Content Visibility and Its Role in Demonstrating Compliance
Is your organization’s data secure? If so, can you clearly demonstrate your security practices to auditors? Data privacy and data security are very important.
In our previous posts, we identified four feature sets or “pillars” required for an effective data governance framework. We discussed:
In this post, we’ll take a closer look at governance, especially as it pertains to compliance with the internal policies, industry standards, and rigorous government regulations that mandate data privacy and data security.
Governance and Regulatory Compliance
Over the past twenty years, industry organizations and governments have responded to security threats by mandating IT controls for protecting confidential data, especially data with Personally Identifiable Information (PII) about customers. In recent years, partly in response to high-profile data breaches, these regulations have become even stricter.
Here’s just a sample of the many laws and regulations in place to ensure data security:
- EU General Data Protection Regulation (GDPR)
The EU’s new, sweeping data privacy law requires organizations everywhere to acknowledge and respect data subject rights. This includes securing and closely managing any personally identifiable information in their control related to EU citizens and alerting the public to a data breach within 72 hours of discovery.
- The Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
- Federal Information Processing Standards (FIPS)
FIPS are publicly announced standards developed by the Federal Government for use in computer systems by non-military government agencies and government contractors.
- Gramm-Leach-Bliley (GLB)
Also known as the Financial Services Modernization Act of 1999, this U.S. Federal law requires financial institutions to ensure the security of customer information.
- The Health Insurance Portability and Accountability Act (HIPAA)
The most important privacy and security law for the U.S. healthcare industry, HIPAA mandates data privacy and data security for Protected Health Information (PHI) managed by healthcare organizations and their business partners.
- Payment Card Industry Data Security Standard (PCI DSS)
Recognizing the importance of protecting cardholder data, the payment card industry has created its own data security standard. All organizations storing, processing, or transmitting cardholder data are expected to comply with PCI DSS.
The list of laws and regulations goes on and on. Enterprises should expect data privacy and data security regulations to continue growing in number and scope. Legislatures and industry groups are responding to angry consumers who have seen their data leaked in breach after breach, sometimes as the result of careless errors. If private citizens entrust their data to an organization, it’s not unreasonable for them to expect that organization to protect their PII using state-of-the-art security technology and best practices.
Increased regulatory pressure is designed to ensure these practices are adopted, embraced and enforced. These regulations are often daunting to implement and create a number of challenges for enterprises. They must not only improve their data privacy and data security practices; they must also do so in a way that enables them to demonstrate compliance to auditors and sometimes to courts.
How an Integrated Governance Framework Can Help
At Accellion, we’ve developed an integrated governance framework that builds on the IT infrastructure enterprises already have—including resources on premises and in the cloud. This framework provides a new layer of security and control, while at the same time making it easier for authorized users to find, share, and manage the content they need.
We make this framework available through our secure private cloud file sharing platform. Accellion’s platform provides organizations with a number of security and governance capabilities that provide total control over sensitive information as it’s shared with trusted partners outside the firewall. This in turn enables organizations to demonstrate compliance with a broad range of industry regulations and laws, including: SOX, HIPAA (with signed BAA), ITAR, SOC2, GDPR, NIST 800-171 and CJIS. Accellion is also an Authorized FedRAMP cloud service provider.
Additional security and compliance capabilities include:
- Content Visibility
With out-of-the-box connectors and API integrations, Accellion provides organizations full visibility into where content sits on the network, who has access to it, and what they’re doing with it. You cannot prove to auditors and regulators that you’re handling PII and other sensitive content in a compliant manner if you don’t know where the content resides in the network or who has access to it.
- Full Auditing and Reporting
Every file that moves across the Accellion platform, whether it’s a contract requested from outside legal counsel or a financial projection downloaded from SharePoint or Box, along with every other user activity, is logged and reported on an interactive dashboard. Administrators and compliance teams can easily generate reports to provide full visibility and demonstrate compliance.
- Granular Policy Controls
Administrators can establish and manage access privileges to folders and their files, e.g. view only, download, invite other collaborators, etc. File and folder expiration dates ensure that access to sensitive information is allowed for only as long as it’s needed.
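The two capabilities above (auditing of every user action, and folder-level privileges with expiration dates) fit together naturally: each authorization decision is itself an audit event, and the same policy table that drives the decision also answers the auditor's question "who has access to what today?". The following is an added example written for this page, not Accellion's product code or API; the folder paths, user names, privileges and timestamps are constructed for illustration, and the default-deny behaviour for folders without a policy is an assumption of this model.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Privilege(str, Enum):
    VIEW = "view"
    DOWNLOAD = "download"
    INVITE = "invite"  # invite other collaborators into the folder


@dataclass
class FolderPolicy:
    folder: str
    grants: Dict[str, Set[Privilege]]      # user -> privileges on this folder
    expires_at: Optional[datetime] = None  # all access lapses at this instant


@dataclass
class AuditEvent:
    when: datetime
    user: str
    folder: str
    privilege: str
    allowed: bool
    reason: str


class GovernanceService:
    """Hypothetical policy engine: every decision is appended to an audit trail."""

    def __init__(self) -> None:
        self._policies: Dict[str, FolderPolicy] = {}
        self._audit: List[AuditEvent] = []

    def set_policy(self, policy: FolderPolicy) -> None:
        self._policies[policy.folder] = policy

    def authorize(self, user: str, folder: str, privilege: Privilege,
                  now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        policy = self._policies.get(folder)
        if policy is None:
            allowed, reason = False, "no policy for folder (default deny)"
        elif policy.expires_at is not None and now >= policy.expires_at:
            allowed, reason = False, "folder access expired"
        elif privilege not in policy.grants.get(user, set()):
            allowed, reason = False, "privilege not granted"
        else:
            allowed, reason = True, "granted by folder policy"
        # Denied attempts are logged too: auditors want to see refusals as well.
        self._audit.append(AuditEvent(now, user, folder, privilege.value, allowed, reason))
        return allowed

    def access_inventory(self, now: Optional[datetime] = None) -> Dict[str, Dict[str, List[str]]]:
        """Who currently holds which privileges on which folder (expired folders omitted)."""
        now = now or datetime.now(timezone.utc)
        inventory: Dict[str, Dict[str, List[str]]] = {}
        for folder, policy in self._policies.items():
            if policy.expires_at is not None and now >= policy.expires_at:
                continue
            inventory[folder] = {user: sorted(p.value for p in privs)
                                 for user, privs in policy.grants.items()}
        return inventory

    def audit_report(self, folder: Optional[str] = None, denied_only: bool = False) -> List[dict]:
        """Flat rows suitable for an auditor's export, optionally filtered."""
        rows = []
        for e in self._audit:
            if folder is not None and e.folder != folder:
                continue
            if denied_only and e.allowed:
                continue
            rows.append({"when": e.when.isoformat(), "user": e.user, "folder": e.folder,
                         "privilege": e.privilege, "allowed": e.allowed, "reason": e.reason})
        return rows


# Constructed timestamps: T1 is before the finance folder expires, T2 is after.
T1 = datetime(2024, 6, 15, 9, 0, tzinfo=timezone.utc)
T2 = datetime(2024, 7, 2, 9, 0, tzinfo=timezone.utc)


def run_scenario() -> Tuple[GovernanceService, List[bool]]:
    """Constructed scenario exercising grants, missing privileges, expiry and default deny."""
    svc = GovernanceService()
    svc.set_policy(FolderPolicy("/finance/projections",
                                {"alice": {Privilege.VIEW, Privilege.DOWNLOAD},
                                 "bob": {Privilege.VIEW}},
                                expires_at=datetime(2024, 7, 1, tzinfo=timezone.utc)))
    svc.set_policy(FolderPolicy("/legal/contracts",
                                {"outside_counsel": {Privilege.VIEW, Privilege.DOWNLOAD}}))
    decisions = [
        svc.authorize("alice", "/finance/projections", Privilege.DOWNLOAD, T1),  # granted
        svc.authorize("bob", "/finance/projections", Privilege.DOWNLOAD, T1),    # view only
        svc.authorize("contractor", "/legal/contracts", Privilege.VIEW, T1),     # no grant
        svc.authorize("alice", "/finance/projections", Privilege.VIEW, T2),      # expired
        svc.authorize("outside_counsel", "/legal/contracts", Privilege.DOWNLOAD, T2),
        svc.authorize("alice", "/hr/reviews", Privilege.VIEW, T2),               # no policy
    ]
    return svc, decisions


if __name__ == "__main__":
    service, results = run_scenario()
    print(results)
    for row in service.audit_report(denied_only=True):
        print(row)
    print(service.access_inventory(now=T2))
```

The point of keeping `authorize` and the audit trail in one place is that the report an auditor sees is generated from the same decisions the system actually made, rather than reconstructed afterwards; `access_inventory` answers the "who has access" question from the live policy table, and an expired folder disappears from it automatically.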
- Encryption
All files are encrypted at rest and in motion with the highest levels of encryption. In addition, organizations retain full ownership of the encryption keys. Encryption ensures no unauthorized parties have access to your organization’s data.
- FIPS 140-2 Validated
Accellion’s platform has received FIPS 140-2 Level 1 validation, enabling it to be used by many federal agencies.
- Content Retention and Legal Preservation
Organizations can comply with legal requests to preserve and collect all relevant files and metadata, and set content retention policies to meet regulatory compliance requirements.
- Data Sovereignty
Geographic policies can be enforced to restrict user content to storage physically located in specific countries to meet data residency requirements.
Learn more about Accellion’s Governance and Compliance capabilities.