Managed File Transfer Vendor Earns “Excellent Supplier” Rating on ISO 9001 Supplier Evaluation for a Long-Time Customer
bTrade, the industry-leading compression and managed file transfer (MFT) provider, announced today that it once again scored well on an ISO 9001:2008 supplier evaluation, this time from its customer, Telered, S.A.
Telered is a Panamanian company that provides Panama’s electronic payments network. The shareholders of Telered are all the major Panamanian banks who demand infrastructure supported by state-of-the-art technology, including bTrade software solutions. Telered maintains connections with many entities, both private (local and international) and public, through a communications infrastructure that transmits the information between the entities and the affiliated financial institutions in a secure and reliable manner. Telered has been a bTrade customer for more than a decade.
Because the Panamanian payments network is certified under the ISO 9001:2008, Telered conducted a supplier audit of bTrade earlier this year. bTrade was rated on key metrics such as experience, performance against competition, product quality, price, and delivery and response to problems.
bTrade is pleased to report that it received from Telered a compliance rating of 98.2%. According to Maria Barrera, a Process Analyst at Telered, the 98.2% score puts bTrade in the category of “Excellent Supplier.”
“It is extremely gratifying to receive this recognition from our customer, Telered, S.A.,” said Steve Zapata, President and CEO of bTrade. “bTrade has always focused on continued quality, and this supplier rating reconfirms our mission to provide our customers with the highest quality products and services possible,” added Zapata.
For more information on bTrade’s solutions and services, please visit bTrade.com.
bTrade develops managed file transfer technology solutions for enterprises that share sensitive data across applications and organizations, and face complex security and compliance mandates. Thousands of customers depend on bTrade solutions to gain control and oversight of the movement of critical corporate data to facilitate data growth, reduce security risk, and improve IT and business efficiency. bTrade was founded in 1990 and is led by eBusiness visionaries who have delivered industry-leading business integration solutions to thousands of enterprise customers worldwide. bTrade is privately held and profitable with its global headquarters located in Glendale, California USA.
In an earlier post, MFT Nation critiqued the U.S. Federal Government’s (the “Feds”) recently revised data security policies entitled Circular No. A-130, Managing Information as a Strategic Resource (the “Circular”). In that earlier post, we focused on the not-so-good aspects of the Circular. We also promised to discuss the positive aspects in the future, which is the purpose of this post.
The Feds claim the Circular will “drive the transformation of the Federal Government and the way it builds, buys, and delivers technology by institutionalizing more agile approaches intended to facilitate the rapid adoption of changing technologies, in a way that enhances information security, privacy, and management of information resources across all Federal programs and services.” (This sentence is what an English teacher would call a “run on” sentence). To achieve such laudable goals, the Feds say they focused on the following three elements when drafting the Circular:
- Real Time Knowledge of the Environment. In today’s rapidly changing environment, threats and technology are evolving at previously unimagined speeds. In such a setting, the Government cannot afford to authorize a system and not look at it again for years at a time. In order to keep pace, we must move away from periodic, compliance-driven assessment exercises and, instead, continuously assess our systems and build-in security and privacy with every update and re-design. Throughout the Circular, we make clear the shift away from check-list exercises and toward the ongoing monitoring, assessment, and evaluation of Federal information resources.
- Proactive Risk Management. To keep pace with the needs of citizens, we must constantly innovate. As part of such efforts, however, the Federal Government must modernize the way it identifies, categorizes, and handles risk to ensure both privacy and security. Significant increases in the volume of data processed and utilized by Federal resources require new ways of storing, transferring, and managing it. Circular A-130 emphasizes the need for strong data governance that encourages agencies to proactively identify risks, determine practical and implementable solutions to address said risks, and implement and continually test the solutions. This repeated testing of agency solutions will help to proactively identify additional risks, starting the process anew.
- Shared Responsibility. Citizens are connecting with each other in ways never before imagined. From social media to email, the connectivity we have with one another can lead to tremendous advances. The updated A-130 helps to ensure everyone remains responsible and accountable for assuring privacy and security of information – from managers to employees to citizens interacting with government services.
This is all good stuff. Data security policies should focus on real-time knowledge of the environment, proactive risk management and shared responsibility. In fact, bTrade focused on these and other concepts when developing its TDXchange software solution. But again, it’s just amazing the Feds waited until 2016 to come to this realization and finally draft data security policies around these concepts. But I digress. Back to the topic—positive aspects of the Circular.
Appendix I establishes minimum requirements for information security programs and assigns responsibilities for the security of information and information systems. Appendix I requires agencies to do such things as:
- Perform ongoing reauthorization of systems (replacing the triennial reauthorization process) to better protect agency information systems;
- Continuously monitor, log, and audit user activity to protect against insider threats;
- Periodically test response procedures and document lessons learned to improve incident response;
- Encrypt moderate and high impact information at rest and in transit;
- Ensure terms in contracts are sufficient to protect Federal information;
- Implement measures to protect against supply chain threats;
- Provide identity assurance for secure government services; and,
- Ensure agency personnel are accountable for following security and privacy policies and procedures.
Again, this is all good stuff. For many years now, the Feds have required the private sector to incorporate such data security practices into their businesses.
Appendix II outlines some of the general responsibilities for managing personally identifiable information (PII). Appendix II summarizes requirements in the following areas:
- Establishing and maintaining a comprehensive, strategic, agency-wide privacy program;
- Designating senior agency officials for privacy;
- Managing and training an effective privacy workforce;
- Conducting Privacy Impact Assessments (PIA);
- Applying NIST’s Risk Management Framework to manage privacy risks in the information system development life cycle;
- Using the fair information practice principles when evaluating information systems, processes, programs, and activities that affect privacy;
- Maintaining an inventory of PII and reducing PII usage to the minimum necessary for the proper performance of authorized agency functions; and,
- Limiting the creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of PII to that which is legally authorized, relevant, and reasonably deemed necessary for the proper performance of agency functions.
Such data security policies can already be found throughout the private sector. It is the type of ecosystem for data security and privacy which businesses have been recognizing and adopting for many years now. Governmental agencies are being told that they have to develop a culture of privacy and security protection within their organizations and are being given the framework to follow.
The Circular is definitely needed given recent cyberattacks affecting the Feds. In addition, it is hard for the U.S. government to expect businesses in the private sector to do something the government does not do itself.
Let’s hope the Feds don’t go another 16 years until the next update.
The year 2000 was also a memorable time for the IT world. We survived the feared Y2K problem, but the dot-com bubble was about to burst. Google was just a baby and desktop computers dominated the IT landscape.
But the year 2000 is significant in another respect—it was the last time the U.S. federal government (the “Feds”) reviewed and updated its data security policies. We kid you not. Until recently, the Feds were relying on 16-year-old data security policies. As you might expect, the policies contained antiquated notions of data security, including one that listed “password protection” as the only “effective security technique.”
The good news is that the Feds recently reviewed the outdated policies and have released a revised version entitled Circular No. A-130, Managing Information as a Strategic Resource (the “Circular”). The impetus for the Circular, according to the Feds, is the “rapidly evolving digital economy.” If that is true, logic suggests the Feds would have reviewed/updated their data security policies much earlier than they did. The truth is that Feds were forced to take a more proactive approach to data security after a hack occurred last year at the Office of Personnel Management that was described as the “most devastating cyber attack in our nation’s history.”
Certain statements in the Circular demonstrate an understanding by the Feds of the gravity of the situation. For example, the Feds state an awareness that IT is “at the core of nearly everything the Federal Government does.” And to their credit, the Feds acknowledge they “cannot afford to authorize a system and not look at it again for years at a time.” Time will tell whether the Feds practice what they preach.
The release of the Circular generated a great deal of attention, but it is really nothing extraordinary. It’s the type of document the Feds have required of private sector organizations for quite some time. For example, the Federal Trade Commission has a document containing a 10-step data security policy guide for businesses, and the Federal Communications Commission created a similar document for private sector businesses entitled Cyber Security Planning Guide. The Circular incorporates the policies from these two documents (as well as a whole lot more, because it’s tough to stop the Feds once they start writing policies).
The Feds have consistently fined businesses for failing to “implement and maintain” data security policies. Similarly, companies have avoided the wrath of the FTC by showing they had established and implemented “comprehensive” data security policies. Talk about hypocrisy; judging private sector businesses by standards with which the Feds had never complied. I guess it’s good to be the king, so to speak.
They claim the Circular will “drive the transformation of the Federal Government and the way it builds, buys, and delivers technology by institutionalizing more agile approaches intended to facilitate the rapid adoption of changing technologies, in a way that enhances information security, privacy, and management of information resources across all Federal programs and services.” Let’s just say that we are skeptical.
Why? To be effective, policies should be written clearly and concisely, targeted to the end user. Too many policy manuals are ignored or never read because they are too wordy, boring, or confusing. The Circular is all of that. It’s an 85-page monstrosity with a host of problems.
To start with, there are a total of 90 definitions that consume the better part of 12 pages of single-spaced text. To make matters worse, the Circular is replete with general statements of policy, but lacking in understandable specifics. The Circular also points readers to a plethora of other regulations, such as a requirement to “[i]mplement security policies issued by OMB, as well as requirements issued by the Department of Commerce, the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Office of Personnel Management (OPM).” If that weren’t enough, the Circular directs users “to apply the standards and guidelines contained in the NIST FIPS, NIST SPs (e.g., 800 series guidelines), and where appropriate and directed by OMB, NIST Interagency or Internal Reports (NISTIRs).” Good luck with that one!
That said, the Circular has certain favorable aspects that are worth noting. We will discuss this in an upcoming post.
If you have questions about the above content, contact our data security experts at firstname.lastname@example.org.
Also, to stay current on developments in the world of data security, follow bTrade on Twitter, Facebook, LinkedIn and Google+.
The basic goal of any file transfer software is to transfer files securely and reliably. Getting the files from one place to another using standard file transfer protocols is something you would expect the solution to be able to do, and do well.
So what distinguishes one file transfer product from another? How should you decide that one solution is the best one to choose? That comes down to extra features and additions that allow you to use the solution to handle different scenarios or functions, some you may not have even thought you needed. This should be the major topic of conversation whenever you are considering a new file transfer solution.
bTrade’s TDXchange solution is one that has quite a few extra features that would allow you to better manage your day-to-day file transfer needs, if you decide to start using them. For example, we have:
- data transformations
- read and write transfers directly from a database
- secure ad hoc messaging
- Outlook plug-in
- cloud storage adapters
- SLA notifications
- encrypted data store
- and many more …
Now when added together, it makes TDXchange a very useful solution to handle not only the day-to-day situations, but also those file transfer scenarios that are not routine or automated. Let’s go through some of these extras and features I mentioned to give you an idea what they can do for you.
Data transformations are available to help you correct or modify your transactions when characters need to be removed or added. For example, you may occasionally receive a file that contains carriage returns and/or line feeds that your backend system doesn’t accept. This situation is easily dealt with in TDXchange by setting up a data transformation in the adapter that will automatically remove them, or change them to some other character, string or null. Problem document no more! If you need a file to have records of a certain length, set up the TDXchange transformation tool to produce 80-character (or other size) records. It works on both inbound and outbound documents.
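Added here as an illustration of the kind of transformation described above, not code from TDXchange: a small Python module that removes or substitutes CR/LF characters a backend cannot accept and reshapes a document into fixed-length records on the way in, and turns fixed-length records back into terminated lines on the way out. The Transformation options, the helper names and the sample account lines are constructed for this example.

```python
"""Inbound/outbound data transformation example (constructed illustration).

Two concerns an MFT adapter transformation typically handles:
  1. control characters (CR, LF) the receiving system rejects, which are
     removed or replaced; and
  2. fixed-length records (e.g. 80 characters), where each logical line is
     padded to the record length and the line terminators disappear.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_END = re.compile(r"\r\n|\r|\n")  # CRLF, bare CR or bare LF


@dataclass
class Transformation:
    remove: str = ""                       # characters deleted outright, e.g. "\r\n"
    replace: Dict[str, str] = field(default_factory=dict)  # e.g. {"\r\n": "|"}
    record_length: Optional[int] = None    # if set, reshape into fixed-length records
    pad: str = " "                         # fill character for short records
    truncate: bool = False                 # silently cut over-long records? (default: error)
    record_sep: str = ""                   # written between records; "" = none


def _sanitize(data: str, t: Transformation) -> str:
    # Substitutions run before removals so a replace of "\r\n" is not
    # pre-empted by a remove of "\r".
    for old, new in t.replace.items():
        data = data.replace(old, new)
    if t.remove:
        data = data.translate({ord(c): None for c in t.remove})
    return data


def transform(data: str, t: Transformation) -> str:
    """Inbound direction: sanitize, and optionally reshape into records.

    In record mode the line terminators define record boundaries and never
    reach the output; a record longer than record_length is an error unless
    truncate=True, because dropping data silently is the worse failure.
    """
    if t.record_length is None:
        return _sanitize(data, t)
    if len(t.pad) != 1:
        raise ValueError("pad must be exactly one character")
    lines = LINE_END.split(data)
    if lines and lines[-1] == "":   # a terminated final line yields an empty tail
        lines.pop()
    records: List[str] = []
    for n, line in enumerate(lines, 1):
        line = _sanitize(line, t)
        if len(line) > t.record_length:
            if not t.truncate:
                raise ValueError(
                    f"record {n} is {len(line)} chars, exceeds {t.record_length}")
            line = line[: t.record_length]
        records.append(line.ljust(t.record_length, t.pad))
    return t.record_sep.join(records)


def records_to_lines(data: str, record_length: int, pad: str = " ",
                     line_end: str = "\r\n") -> str:
    """Outbound direction: split fixed-length records and re-terminate them.

    Trailing pad characters are stripped, so genuine trailing spaces in a
    record are lost; choose a pad the data never ends with if that matters.
    """
    chunks = [data[i:i + record_length] for i in range(0, len(data), record_length)]
    return "".join(chunk.rstrip(pad) + line_end for chunk in chunks)


# Constructed sample: a partner sends CRLF-terminated lines, but the backend
# wants a stream of 80-character records with no line terminators.
INBOUND = "ACCT0001;PAY;1250.00\r\nACCT0002;PAY;99.95\r\n"
TO_BACKEND = Transformation(record_length=80)

if __name__ == "__main__":
    fixed = transform(INBOUND, TO_BACKEND)
    print(len(fixed), "chars in", len(fixed) // 80, "records")
    print(repr(records_to_lines(fixed, 80)))
    print(repr(transform("a\r\nb\n", Transformation(replace={"\r\n": "|"}, remove="\n"))))
```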
Want to write inbound data directly to a database record, or take a field from a database record and send it directly? Not a problem. With a few simple parameters, you can configure the adapter to read and write directly from your database. No intermediate file creation steps necessary.
If you have a one-time or occasional need to send a file containing sensitive information to someone, TDXchange provides a solution in the form of secure ad hoc messaging. Simply log into your mailbox, attach the file, add the recipients, and then send them a one-time password via SMS. The recipients will get a link and can then sign into your TDXchange system via the web to download the file directly from the secure storage area. No partner definitions needed. So whether one-time access or more frequent use is required, TDXchange’s ad hoc messaging is available for you.
The secure ad hoc feature also comes with an Outlook plugin which integrates directly with your desktop. Configure it once and you can then use Outlook to send files securely, small or large, and avoid the file size limitations with email.
If you or your partners want to use cloud storage, like Drive, Dropbox, Box, etc., we have adapters that can send files to them. Plus the files can be encrypted, so even though a file is residing in the cloud, it stays encrypted until your partner retrieves it and decrypts it.
With the TDXchange dashboards, permitted users can monitor and track activity in the file transfer system with both graphical and textual displays. The TDXchange dashboards give permitted users visibility into activity within the entire system, as well as more granular looks at the number of transfers to particular partners, broken down by transport types, etc. This functionality, combined with the notification system, ensures that administrators are up-to-date on system-wide activity at any time of the day.
To make sure that even data-at-rest is secure, TDXchange gives you the option to encrypt your data store, thereby keeping your data safe from view even for persons who have access to the file system. While the data resides there, it is completely private and TDXchange can even be configured to disallow administrators the ability to view the data.
We like to think of TDXchange as a fully featured MFT system, and are also proud of the extra pieces we have added to make the solution work for our customers. These additional features go beyond traditional MFT and provide some nice-to-have tools that can help you in your day-to-day activities.
Kilpatrick Townsend & Stockton and the Ponemon Institute jointly released a study this week pointing to the vulnerability of many companies’ knowledge assets.
The survey summary notes that research “was conducted to determine whether the publicity-accorded data breaches subject to notification laws and related regulatory requirements has skewed the focus of organizations away from the theft or loss of their most critical information, and to provide helpful practices to reduce the risk.”
U.S. data breach notification laws mandate that companies notify customers or related third parties if data that may cause injury can be compromised, typically customers’ financial and personal identifying information.
The regulatory focus on this information can leave many companies’ most important “knowledge assets,” things like trade secrets and corporate strategy, unprotected or undersecured.
Jon Neiditz, co-leader of Kilpatrick’s cybersecurity, privacy and data governance practice, said that data breach notification laws have really steered what company IT professionals recognize as at-risk data.
“What we see is that what we’ve gotten to know as data breaches really, really come to some extent from data breach notification laws,” Neiditz said.
Data breach laws demand that security professionals and IT specialists attend to the security of specific data, often to the detriment of stricter information governance systems. “The compliance requirements were forcing them towards focusing on the information they’re required to protect,” Neiditz said.
Neiditz noted this was a trend revealed in his work at Kilpatrick on company data breaches. While companies may know how to secure information subject to notification laws, other company knowledge assets often lacked appropriate security or oversight.
Larry Ponemon, chairman and founder of the Ponemon Institute, said that many companies fail to address data vulnerabilities to their most valuable information because a fix would require time and costs that they may not want to spend.
“They’re flying with their heads down because it takes real resources to fix the problems, but they’re real problems. The bad guys are becoming much more surgical in their attacks,” Ponemon noted.
While cyberattacks traditionally have worked to bypass company data security without a specific target data set in mind, Ponemon said that hackers are now more methodical in targeting vulnerable company data. Without appropriate information governance structures in place, companies risk their high value knowledge assets being targeted by these attacks, a cost perhaps far higher than that of protecting the data to begin with.
“A small amount of this high value information in the wrong hands could be maybe more costly,” Ponemon said.
Neiditz said that he hopes the release of this research will encourage IT professionals and company leadership to think more strategically and clearly about the kinds of data they need to focus their resources on, not just the data subject to data breach laws.
“The great opportunity for organizations is to recognize that the most critical data that [an] organization has is in dire need of protection, and that’s in part because the focus of information security programs has been kept away from a focus on the most critical information to organizations,” Neiditz noted.
The study finds that strong data governance, especially when aligned with centralized control over knowledge assets and an IT security strategy, can help secure data better.
Although many may be tempted to run out and seek new data security software, the two authors say that comprehensive security changes require some strategic planning.
“There are no really quick and fast solutions. Technology is required to achieve a high level of information governance, but you need more than that, you need people who have the right skills, and you need an organizational culture that says, ‘We really do care about this,’” Ponemon noted.
That said, Ponemon noted that there are some basic things that companies can begin with to secure these knowledge assets, many of which they can do easily with tools they may already be using. Ponemon said that companies should consider things like “blocking and tackling tools, things you should have in place anyway.”
“It starts with information at high value should be encrypted or tokenized or redacted in ways that renders the information useless if someone sees the information even by accident,” he added.
Neiditz says that fixes like the ones Ponemon pointed to, and those highlighted in the report, may just require a rethinking of current data security tools and strategies.
Much has happened in the world of cybersecurity since last we posted. bTrade will be publishing upcoming posts that hopefully will have interest or provide help to our MFT Nation readers. In between MFT Nation posts, you can stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.
For today, let’s touch on the 2016 LegalTech West Coast Conference, which we attended last month. The conference provides a good glimpse into how lawyers and their bright IT professionals are approaching cybersecurity. We’d like to share our thoughts about one particular comment made by an attendee, as it was echoed both during and after the conference.
Cybersecurity is Just Too Darn Difficult and Complex
Here’s the comment which was made in an article published after the conference: “But while law firms, like companies in the financial and healthcare industries, are implementing security practices, ‘when you look outside of those areas, there’s not a whole lot of standards,’ said David Pluchinsk, partner at Beirne Maynard & Parsons.” The article goes on to say: “This, of course, can make cybersecurity a difficult and complex issue for outside and private counsel.”
We understand the feeling. Data breaches have dominated headlines. Due to the prevalence of cyber threats, many organizations in the legal field are feeling a bit overwhelmed and suffering from what has been described as “breach fatigue.” For example, a Los Angeles-based boutique law firm specializing in divorce cases merged with a larger firm because one of the partners couldn’t sleep at night due to worries about cybersecurity.
But fear not, MFT Nation readers. We have some information that can hopefully ease your fears about cybersecurity.
Pursuing the “Holy Grail”
Contrary to popular sentiment, the financial and healthcare industries have not discovered the panacea of cybersecurity standards. The HIPAA standards do not amount to a cybersecurity “how-to” guide for the healthcare industry. For example, this article explains that HIPAA does not explicitly require encryption; in fact, HIPAA doesn’t explicitly require the implementation of any specific security technology. And as this article demonstrates, the apparent abundance of cybersecurity standards in the financial and healthcare industries does not necessarily translate into real “data security.”
Searching for Standards
We disagree with the statement that “there’s not a whole lot of standards” outside of the financial and healthcare industries. It’s simply not true, as evidenced by the following:
- In the FTC v. Wyndham case, a federal appellate court urged entities looking for cybersecurity standards to refer to the “expert views” provided by the FTC, the “agency responsible for administering the statute [which regulates cybersecurity practices].”
- The appellate court in FTC v. Wyndham pointed to one particular brochure prepared by the FTC called “Protecting Personal Information: A Guide for Business,” which the court said contains the “characteristics” of a “sound data security plan.” In it, the FTC provides a clear and well-written list of “5 key principles” to help businesses “regardless of the size—or nature” with data security. The FTC makes a bold statement in the brochure that “the principles in this brochure will go a long way toward helping you keep data secure.” We wholeheartedly agree.
- In this post, MFT Nation discussed some of the key FTC data security standards.
- On the Data Security page of its website, the FTC has a wealth of other helpful information relating to data security standards. Please take advantage of these resources if you are searching for available data security standards. The information is FREE, and as the first paragraph of the FTC’s Data Security page states, it “can help you meet your legal obligations to protect that sensitive data.”
- Another FREE resource is the “Framework” published by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department. NIST describes the Framework as a compilation of “standards, guidelines, and practices to promote the protection of critical infrastructure.” The Framework operates on the principle that one-size-fits-all checklists are inferior to “risk-based” cybersecurity practices. We here at the MFT Nation have written before about the Framework. Suffice it to say that we consider the Framework better suited for larger organizations and advanced cybersecurity practitioners.
Knowing lawyers like I do, I’m sure the search for the “Holy Grail” of cybersecurity standards will continue. Hopefully, the above-mentioned resources will put the industry on the right path.
Contact bTrade for Help
People care about cybersecurity and the impact it has on their lives, both personally and professionally. However, it is one issue over which they feel they have limited control.
Cybersecurity is not an easy thing. But many aspects of running a business are complex and difficult. We don’t want to understate the complexity of cybersecurity. But deal with it like you would any other complex and difficult aspect of your business—get some advice from a subject matter expert/experts and devise a plan/solution that fits your company and budget.
If you need help, contact our data security experts at email@example.com.
Also, to stay current on developments in the world of data security, follow bTrade on Twitter, Facebook, LinkedIn and Google+.
MFT Nation has been following the long-running copyright court battle over Google’s use of Oracle’s Java APIs in the Android software that runs most of the world’s smartphones. Hopefully, the court battle has ended as a U.S. jury found unanimously that Google’s use of Oracle’s Java APIs was protected under the fair-use provision of copyright law.
Oracle said it has “many” grounds to appeal, so it may not view the jury’s decision as the final fight. “We strongly believe that Google developed Android by illegally copying core Java technology to rush into the mobile device market,” Oracle General Counsel Dorian Daley said in a statement.
The trial was closely watched by software developers, who feared an Oracle victory could spur more software copyright lawsuits. Google relied on high-profile witnesses like Alphabet Executive Chairman Eric Schmidt to convince jurors it used Java to create its own innovative product, rather than steal another company’s intellectual property, as Oracle claimed.
Annual “Cybersecurity Assessment” Scores Show that Agencies are Less Secure
The U.S. federal government is the largest single employer in the U.S., with nearly 500 different non-defense/military agencies employing almost 3 million people. The IT infrastructure required for such a monstrous bureaucracy is so incredibly complex that it requires a separate group of IT and cybersecurity professionals, a large portion of which come from the private sector, to oversee and maintain such a web of people and agencies.
The task of auditing the cybersecurity efforts of this sprawling mass of government agencies falls to one agency. Each year, the Office of Management and Budget (OMB), which is itself a large bureaucratic organization, has the task of submitting a report containing a “cybersecurity assessment” score which rates the “effectiveness of information security policies and practices during the preceding year.” This year’s report is a 91-page whopper filled with cybersecurity facts that will make your head swim.
We want to spare MFT Nation readers from having to read the 91-page whopper, so for your convenience, we offer the following highlights:
- The auditors rated each agency’s information security continuous monitoring (ISCM) at one of five levels–ad hoc, defined, consistently implemented, managed and measurable, or optimized–before considering another nine cybersecurity areas such as configuration management, risk management, and security training.
- Last year, eight agencies received cybersecurity assessment scores above 90%.
- This year, only one agency received a score above 90%, and the General Services Administration barely made it above that mark with a score of 91%.
- The Department of Justice (89%), Department of Homeland Security (DHS) (86%), Nuclear Regulatory Commission (86%), and the National Aeronautics and Space Administration (85%) rounded out the five highest scores.
- 13 agencies received cybersecurity assessment scores between 65% and 90%; nine scored lower than 65%; four finished below 50%.
- The State Department has the ignominious distinction of finishing dead last with a paltry cybersecurity assessment score of 34%.
- Overall, the average score for reporting agencies was 68% for the fiscal year, down 8% from the previous year.
- Federal agencies reported 77,183 cybersecurity incidents, a 10% increase over the 69,851 incidents reported in the previous year.
- The FY 2017 budget includes $19 billion for cybersecurity resources, a big chunk of which is slated for “retiring” the government’s “antiquated” IT systems and “transitioning” to “secure and efficient modern IT systems.”
- The government auditors urged government agencies to “streamline governance.” Is that possible?
The bottom line is that many U.S. federal government agencies are not prepared to deal with cybersecurity threats. It’s encouraging to see that $19 billion is budgeted for cybersecurity in FY 2017. But with government, the concern is usually not the amount of money budgeted, but rather how wisely government spends the budgeted funds.
The OMB report contains the following two findings which suggest the U.S. federal government will be unable to meet its cybersecurity goals, notwithstanding the billions of dollars that have been budgeted for the effort:
- “The vast majority of federal agencies cite a lack of cyber and IT talent as a major resource constraint that impacts their ability to protect information and assets.”
- “There are a number of existing Federal initiatives to address this challenge, but implementation and awareness of these programs is inconsistent.”
Without quality cybersecurity professionals, the federal government will never meet its stated goal of strengthening its cybersecurity efforts.