When you send someone a file via FTP, how do you know — and later prove — that it was successfully sent?
It might be possible to save a screen shot as long as the process was simple and you can see all the commands on a single screen. But what if your commands start getting complex? And if you start sending quite a few files every day, how do you organize all these screen shots so that you can easily retrieve proof 2 1/2 weeks from now? What about 2 1/2 years from now? Believe me, I’ve been there and it’s no picnic.
Why should you care what files you sent two-and-a-half years ago anyway? To begin with, it’s the law… for most of us anyway. Most businesses are required by law to maintain an audit trail of any files that hold personally identifiable information in the data. Still, we shouldn’t do it just because it is the law; we should do it because it’s a good business practice to protect and track the movement of all business information.
How to Audit
The screen capture option is probably the worst-case scenario in maintaining an audit trail of all your FTP transactions. It makes sense to look into better tools to manage your FTP processing that make it easier and safer to prove the files have been sent or received from the correct locations.
In most Windows-based FTP tools, whether free or purchased, there are options to maintain a log of all your transactions. Here’s an example of GoAnywhere Director’s job log that shows the status of your file transfers, and allows you to drill down further into each job to find out even more.
Other FTP software solutions have similar settings. Logging your transactions provides the audit trail you need to prove that you have done your part in sending or retrieving the files. Managed file transfer solutions, in addition to providing necessary file transfer security, provide an even better audit trail by logging exactly who sent or received the files.
Bottom line: Your FTP audit logs should be easy to find and understand just in case you are audited 2 1/2 years from now.
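The following is an added example, not code from this post or from GoAnywhere: a minimal transfer audit log in Python that records who sent which file where and when, stores the file's SHA-256, and chains each entry to the previous one so later edits are detectable. The user, host, path and reply values are constructed; in real use `server_reply` would be the completion string returned by `ftplib`'s `storbinary()`.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(record):
    """SHA-256 over the canonical JSON form of a record, excluding its own hash."""
    body = {k: v for k, v in record.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_transfer(log, *, user, remote_host, remote_path, payload, server_reply,
                    when=None):
    """Append one transfer record, chained to the previous record's hash."""
    record = {
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user,                       # who sent it
        "remote_host": remote_host,         # who received it
        "remote_path": remote_path,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),  # proves which content was sent
        "server_reply": server_reply,       # e.g. the FTP "226" completion line
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    record["entry_hash"] = _digest(record)
    log.append(record)
    return record

def verify_log(log):
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, record in enumerate(log):
        if record["prev_hash"] != prev or record["entry_hash"] != _digest(record):
            return i
        prev = record["entry_hash"]
    return -1

def find_transfers(log, payload):
    """Answer 'did we send this exact file, and when?' by content hash."""
    wanted = hashlib.sha256(payload).hexdigest()
    return [r for r in log if r["sha256"] == wanted]

if __name__ == "__main__":
    log = []  # constructed sample data, not real transfers
    append_transfer(log, user="svc_payroll", remote_host="ftp.example.com",
                    remote_path="/in/payroll.csv", payload=b"acct,amount\n1,100\n",
                    server_reply="226 Transfer complete")
    log[0]["remote_path"] = "/in/other.csv"  # simulate an after-the-fact edit
    print(verify_log(log))
```

The chain detects edited or removed entries in the middle of the log, but not truncation of the newest entries or a complete rewrite, so the latest `entry_hash` should be copied periodically to a location the logging account cannot modify.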
Highly sensitive data is frequently exchanged between organizations. For instance, a business will routinely transmit financial information to their bank including payroll direct deposits and ACH payments. These transactions most likely contain sensitive elements like bank account numbers, routing numbers, social security numbers and payment information.
Industry-specific transactions may also contain highly sensitive data. For example, in the health care business, patient records are regularly exchanged between hospitals, doctors and payment providers. In the insurance business, policy information is often transmitted between carriers. This information may contain names, addresses, birth dates, social security numbers and other private information.
Loss of sensitive data can result in great financial expense, lawsuits and public embarrassment for the affected organization. Therefore it is no surprise that industries are setting new regulations and standards to address the security of their data. For instance:
- PCI DSS requires that credit card numbers are encrypted while “at rest” and “in motion”. Failure to do so can result in severe fines and potential loss of your merchant account.
- HIPAA requires that healthcare records are secured to protect the privacy of patients.
- State privacy laws require that customers are notified if their personal information may have been lost or stolen. Some states will also assess large fines against organizations if this data is not protected properly.
Organizations should consider compliance requirements and regulations when looking for a Managed File Transfer solution. An effective solution should have a number of encryption methods available to protect sensitive data including SSL, SSH, AES and Open PGP encryption. Audit trails should also be in place to track file transfer activity so you can easily determine what files are being sent, what time they are sent, who the sender and receiver are, and so on. If you are looking for a comprehensive solution be sure to check out our GoAnywhere Managed File Transfer Suite.