTTPS, AS2, Open PGP and ZIP with AES.

In addition, automation and simplified workflows offered in many MFT solutions streamline the process of adding and onboarding trading partners. Companies can reduce or eliminate time spent on manual file exchanges and interrupted file transfers, thus reducing administrative costs and assuring the timely delivery of mission-critical data.

To explore MFT further, download this useful checklist to help in your evaluation of vendors and find the best solution for your organization.


Managed File Transfer 101: What's in it for Me?

managed file transfer 101 - fileTransferGroupThe term MFT (Managed File Transfer) is not new but you may be hearing it more frequently.  Changes in data security and transmission regulations have brought this established technology to the forefront, but what exactly does it entail? Linoma Software recently hosted "Managed File Transfer 101", a webinar to present the essentials of MFT and what you should look for when researching an MFT solution for your organization.

Current State of File Transfer

In the presentation, Bob Luebbe, chief architect of Linoma Software, talked about the existing challenges of file transfer:

  • Old technology - such as Standard FTP - is still in use despite limitations and risks posed by data "sent in the clear".
  • Time consuming manual processes that might include the use of PC tools.  Scripts are also a legacy of old processes that continue to saddle IT departments.  Programmers create and maintain these scripts - often hundreds or thousands - to automate transfers.
  • File access is often too decentralized, making it difficult to control and manage.  Compliance has become more stringent in data management.
  • Lack of notifications critical to insure successful data movement, rather than waiting for a partner to notice missing or incomplete transfers.  Traditional logs can be helpful but are also hard to find and filter for adequate audit trails.  The big issue is meeting data privacy regulations (e.g., PCI DSS, HIPAA, GLBA and SOX) without centralized logs.
  • Employees are still sending files unchecked.  Without a simple and secure alternative, employees find their own solutions for file portability to maintain productivity.

managed file transfer 101 - 58percent_send_to_wrong_personThis final point often involves employees storing sensitive files on their PCs and laptops, sending documents through email, and utilizing cloud storage providers - like Dropbox - without proper controls in place.  If a company doesn't have internal policies in place to address file sharing and transfers, the liability risk can be severe. In a 2013 study by Stroz Friedberg on Information Security in American Business, it was found that 3 out of 4 office workers upload work files to their personal email or cloud account.  Of this group, 37% said it was because they prefer using their personal computer while 14% said it's because taking their work laptop home was simply too much effort. The same survey highlighted the role of senior managers in an organization's data risk.  Often the worst offenders, 58% admitted to accidently sending sensitive information to the wrong person. Just over half also admitted to taking files with them after leaving a job. While MFT won't put a stop to this practice, a workflow built on the secure storage of sensitive business documents will add transparency to file access activity.

What is Managed File Transfer?

File Transfers, in their basic form, involve the sharing of files with others through FTP, email or a cloud solution.  In contrast, Managed File Transfer takes a centralized enterprise-level approach to automating and securing file transfers.  This produces a secured, scheduled and trackable file transfer. By creating transparency within your organization, files are tracked and logged as they enter and leave your network.  MFT is a smart solution for companies who understand the liability and risk involved in transmitting sensitive data.

  • Keep files safe and secure
  • Make sure files go where they are needed, when they are needed
  • Track files from start to finish for compliance purposes

To see what MFT looks like in a real world example, the team at Linoma would be happy to schedule a live demo of the GoAnywhere Suite.  You can also click here to view the entire webinar for free. Discover how simple and affordable it can be to utilize an MFT solution in your organization.