For those who read this blog, the managed file transfer process is no doubt very important. Equally important to the managed file transfer community is how the Executive Order on Improving Critical Infrastructure Cyber Security will affect the landscape of the managed file transfer process.
Last week, the National Institute of Standards and Technology (NIST) held the first in a series of workshops as part of efforts by the Commerce Department to implement the Executive Order. The workshops are open to all interested individuals from both the public and private sectors, and are intended to drive discussion toward the development of a voluntary framework for reducing the nation’s vulnerability to cyber risks.
Some in the managed file transfer community were expecting that the workshops would lead to a new, comprehensive framework pertaining to information security. But based on comments made during the workshop, it appears that the eventual framework will consist of already existing managed file transfer standards. Why do I say this? Because of the following statement made by Patrick Gallagher, Director of NIST and Under Secretary of Commerce for Standards and Technology, during the workshop: “The framework will probably be a set of references to existing standards.”
So what “existing standards” pertaining to managed file transfer might eventually be used in the framework? Certain publications were suggested at the workshop, including the Payment Card Industry Data Security Standard (PCI-DSS); NIST Special Publication 800-30, 800-39 or 800-53M; SANS’ 20 Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines; ISACA’s COBIT 5 IT governance framework; and the ISO 27000 series. If you take the time to review these publications, you will see that each contains a host of potential standards suitable for the cyber security framework. But I suspect many of you don’t have the time, so allow me to provide a summary of concepts that likely will and will not be included in the eventual framework.
IT professionals, including those in the managed file transfer community, want to develop information security standards covering such things as secure firewalls, authentication of data using secure passwords and PINs, protection of data wherever it is stored, effective encryption to secure data transmitted through public networks, implementing strong access control measures, and having visibility into the information security system.
What that means is that managed file transfer solutions will need at least the following features/functionality:
· Dashboards and Reports (real-time monitoring)
· Auditing and tracking of messages
· Alerts and notifications
· Authorization (system access based on identity)
· Archiving and purging (active logging)
· Support for multi-tiered networks; DMZ and internal network components
· Compliance with secure protocol standards
· Cross-platform compression, encryption and authentication
Business professionals are urging that IT security must be balanced against business concerns (i.e., a company’s bottom line). There seems to be agreement among all involved that a “checklist” approach, like that in PCI-DSS, is not the best alternative. Business professionals want a risk-based system that is flexible, scalable, and not complex. Also, several business leaders who spoke at the workshop felt that the development of a meaningful set of metrics could provide the needed value proposition to encourage businesses to adopt a framework.
We will continue monitoring the situation with the Executive Order and keeping you updated on developments. In the meantime, feel free to contact us at firstname.lastname@example.org if you have any questions, or if want our data security experts to analyze your infrastructure to determine how best to protect your valuable and confidential data. bTrade is a pioneer in the data security and managed file transfer fields, and our managed file transfer software solutions address the needs mentioned above by both the IT and business professionals.