Managed File Transfer Vendor Earns “Excellent Supplier” Rating on ISO 9001 Supplier Evaluation for a Long-Time Customer
bTrade, the industry leading compression and managed file transfer (MFT) provider, announced today that it once again scored well in connection with an ISO 9001:2008 supplier evaluation, this time from its customer, Telered, S.A.
Telered is a Panamanian company that provides Panama’s electronic payments network. The shareholders of Telered are all the major Panamanian banks who demand infrastructure supported by state-of-the-art technology, including bTrade software solutions. Telered maintains connections with many entities, both private (local and international) and public, through a communications infrastructure that transmits the information between the entities and the affiliated financial institutions in a secure and reliable manner. Telered has been a bTrade customer for more than a decade.
Because the Panamanian payments network is certified under the ISO 9001:2008, Telered conducted a supplier audit of bTrade earlier this year. bTrade was rated on key metrics such as experience, performance against competition, product quality, price, and delivery and response to problems.
bTrade is pleased to report that it received from Telered a compliance rating of 98.2%. According to Maria Barrera, a Process Analyst at Telered, the 98.2% score puts bTrade in the category of “Excellent Supplier.”
“It is extremely gratifying to receive this recognition from our customer, Telered, S.A.,” said Steve Zapata, President and CEO of bTrade. “bTrade has always focused on continued quality, and this supplier rating reconfirms our mission to provide our customers with the highest quality products and services possible,” added Zapata.
For more information on bTrade’s solutions and services, please visit bTrade.com.
bTrade develops managed file transfer technology solutions for enterprises that share sensitive data across applications and organizations, and face complex security and compliance mandates. Thousands of customers depend on bTrade solutions to gain control and oversight of the movement of critical corporate data to facilitate data growth, reduce security risk, and improve IT and business efficiency. bTrade was founded in 1990 and is led by eBusiness visionaries who have delivered industry-leading business integration solutions to thousands of enterprise customers worldwide. bTrade is privately held and profitable, with its global headquarters located in Glendale, California, USA.
In an earlier post, MFT Nation critiqued the U.S. Federal Government’s (the “Feds”) recently revised data security policies entitled Circular No. A-130, Managing Information as a Strategic Resource (the “Circular”). In that earlier post, we focused on the not-so-good aspects of the Circular. We also promised to discuss the positive aspects in the future, which is the purpose of this post.
The Feds claim the Circular will “drive the transformation of the Federal Government and the way it builds, buys, and delivers technology by institutionalizing more agile approaches intended to facilitate the rapid adoption of changing technologies, in a way that enhances information security, privacy, and management of information resources across all Federal programs and services.” (This sentence is what an English teacher would call a “run-on” sentence.) To achieve such laudable goals, the Feds say they focused on the following three elements when drafting the Circular:
- Real Time Knowledge of the Environment. In today’s rapidly changing environment, threats and technology are evolving at previously unimagined speeds. In such a setting, the Government cannot afford to authorize a system and not look at it again for years at a time. In order to keep pace, we must move away from periodic, compliance-driven assessment exercises and, instead, continuously assess our systems and build-in security and privacy with every update and re-design. Throughout the Circular, we make clear the shift away from check-list exercises and toward the ongoing monitoring, assessment, and evaluation of Federal information resources.
- Proactive Risk Management. To keep pace with the needs of citizens, we must constantly innovate. As part of such efforts, however, the Federal Government must modernize the way it identifies, categorizes, and handles risk to ensure both privacy and security. Significant increases in the volume of data processed and utilized by Federal resources require new ways of storing, transferring, and managing it. Circular A-130 emphasizes the need for strong data governance that encourages agencies to proactively identify risks, determine practical and implementable solutions to address said risks, and implement and continually test the solutions. This repeated testing of agency solutions will help to proactively identify additional risks, starting the process anew.
- Shared Responsibility. Citizens are connecting with each other in ways never before imagined. From social media to email, the connectivity we have with one another can lead to tremendous advances. The updated A-130 helps to ensure everyone remains responsible and accountable for assuring privacy and security of information – from managers to employees to citizens interacting with government services.
This is all good stuff. Data security policies should focus on real-time knowledge of the environment, proactive risk management and shared responsibility. In fact, bTrade focused on these and other concepts when developing its TDXchange software solution. But again, it’s just amazing the Feds waited until 2016 to come to this realization and finally draft data security policies around these concepts. But I digress. Back to the topic—positive aspects of the Circular.
Appendix I establishes minimum requirements for information security programs and assigns responsibilities for the security of information and information systems. Appendix I requires agencies to do such things as:
- Perform ongoing reauthorization of systems (replacing the triennial reauthorization process) to better protect agency information systems;
- Continuously monitor, log, and audit user activity to protect against insider threats;
- Periodically test response procedures and document lessons learned to improve incident response;
- Encrypt moderate and high impact information at rest and in transit;
- Ensure terms in contracts are sufficient to protect Federal information;
- Implement measures to protect against supply chain threats;
- Provide identity assurance for secure government services; and,
- Ensure agency personnel are accountable for following security and privacy policies and procedures.
Again, this is all good stuff. For many years now, the Feds have required the private sector to incorporate such data security practices into their businesses.
Appendix II outlines some of the general responsibilities for managing personally identifiable information (PII). Appendix II summarizes requirements in the following areas:
- Establishing and maintaining a comprehensive, strategic, agency-wide privacy program;
- Designating senior agency officials for privacy;
- Managing and training an effective privacy workforce;
- Conducting Privacy Impact Assessments (PIA);
- Applying NIST’s Risk Management Framework to manage privacy risks in the information system development life cycle;
- Using the fair information practice principles when evaluating information systems, processes, programs, and activities that affect privacy;
- Maintaining an inventory of PII and reducing PII usage to the minimum necessary for the proper performance of authorized agency functions; and,
- Limiting the creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of PII to that which is legally authorized, relevant, and reasonably deemed necessary for the proper performance of agency functions.
Such data security policies can already be found throughout the private sector. It is the type of ecosystem for data security and privacy which businesses have been recognizing and adopting for many years now. Governmental agencies are being told that they have to develop a culture of privacy and security protection within their organizations and are being given the framework to follow.
The Circular is definitely needed given recent cyberattacks affecting the Feds. In addition, it is hard for the U.S. government to expect businesses in the private sector to do something the government does not do itself.
Let’s hope the Feds don’t go another 16 years until the next update.
The year 2000 was also a memorable time for the IT world. We survived the feared Y2K problem, but the dot-com bubble was about to burst. Google was just a baby and desktop computers dominated the IT landscape.
But the year 2000 is significant in another respect—it was the last time the U.S. federal government (the “Feds”) reviewed and updated its data security policies. We kid you not. Until recently, the Feds were relying on 16-year-old data security policies. As you might expect, the policies contained antiquated notions of data security, including one that listed “password protection” as the only “effective security technique.”
The good news is that the Feds recently reviewed the outdated policies and have released a revised version entitled Circular No. A-130, Managing Information as a Strategic Resource (the “Circular”). The impetus for the Circular, according to the Feds, is the “rapidly evolving digital economy.” If that is true, logic suggests the Feds would have reviewed and updated their data security policies much earlier than they did. The truth is that the Feds were forced to take a more proactive approach to data security after a hack occurred last year at the Office of Personnel Management that was described as the “most devastating cyber attack in our nation’s history.”
Certain statements in the Circular demonstrate an understanding by the Feds of the gravity of the situation. For example, the Feds state an awareness that IT is “at the core of nearly everything the Federal Government does.” And to their credit, the Feds acknowledge they “cannot afford to authorize a system and not look at it again for years at a time.” Time will tell whether the Feds practice what they preach.
The release of the Circular generated a great deal of attention, but it is really nothing extraordinary. It’s the type of document the Feds have required of private sector organizations for quite some time. For example, the Federal Trade Commission has a document containing a 10-step data security policy guide for businesses, and the Federal Communications Commission created a similar document for private sector businesses entitled Cyber Security Planning Guide. The Circular incorporates the policies from these two documents (as well as a whole lot more, because it’s tough to stop the Feds once they start writing policies).
The Feds have consistently fined businesses for failing to “implement and maintain” data security policies. Similarly, companies have avoided the wrath of the FTC by showing they had established and implemented “comprehensive” data security policies. Talk about hypocrisy: judging private sector businesses by standards with which the Feds had never complied. I guess it’s good to be the king, so to speak.
They claim the Circular will “drive the transformation of the Federal Government and the way it builds, buys, and delivers technology by institutionalizing more agile approaches intended to facilitate the rapid adoption of changing technologies, in a way that enhances information security, privacy, and management of information resources across all Federal programs and services.” Let’s just say that we are skeptical.
Why? To be effective, policies should be written clearly and concisely, targeted to the end user. Too many policy manuals are ignored or never read because they are too wordy, boring, or confusing. The Circular is all of that. It’s an 85-page monstrosity with a host of problems.
To start with, there are a total of 90 definitions that consume the better part of 12 pages of single-spaced text. To make matters worse, the Circular is replete with general statements of policy, but lacking in understandable specifics. The Circular also points readers to a plethora of other regulations, such as a requirement to “[i]mplement security policies issued by OMB, as well as requirements issued by the Department of Commerce, the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Office of Personnel Management (OPM).” If that weren’t enough, the Circular directs users “to apply the standards and guidelines contained in the NIST FIPS, NIST SPs (e.g., 800 series guidelines), and where appropriate and directed by OMB, NIST Interagency or Internal Reports (NISTIRs).” Good luck with that one!
That said, the Circular has certain favorable aspects that are worth noting. We will discuss this in an upcoming post.
If you have questions about the above content, contact our data security experts at firstname.lastname@example.org.
Also, to stay current on developments in the world of data security, follow bTrade on Twitter, Facebook, LinkedIn and Google+.