Are Internal Controls and Auditing Needed for Managed File Transfer and Trading Community Management Solutions?…Yes!!!

Hanz Jorgensen

Transmitting files, both internally and externally, and from one computer platform to another, is a widely used procedure. The vast majority of organizations do so in multi-system environments, and this file transfer process is often considered to be part of an organization’s “business-critical” operations. Even though a managed file transfer solution could provide an organization with a secure process for transmitting data, many organizations have yet to implement such a process. As the amount of FTP traffic continues to grow, auditing FTP use and enforcing internal controls and procedures becomes more important every day. To identify data security problems before they occur, an effective audit that incorporates best-practice procedures must be performed.

Internal Controls and Auditing

FTP is an extremely convenient means of transmitting data from one system to another. Within many organizations, FTP is an integral aspect of business operations. It is not uncommon for large organizations to make thousands, or even millions, of FTP transmissions daily. Furthermore, because virtually every operating system has a built-in FTP client, FTP makes sending and receiving data easy, and does so at a relatively low cost. For some time, even the most popular web browsers have been supporting FTP connections.

Despite the advantages of low cost and ease of use, the overwhelming majority of FTP transfers are unsecured. This can result in the exposure of login information, as well as unencrypted data traveling in plain text format. The unencrypted data can be captured in a number of ways with relative ease. In addition, the problem is not necessarily limited to the inside of an organization’s network, because all one needs to send data to an FTP server anywhere in the world is an Internet connection.

New compliance rules have been established which direct internal auditors to address an organization’s use and management of FTP transmissions. These controls are used to protect individuals from unknowingly disclosing information, regardless of the sensitivity of the information. The compliance landscape is evolving due, in part, to the alarming number of recent data breaches. This increase has created a pressing need for companies, as well as internal auditors, to look at data security procedures and address the exposure which is inherent in FTP.

Of course, this can be a daunting task, and many organizations do not even realize the magnitude of the problem. It can literally take weeks for auditors working in conjunction with network administrators and other IT staff to identify and locate all FTP servers. Companies can have hundreds, if not thousands, of rogue FTP servers in place which are unknown and unmanaged.

The Recommendation and Solution

The solution to this monumental problem is actually quite simple: a centralized solution which utilizes a secure FTP protocol (SFTP or FTPS) and has the capability of real-time monitoring, alerting, and automation. Merging all traffic to a central repository has many obvious benefits from an administrative standpoint, but it will also facilitate end-to-end auditing. It will also provide a common time zone when comparing file transfer activity across an enterprise which may have servers operating in different time zones. Should the need for an audit arise, all activity across the enterprise can be logged and archived in one place, which keeps the audit simple.

The transmission of all data using a secure connection should be an organization’s primary goal. Network and packet sniffing tools will not be able to access data when a secure FTP connection is used. An FTP server (such as the one used within secureXchange) which supports Secure Sockets Layer and/or Transport Layer Security connections will ensure that login information as well as data are not accessible. Additionally, managed file transfer solutions support a wide variety of protocols for transmitting private documents via the Internet or for ensuring privacy between applications.

Monitoring all transmissions in real time enables an organization to generate alerts when suspicious activity occurs, and to control overall automation efforts. This can be extremely useful in identifying hacking attempts, unapproved or unsecured transmissions, and any failed transmissions which may affect business-critical processing. Alerts can be used to escalate problems for human intervention or just to notify the appropriate people or departments upon the successful or failed completion of a file transmission.
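The following sketch illustrates the two ideas above, a common time zone for the central audit trail and alerts on unsecured or failed transmissions. It is an added example, not code from secureXchange or any other product; the pipe-delimited log format, server names, and alert labels are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample records from three servers logging in local time.
# Assumed format: server|ISO timestamp with UTC offset|protocol|user|file|status
SAMPLE_LOGS = [
    "nyc-ftp01|2024-03-04T09:15:00-05:00|SFTP|svc_payroll|payroll.csv|OK",
    "lon-ftp02|2024-03-04T14:10:00+00:00|FTP|jdoe|customers.xlsx|OK",
    "tok-ftp03|2024-03-04T23:12:30+09:00|FTPS|svc_edi|orders.edi|FAILED",
    "nyc-ftp01|2024-03-04T09:20:00-05:00|FTP|unknown|dump.zip|FAILED",
]

SECURE_PROTOCOLS = {"SFTP", "FTPS"}  # the secure options named in the article


def parse_record(line):
    """Parse one record and convert its local timestamp to UTC."""
    server, ts, proto, user, name, status = line.strip().split("|")
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return {"server": server, "utc": when, "protocol": proto.upper(),
            "user": user, "file": name, "status": status.upper()}


def merge_timeline(lines):
    """Merge records from all servers into one UTC-ordered audit trail."""
    records = (parse_record(line) for line in lines if line.strip())
    return sorted(records, key=lambda r: r["utc"])


def alerts_for(record):
    """Return the alert labels (hypothetical names) raised by one transfer."""
    alerts = []
    if record["protocol"] not in SECURE_PROTOCOLS:
        alerts.append("UNSECURED_TRANSFER")
    if record["status"] != "OK":
        alerts.append("FAILED_TRANSFER")
    return alerts


def audit(lines):
    """Return (timeline, findings); findings are (utc_iso, server, alert)."""
    timeline = merge_timeline(lines)
    findings = [(r["utc"].isoformat(), r["server"], a)
                for r in timeline for a in alerts_for(r)]
    return timeline, findings


if __name__ == "__main__":
    timeline, findings = audit(SAMPLE_LOGS)
    for when, server, alert in findings:
        print(when, server, alert)
```

Sorting the same records by their local timestamps would place both New York transfers first; after conversion to UTC the London transfer is the earliest event, which is the ordering an auditor needs when reconstructing activity across sites.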

Managed file transfer solutions, such as secureXchange, can be a strategic solution for an organization to comply with new and ever-changing security standards, while also simplifying the administrative efforts for internal and external data exchange. secureXchange can also provide real-time monitoring and alerting functionality which benefits the organization on many levels, while doing so from a centralized location.

If you want to learn more about the managed file transfer process, or how you can better protect your data, please contact us at