Archive for the ‘data governance’ Category

Data Governance is for Everyone!

What does “Data Governance” even mean?

In a vacuum, data governance is simple. It’s the process of managing data to accomplish certain objectives. Often these objectives are related to security, privacy, or compliance with external regulations. The term is also associated with responsible management or stewardship of data.

The concept becomes more complex when it is applied across industries or use cases. The scope and impact of data governance is wide-ranging and far-reaching, which can make applying data governance strategies more complicated.

This is especially true for enterprises that already handle huge amounts of data and are examining data governance options to address compliance needs. Increasing regulations worldwide make it so that few businesses can escape the web of compliance requirements.

Data Governance is so much more than complying with regulations though. Read on to find out if you could benefit from a data governance strategy. (hint: you probably can!)

Do I need Data Governance?

  • Do you handle data that could be used to identify clients or customers?
    • Anything from full names, ages, family members, credit card numbers, social security numbers, license plates or VIN, transaction records, prescriptions, doctor-patient information, policy and account numbers, and so much more!
  • Do you work in a highly regulated industry like Defense, Healthcare, or Finance?
  • Do you store proprietary or business-critical information, plans, schematics, technology, or logistics details?
  • Are you subject to large-scale/international regulations like GDPR?
  • If your data was compromised because of a virus, breach, ransomware, or leak, could you face fines, legal penalties, or significant loss of profit?
  • Are you subject to internal or external audits of your data or processes?
  • Are you trying to leverage data insights to grow your business or build market resilience?

If you answered yes to any of these questions, good news! A data governance strategy can be of help.

Learn more about data governance models, how to build one for your business, and how FileCloud can help with our whitepaper

build data governance strategy FileCloud

Turn Your Data Governance Nays into Yays!

You’re on board with building up your data governance: improving security, addressing compliance needs, and future-proofing your business. Sounds optimal, right? But now you have to convince everyone else.

This could be the most difficult part of implementing a data governance strategy. We’ve assembled a few of the most common barriers to data governance and shown how you can knock those barriers down.

Implement Data Governance

Data Governance/Compliance is too hard!
Recognize that Data Governance is about proactively creating business value and future-proofing data security, rather than reactively complying with external controls. It’s an investment that pays off.

I don’t know where to start.

Identify meaningful tools that will integrate with existing IT or find a new system that can simplify your data governance tasks. Investing now will improve efficiency of business operations and protect future data assets.

Shouldn’t IT handle this?

Take ownership of the Data Governance model. For data governance to succeed, everyone must be involved from the ground up in the data lifecycle (not just the IT department).

I’ve already tried, and it didn’t work.

Don’t try to take on all of your data at once. Start with your most important data and empower your teams with training and communication. Remember that implementing a new system will take time. Once everyone is comfortable with the governance strategy, you can always scale up.

Take Control of Data Governance with FileCloud

FileCloud is a Content Collaboration Platform (CCP) that specializes in hyper-security and data governance. With standard and enterprise options for on-premises or cloud systems, you can rest assured knowing you have the tools to safeguard and govern your data to comply with regulatory requirements and build business value.

Check out our whitepaper for an in-depth review of data governance models and strategies. Read on to discover different tools in FileCloud that can help support your data governance objectives.

Hyper-Security

FileCloud supports a multi-tiered approach to security, including automatic antivirus scanning upon upload, ransomware and malware prevention, integrations with security event and incident management (SIEM) software, and implementation of REST APIs for precise data management functionality.

Admins can set additional login requirements through Single Sign-on (SSO) and two-factor authentication (2FA) or integrate with Active Directories. File locking and unlimited file versioning ensure that data is preserved internally, so that collaboration never leads to data loss or overwrite.

FileCloud also uses advanced encryption modules, including AES 256-bit encryption for data at rest, SSL/TLS secure tunnels for data in transit, and FIPS 140-2 encryption certification. Bring Your Own Key policies mean clients can leverage site-specific, managed encryption keys in a multi-tenant setup.

Granular Sharing and User Policies

Admins and users can utilize granular sharing options to ensure only specified information is distributed, whether that information resides in a folder, sub-folder, or a specific file. Share links can be sent as public or private (password protected) with varying degrees of permission (read, write, download, share).

Shares can also be set to expire after a certain time. Furthermore, access permissions within the system can be set according to user, group, and global policies. Admin access can also be fine-tuned through role-based access controls (RBAC).

Retention Policies

Retention policies are a critical element of data governance. With an enterprise FileCloud license, you can leverage a hierarchical list of retention policies to meet the distinct needs of your organization.

Admins can automate retention processes to secure and manage digital content more consistently and to meet industry or regulatory standards. Available policies include:

  • Admin Hold: Outranks all other policies and prevents any update or delete of digital content for an indefinite period of time.
  • Legal Hold: Freezes digital content to aid discovery or legal challenges. During a legal hold, file modifications are not allowed.
  • Retention: Identifies digital content to be kept around for an unlimited amount of time before being deleted or released.
  • Archival: Moves and stores old organizational content for long term. No Deletion is allowed until a specified time period is reached. After this time, content gets moved to a specific folder.
  • Trash Retention: Can be configured for automatic and permanent deletion of all files in the Trash bins or to expire with no actions.

Content Classification & DLP

Classification is a major component of data governance. With FileCloud, admins and users can leverage either default or custom metadata tags to support the content classification engine (CCE).

FileCloud’s smart CCE automatically sorts uploaded content, enabling improved search optimization (including e-discovery and pattern search for GDPR compliance).

With a classification system in place, admins can also leverage FileCloud’s Data Leak Prevention (DLP), which uses a system of rules and metadata to guard against unauthorized sharing or access. The DLP expression builder ensures even team leaders and managers without an IT background can set up the rules they need to secure their data.

Comprehensive Reports & Audit Logs

FileCloud offers various administrative features to maintain user control over data such as file analytics and reports, as well as detailed, unchangeable audit trail logs.

These logs capture who (username) did what (access, modify and delete) to what data (files/folders), when (timestamp), where (IP address), and how (web, mobile, sync client and drive). Admins can search transactions and export audit logs as CSV files for detailed analysis.

 

Endpoint/Remote Device Management

Endpoint device management provides an inventory of all the devices connected to the FileCloud system such as computers, laptops, and smartphones. Administrators can remotely block users or even wipe data on any connected device. The Access Map in the Admin dashboard provides a unique view of connected IP addresses (Geo-IP) to support identification of suspicious activity.FileCloud Admin Dashboard

Compliance Center

FileCloud’s Compliance Center organizes security and sharing features listed above into one streamlined interface to support your compliance needs. System administrators can follow FileCloud’s specialized configurations for ITAR, GDPR, and HIPAA to apply the necessary security and sharing settings.

Individual rules can be enabled or disabled to reflect the existing governance and compliance protections in place, and linked documentation provides more information on what the requirement is and how FileCloud supports compliance.

Digital Rights Management (DRM)

DRM prevents unauthorized sharing, screenshot capturing, copying, or printing of intellectual property including contracts, sales/marketing reports, eBooks, training materials, and other sensitive documents.

For even greater control, files can be shared through a secure viewer, where only specific elements will be visible. Password requirements ensure only authorized users access shared information, and download limits curtail the distribution of materials. Share links and permissions can also be updated and access revoked at any time.

FileCloud DRM

Conclusion

In reality, data governance can be tricky, intimidating, and even expensive. But it doesn’t have to be. FileCloud can help set your worries and woes aside, thanks to its intuitive user and admin interface, automated tools like metadata, Smart Classification, DLP, and retention policies, compliance support through the Compliance Center, and a hyper-secure platform.

Find out today if FileCloud is right for you by taking the tour or signing up for a free trial!

 

~By Katie Gerhardt, Digital Content Specialist

 

Data Residency – Laws and Requirements

Data Residency

Data residency defines in which country the organization’s data is stored (physically or geographically).

Most often businesses have to operate under local regulations, which require that data about nations’ citizens or residents must be collected, processed, and/or stored inside the country. It mainly happens due to regulatory, tax, or policy reasons.
Data can still be transferred – after meeting local privacy or data protection laws, such as giving the user notice of how the information will be used and obtaining their consent.

Data sovereignty, data residency, and data localization could be mixed up and could cost your business when it comes to regulation breaches. You need to differentiate these three terms. It’s also important to understand how they affect your data.

Data residency refers to where the data is stored by a business, industry body. The government enforces regulations that they are to be stored in a geographical location of their choice, usually for regulatory or policy reasons.

Data sovereignty is not just about the data stored in a specific location but is also about the laws of the country in which it is physically stored. Data subjects will have different privacy and security rules enforced according to where the data centers housing their data are located.

Data localization states that data created within certain borders stay within them. In contrast to Residency and Sovereignty, it is always applied to the creation and storage of personal data, with exceptions including some countries’ regulations over tax, accounting, etc.

Where are each category of data (personal data, financial records, etc) created or processed and what obligations might this bring? Where is it stored, and who owns the data center?
What are your procedures for backup? Where is your data backed up to?
How have they documented and provided proof that their data centers meet all your local and global privacy needs?

 

Data Residency Laws around the World

Data localization can be exclusively required by law or other restrictive policies that make it difficult to transfer data. It requires companies to store a copy of the data locally, process data locally and mandate individual or government consent for data transfers.

Let’s have a closer look at some data residency requirements examples by country.

 

https://cdn.incountry.com/wp-content/uploads/2020/09/Learn-more-about-countries-with-data-regulations.png

 

Australia

On 1 July 2020, the consumer data right went live for limited data sharing in relation to the four major banks. The remaining banking data subject to CDR must be available for sharing by those big four banks from 1 November 2020. By the regulations of the Personally Controlled Health Records Act, all personal medical information in Australia has to be stored in local servers.

Canada

Canada requires public bodies like schools, public agencies, hospitals, etc to store their personal data within the nation’s borders where the data can only be accessed from within the country.

China

China has one of the strict data residency and localization laws. In addition to restricting access to certain websites (the Great Firewall of China), organizations also have to comply with a wide range of data residency practices. For instance, banking services in China have to place their data servers in the Asian nation. Also, Chinese personal financial information can only be analyzed, stored, and processed locally. The data of internet-based mapping services, medical and health records, have to be kept in China. Companies must also comply with a cybersecurity law that prohibits personal information and important business data from leaving the country.

France

Data produced by local and national public administrations have to be stored within the country’s borders. It is also illegal to move information that is connected to legal proceedings outside of the nation.

Germany

Germany has similar views on data residency as France, acting on the idea of personal information stored locally within its borders. While data residency laws can vary by state, all organizations within Germany have to store accounting data in the EU. Organizations and individuals liable for taxes have to keep their accounting records within the country’s borders

Russia
Russia has enforced strict data residency and localization laws. As per the 2015 Personal Data Law, personal information collected from Russian citizens is required to do all their data-related operations using databases that are physically located in Russia. It requires Telecom companies to store all data in the country for six months.  The Russian government could impose a fine or shut down the services that fail to comply with data residency laws.

India

The government first enforced its Personal Data Protection Bill in Parliament on Dec. 11, 2019, after more than two years of debate on the bill. According to the new Indian bill, to collect personal data, establishments classified as data fiduciaries must obtain consent from the individuals whose data is in question. Data collectors are also subject to many new reporting requirements. The bill imposes additional requirements, obtaining parent or guardian consent for the collection of data belonging to children. The biggest concern about the bill among activists is the exemptions granted to the government for data collection. Data protection bill states that exceptions can be made to data collection whenever the government feels that it is “necessary or expedient” in the “interests of sovereignty and integrity of India, national security, friendly relations with foreign states, and public order.”

 

Data Residency with FileCloud

FileCloud offers data residency options, giving options to customers to select the region of their choice for storing and processing data. FileCloud offers 100% flexibility on where to store and process data. It can be deployed as a private hosting setup or hybrid cloud on an infrastructure that customers control. You can pick the infrastructure and location where FileCloud runs, which helps to comply with many growing strict regional privacy requirements like the European Union.

FileCloud will help you comply with the regulations required in your specific industry or vertical. The growing requirements for securing corporate privacy and keeping multi-level threats at bay require a strongly compliant File Sharing and Sync solution.

FileCloud has On-Prem, self-hosted solution, so you pick the infrastructure and location where FileCloud runs, which helps to comply with many growing strict regional privacy requirements like the European Union. FileCloud Online allows customers to choose the region of their choice for file storage.

FileCloud comes equipped with state of the art infrastructure and features :

  • Secure servers: The data is stored in remote secure servers which are maintained by dedicated teams for the security of data.
  • Automatic Backups: The data is regularly backed up automatically at regular intervals thereby ensuring the latest data files are available to the users.
  • Recover Deleted files: The deleted files and folder can be easily recovered by the user thus ensuring no data gets lost.
  • Secure File sharing: Files can be easily shared with FileCloud’s cloud storage services. The user can share files publicly or privately depending on the requirement.
  • Affordable: FileCloud provides its user with the best online cloud storage services which are secure as well as affordable for businesses.

Record Retention for FINRA with FileCloud

According to FINRA Rule 4511(b), all firms are required to retain FINRA records and books, for at least six years provided they do not have a specified retention period under FINRA rules or applicable Exchange Act rules.

Firms are encouraged to divulge in a retention platform that will help them to meet five fundamental ask of FINRA practice:

  • Immutability – The final version of the e-records should be written to unchangeable storage such as a WORM (write once, read many).
  • Discoverability – The documents/records must be indexed in a way that makes it easy and fully searchable by the metadata and key attributes so that any information can be easily retrieved and reviewed.
  • Auditability – Every event that occurs in the document/record starting with the first writing of data to the time it is destroyed, should be logged and recorded.
  • Retainability – The platform should be able to save different versions of the records.
  • Destructibility – The record-retention policies should entail the details of the method of deletion and how many times the platform would be overwritten to delete any trace of data.

Features offered by FileCloud for FINRA

The five core essentials needs of the FINRA  follow the NIST Cybersecurity Framework of Identify, Protect, Detect, Respond, and Recover the data.

  1. Identify –Where do you store or use PII like social security numbers, date of birth, etc for your business? FileCloud will assist you to easily access and identify these risk inventories with the metadata tags and federated search. So you can control and restrict the use of data with unauthorized entities.
  2. Protect – Protect your data with end-to-end encryption, antivirus, and ransomware protection. You can also monitor and control the access to sensitive data for authorized personnel only with the help of FileCloud
  3. Detect – FileCloud keeps track of complete audit logs like what is it, who accessed it, where was it accessed from, and when. Receive detailed analytics and logs of file uploads, downloads, deletions, and previews using FileCloud.
  4. Respond –  FileCloud can enable you to protect file records from unintentional deletion and corruption. If a user deletes any sensitive files accidentally, FileCloud can be configured to send email alerts to administrators and supervisors who can then retrieve the said data.
  5. Recover – FileCloud features the most nimble data storing, archiving, and retrieving settings in the industry, helping customers and solution providers in creating a compliant-ready content management platform.

FileCloud helps you with addressing these rules with the following features

 

Private Shares

File sharing in FileCloud allows users to provide public or private access to files stored in the Server with various levels of access privileges.

Private Share FINRA

Back-Up

Create a copy/back-up of your entire server installation with FileCloud

Backup FINRA

 

Federated Search

FileCloud includes searching the whole FileCloud ecosystem for files and folders with the Federated Search feature.

Federated Search

Recycle

Recover the deleted files using FileCloud,if you have accidentally deleted the file. You can retrieve it from the Deleted files section provided the administrator has enabled this feature for you.

Deleted Files - FINRA

 

Secure Your Files

Uploaded files are checked for malicious content in the form of viruses, trojans, malware, etc. as FileCloud readily integrates with a variety of non-commercial and commercially licensed antivirus solutions available in the market.

Antivirus FINRA

Retention Policies

Retention policies can be created and attached to files and folders using FIleCloud. These policies will allow you to define the conditions that enforce a set of rules on how each file or folder can be manipulated.

Retention Policies

 

Audit Logs

You can use FileCloud audit logs to quickly see what has changed on your FileCloud Server site.

Audit Logs- FINRA

GDPR Compliance with FileCloud

Quick Refresher on GDPR

The General Data Protection Regulation or commonly known as GDPR is a broad set of rules ensuring data protection of all individuals within the EU. GDPR rules apply not only to companies located in the EU but all companies dealing with data of EU residents. Violation of GDPR may cost companies penalties of 4% of their revenue. The regulations were enforced on May 25th, 2018.

The GDPR is derived from a number of data protection principles. These principles outline the rules that organizations must follow when they collect, process, and store an individual’s personal data.

  • Consent and Transparency – When data is collected, organizations must be clear about why it’s being collected and how it’s going to be used. If the user requests information regarding the processing of data, then organizations should provide this in a timely manner.

  • Purpose limitation – Organizations must have plausible reasons for collecting and processing personal data. The data can be used only for the said purpose and should not be processed for any other use unless the user has provided their explicit consent.

  • Data minimization – According to GDPR, data must be relevant and limited to what is necessary for which they are processed. This means that organizations should only store the minimum data required for their purpose.

  • Accuracy – Personal data must be accurate, fit for purpose, and up to date. The organizations should regularly review information held about individuals and delete or amend inaccurate information accordingly. Users have the right to rectify or erase inaccurate and unnecessary data within 30 days.

  • Storage limitation – Once the data serves its purpose for which it was collected, it should be deleted or destroyed unless there are other grounds for retaining it. The GDPR does not specify how long you should store the data.

  • Integrity and Confidentiality – Your organization must ensure that all the security measures are in place to secure the personal data you store. This could be from internal threats such as unauthorized use, accidental loss, or damage, and external threats such as phishing, malware, or theft.

  • Accountability – This principle states that organizations must take responsibility for the data they hold and demonstrate compliance with the other principles. This means that organizations must be able to provide evidence of the steps they have taken to demonstrate compliance.

Key Updates on GDPR

GDPR hasn’t been the same since it’s enforced in 2018. Here’s a quick update of what has happened since it came into effect.

1. A broader definition of Joint Controller – A joint controller is a group of controllers that jointly determine the purposes and means of processing. According to CJEU, when you process customer data, you along with your fellow joint controller(s) will decide and manage each step so you’re compliant with the GDPR. You both are equally responsible to ensure the entire process is  GDPR compliant. Both of you are accountable to the data protection authority.

2. Privacy Shield is Invalid – the EU-US Privacy Shield lets companies sign up to higher privacy standards, before transferring data to the US. The agreement governing the transfer of EU citizens’ data to the United States has been struck down by the European Court of Justice.

3. Cookie Consent –  In May 2020, the EU updated its GDPR rules which also included these cookie consent points

  • Cookie walls should not be used
  • Consent must be explicit, scrolling or swiping a website does not imply consent.

4. The Big Fines –  The French data Regulator has fined google 50 Million euros for lack of transparency and valid consent. The UK ICO fined Marriott International Inc. £18.4m for not ensuring 339 million guest records security. They have also fined British Airways £20m for a data breach of 400,000 customers’ personal data.

Implementing GDPR with FileCloud

User Consent

Reconsider how you are collecting personal data. Are you buying mailing lists? Then it is time to start fresh with a new mailing list that you have procured from informed customers and have consent for collecting their e-mail addresses. You can still acquire users or convert visitors from your website. It can be done by allowing visitors of your website to add themselves to your mailing list using a signup form. While getting consent, make sure you provide a link to your privacy policy which informs people exactly what you will do with the collected data.

In FileCloud, an administrator can enforce privacy settings, so that a user sees an I agree to Terms of Use.

To view the actual terms of service, users should click I agree to Terms of Use.

User Consent
User Consent

Right to Access

This is one of the important rights that the GDPR has set for the users. This basically means data subjects at any point, can ask you about the data that has been collected. Moreover, they need to be responded to within a month by the data controller.

FileCloud allows data protection officers to search for user data across all file content and activity logs.

 

Right to Be Forgotten

Under GDPR, users can request the deletion or anonymization of any data that the companies possess on them. FileCloud offers features to delete files. FileCloud also provides a tool for anonymization of any data that companies possess relating to a user, including activities log.

Anonymize User Data
Anonymize User Data

Data Portability

Exporting data from your system should be possible. Commonly accepted formats include  .csv, .pdf or .txt files. This will allow you to manage the portability.

FileCloud allows the export of files in all these standard formats and activity logs in easily readable files. Users can move their files easily from FileCloud.

 

DPOs

The DPO should have a comprehensive understanding of the General Data Protection Regulation (GDPR). Companies having more than 250 employees should assign a data protection officer (DPO) to ensure compliance.

FileCloud has special user types with a subset of admin tools. Organizations can create special user accounts for their DPOs to monitor compliance. You can assign a subset of admin features that you want to for your DPOs.

Data Mapping

The data that is collected, stored, and being processed needs to be categorized. GDPR requires you to ensure that files with personal information have not been shared inappropriately by searching for sensitive information and reviewing who has accessed it. To assess the data path and who has access to data, you need to create a mind map to help guide your processes of GDPR compliance.

With FileCloud, IT and system administrators can now search for common data types. You can easily search using built-in pattern identifiers like e-mail addresses, phone numbers, and credit cards. FileCloud also has templates you can use to search for complex patterns such as license plate numbers, driver’s licenses, and national identification numbers.

Pattern Search Advanced
Pattern Search Advanced

References 

https://www.smashingmagazine.com/2021/02/state-gdpr-2021-key-updates/

https://www.filecloud.com/supportdocs/display/cloud/GDPR+Compliance+in+FileCloud

Choose the Right File Sharing Solution for ITAR Compliance

ITAR (International Traffic in Arms Regulations) is promulgated pursuant to the Arms Export Control Act (22 USC sec. 2751). The regulations are programmed to restrict and control the import and export of defense and military-related items, technologies, and services. Any item or service subject to the regulations must be included on the United States Munitions List (USML), compiled, and maintained by the State Department which is responsible for the administration of ITAR.

ITAR is implemented by the State Department’s Directorate of Defense Trade Controls (DDTC). Items listed on the USML may be shared only with a US person. Any deal involving a non-US person requires either authorization or an exemption from the DDTC.

FileCloud for ITAR is a secure file management solution that offers file storage,  access, and data governance. Custom-tailored specifically for organizations who deal with ITAR
and EAR-regulated data, it offers multi-layer data security, governance, and advanced recordkeeping capabilities. FileCloud is cloud-agnostic, which means you can self-host it on your own IT infrastructure, or choose to utilize our software services.

Basic Principles to Secure your ITAR Data

  • Search and Secure Sensitive Data – FileCloud’s Smart Classification Engine automatically sorts your content into logical categories within minutes. Automate sensitive data discovery with simple rules that make sense to you. Our cloud services are hosted in AWS GovCloud. FileCloud service is managed and supported from Austin, Texas by U.S.-based personnel. FileCloud can also be self-hosted by end-users if they prefer that option over our cloud service.
  • Granular Permissions for Users – In addition to powerful auditing features, FileCloud for ITAR also offers detailed information about downloaded files, user shares, user logins, active users, DLP violations, and statistics for file movement.
  • User Data Access Control – FileCloud offers private-only, time-limited, and view-only access for sensitive documents. You can prevent downloads, and configure custom sharing options with FileCloud’s Smart DLP capabilities and document tags.
  • Audit Reports – FileCloud aims to give you the best possible audit data to satisfy ITAR compliance. With our admin portal, administrators can easily filter and select levels of granularity, as well as use the “Audit” options on our admin dashboards to view the following granular data.

Features of FileCloud for ITAR Compliance

 Own Your Data

Self-host FileCloud on AWS GovCloud or Azure. Control and manage inbound and outbound network traffic, check detailed audit logs to see who accessed the files, and more. Build a robust ITAR compliant file sharing and access control solution with FileCloud.Our cloud services are hosted in AWS GovCloud. FileCloudservice is managed and supported from Austin, Texas by U.S.-based personnel. FileCloud can also be self-hosted by end-users if they prefer that option over our cloud service.

360° Data Security

FileCloud provides multi-level, 360° data protection by bringing revolutionary Data Leak Prevention capabilities to the market. Our simple, flexible, and rule-driven system prevents accidental data leaks from end-users and protects all sensitive data. Unintentional data leaks can happen because of user errors and oversights. Establishing a set of strict policies to prevent data leaks is crucial for ITAR compliance. FileCloud’s Smart DLP offers 360* protection. FileCloud helps in protecting data in compliance with ITAR.

End- to-End Encryption

FileCloud for ITAR offers encryption at rest and in transit using FIPS 140-2 validated cryptography models. The files are encrypted as they are uploaded to the system.
FileCloud for ITAR (Online) offers independent and extensive customer control over encryption keys using AWS Key Management in GovCloud, while our self-hosted option offers complete control over data and encryption keys.

Record Management

ITAR requires that records of transactions and information be maintained for five years from the expiration of the export license or other approval. In the case of an export license exemption, this would be from the date of the transaction. FileCloud for ITAR offers complete content lifecycle management with flexible retention and archival schedules to meet your ITAR record management requirements.

Access and Authentication

Securely access your enterprise data from anywhere using any device – without a VPN. FileCloud offers multiple ways to access your organization’s files securely: web browser, a sync client, a mapped virtual drive, and mobile apps. Authenticate with Active Directory, or create new accounts with FileCloud. 2FA, SAML-SSO, and Smart Card Authentications are supported across all clients (Web, Desktop, and Mobile apps). Set expiration on shared files and set granular file permissions. Revoke data access to reduce the risk in event of a data breach.

A Review of ITAR Features from FileCloud

FileCloud for ITAR security features complies with ITAR document security requirements with features including:
• Encryption at rest and in transit using FIPS 140-2
• Complete, independent control over your content- Own your data
• Supports NIST password standards
• Multi-factor authentication
• Smart, automatic classification of documents according to sensitivity
• Smart Data Leak Prevention
• Control access based on IP filters
• Realtime activity-Audit
• U.S.-based infrastructure operated by U.S. Citizens in the U.S.

Conclusion

Security is important to comply with ITAR compliance and achieving the same efficiency by migrating all file sharing needs to FileCloud is a good bet. FileCloud provides secure data transfer to defense contractors and other organizations.FileCloud also provides the necessary tools for high performance and productivity. The penalties for ITAR violations, both criminal and civil, are substantial. Criminal penalties may include fines of up to a million dollars per violation and 10 years’ imprisonment while civil fines can be as high as half a million dollars per violation. Failure to comply with ITAR may also damage an organization’s reputation and ability to conduct business. The State Department maintains publicly available records of all penalties and violations dating back to 1978. Organizations and individuals run the risk of being completely debarred from exporting defense-related services and items.

Choose the Right File Sharing Solution for ITAR Compliance, Click here

Understanding CMMC Compliance Using FileCloud

CMMC

This post was originally published on April 15, 2021 and updated to discuss CMMC 2.0 changes on April 13, 2022. 

What is CMMC?

CMMC is a certification standard used by the US Government to audit third-party compliance with NIST SP 800-171. DoD third-party organizations have been required to comply with NIST 800-171 since January 1, 2018. However, the U.S. Department of Defense (DoD) has struggled with a low rate of NIST 800-171 compliance across the Defense Industrial Base. 

CMMC was created in January 2020 to address that systemic issue of non-compliance by both primaries and their subs. Furthermore, CMMC was intended to fill a gap in 3rd-party auditing capabilities to support NIST 800-171 compliance requirements, which was not available prior. 

 The first iteration of CMMC (also referred to as CMMC 1.0) was designed with an “assessments framework” in mind. This framework was modeled on five levels of maturity, which are covered in detail below. This is the current operating level of CMMC compliance. CMMC 2.0 has been developed in response to an internal review following public commentary regarding the September 2020 “CMMC 1.0” interim rule.

Following the internal review, the DoD published an Advance Notice of Proposed Rulemaking (ANPRM) on November 17, 2021. The proposed changes comprise CMMC 2.0 and will take effect after the rulemaking process is completed (anywhere from 9 to 24 months from November 2021.) For more information on CMMC 2.0 requirements, check out our blog post.

However, since CMMC 1.0 is still in effect as an interim rule, here is everything you need to know about the requirements and how FileCloud can help meet them. (You can also download our CMMC white paper here.)

Why is CMMC important?

The Center for Strategic and International Studies estimates that the total global cost of cybercrime was is approaching $1 trillion, as of the survey conducted in 2020. The DoD is enforcing a risk-management approach to improve cybersecurity measures of third-party partners by asking them to obtain the Cybersecurity Maturity Model Certification (CMMC). This certification is designed to improve the protection of Controlled Unclassified Information (CUI) and Federal Contract information (FCI), and the certification applies to DoD contractors.

CMMC measures an organization’s approach to protect FCI and CUI. CUI is information that requires protection or audit controls according to federal law, regulations, and government policies. FCI is information provided by or generated by the government under a contract to develop or deliver a product or service to the government, not intended for public release.

Key Takeaways for CMMC

  • All companies conducting business with the DoD, including subcontractors, must be certified.
  • The CMMC is expected to combine relevant portions of various cybersecurity standards, such as NIST SP 800-171, NIST SP 800-53, ISO 270001, and ISO 27032, into one unified standard for cybersecurity.
  • Contractors will be required to be certified by a third-party auditor.
  • Certification levels of contractors will be made public, though details of specific findings will not be publicly accessible.
  • Contractors must clearly document practices and procedures with those requirements that already comply with CMMC practices or processes.

Five Levels of Maturity

Depending on your company and the business you conduct with the DoD will decide which level (1–5) you need.

  • Level 1 – Basic Cyber Hygiene: Includes basic cybersecurity suitable for small companies having a subset of universally accepted common practices. The processes at this level would include some basic performed cybersecurity practices. This level has 35 security controls that must be implemented successfully.
  • Level 2 – Intermediate Cyber Hygiene: Includes universally accepted cybersecurity best practices. Practices at this level should be documented, and access to CUI  will require multi-factor authentication. This level includes an additional 115 security controls on top of Level 1.
  • Level 3 – Good Cyber Hygiene: Includes coverage of all NIST SP 800-171 Rev. 1 controls and additional practices beyond the scope of current CUI protection. Processes at this level are maintained, and there is a comprehensive knowledge of cyber assets. This level requires an additional 91 security controls on top of those covered in Levels 1 and 2.
  • Level 4 – Proactive: Includes advanced and sophisticated cybersecurity practices. The processes at this level are periodically reviewed, properly resourced, and are improved regularly across the enterprise. In addition, the defensive responses operate at high speed and there is a knowledge of all cyber assets. This level has an additional 95 controls on top of the first three Levels.
  • Level 5 – Advanced / Progressive: Includes highly advanced cybersecurity practices. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at high speed. This level requires an additional 34 controls.

5 levels of CMMC

 

17 Domains of Security Requirements

The CMMC model consists of 17 domains, 14 of which are derived from the Federal Information Processing Standards (FIPS) Publication 200 and NIST 800-171

  1. Access Control
  2. Asset Management
  3. Audit and Accountability
  4. Awareness and Training
  5. Configuration Management
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical Protection
  12. Recovery
  13. Risk Management
  14. Security Assessment
  15. Situational Awareness
  16. System and Communication Protection
  17. System and Information Integrity

FileCloud identifies loopholes in critical security controls according to your desired CMMC maturity level for each of the 17 domains and creates clear instructions for both improving your security position and meeting CMMC requirements. We will go through several domains and let you know how FileCloud helps you comply.

Access Control – FileCloud supports integration with Active Directory, LDAP, and SSO. In addition, FileCloud integrates your Network Shares with NTFS permissions to provide you with better access control of the data your users are allowed to view, upload, download, share, sync, or manage. Within FileCloud you can create users and groups and assign permissions and policies to them to allow or prevent them from accessing your data. FileCloud also supports DLP and granular folder permissions.

Asset Management – FileCloud’s Centralized Device Management allows you to view all the devices that have access to FileCloud using our mobile and desktop clients. FileCloud also includes functionality for creating reports of these devices to aid you in creating your inventory report.

Audit and Accountability –FileCloud’s auditing capabilities enable you to review who, when, where, and what is involved each time FileCloud is accessed. FileCloud also supports SIEM (blah) integration. FileCloud’s data governance capabilities allow you to apply multiple retention rules to avoid the deletion of auditable records you want to store in FileCloud.

Awareness and Training –To complement your internal employee training, FileCloud provides you with extensive information about applying best security practices while using FileCloud.  FileCloud also offers end–user training.

Configuration Management- FileCloud contains multiple configuration capabilities including but not limited to centralized device management, content classification, DLP, global policies, specific device configuration policies, Customization, Data Governance, user password enforcement, private sharing permissions, granular folder level permissions, etc.

Identification and Authentication-Besides FileCloud’s proprietary user authentication, FileCloud supports integration with Active Directory, LDAP, and SSO. FileCloud also supports Duo Security integration and 2FA.

Incident Response-FileCloud’s data governance dashboard displays potential rule violations such as DLP violations or retention policy violations. FileCloud workflows enable you to automate report generation, device approval, and other tasks.

Maintenance- Using FileCloud workflows, administrators have the ability to perform automatic maintenance tasks within FileCloud, for example, deleting files after a specified amount of time or disabling users who have not accessed FileCloud in a specific amount of time. FileCloud also supports automatic audit log trimming and exporting to a location defined by the administrator.

Media Protection-FileCloud’s antivirus integration via ClamAV or ICAP protocol enables you to verify the integrity of files as they are uploaded. FileCloud’s DLP provides you with granular control over your data. FileCloud supports in–transit encryption via HTTPS/SSL.

Personnel Security-FileCloud’s smart classification and DLP enable you to classify your data based on DLP rules that deny or allow downloads or sharing.

Recovery- The FileCloud Server Backup tool creates backs up your data automatically.

Conclusion

For your organizations to be CMMC Compliant, they must implement encrypted file sharing solutions. The end-user is responsible for utilizing suitable FileCloud capabilities as well as managing and maintaining the environment where FileCloud is being hosted to ensure the CMMC requirements are being met.

FileCloud is the commercial of the shelf software solution that helps businesses securely share, manage, and govern enterprise content. FileCloud software provides the necessary capabilities for organizations to obtain CMMC compliance.

 

References

Accellion CMMC Compliance Guide. (n.d.). ACCELLION. Retrieved 2021, from https://www.accellion.com/sites/default/files/resources/wp-accellion-cmmc-compliance-guide.pdf

Carey, B. (2020, May 11). Prepare for CYBERSECURITY Maturity Model certification (cmmc). Retrieved April 06, 2021, from https://blog.rapid7.com/2020/04/15/preparing-for-the-cybersecurity-maturity-model-certification-cmmc-part-1-practice-and-process/

Center for Strategic and International Studies (CSIS) & www.mcafee.com. (2018, February). Economic Impact of Cybercrime— No Slowing Down. Retrieved April 6, 2021, from https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/economic-impact-cybercrime.pdf

Cybersecurity Maturity Model Certification (CMMC) (Vol. 1). (2020). Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC.

DoD Cybersecurity Audits are Coming: Here’s how to prepare. (2021). Retrieved April 06, 2021, from https://www.sysarc.com/services/managed-security-services/cybersecurity-maturity-model-certification-cmmc-guide-for-dod-contractors/

 

 

 

 

 

 

Understanding CJIS Policies and Implementation using FileCloud

CJIS Security Policy entails information security requirements, guidelines, and agreements documenting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI). The Criminal Justice Information (CJIS) Security Policy provides a secure model of laws, standards, and elements of published and vetted policies for accomplishing the mission across the broad spectrum of the criminal justice and noncriminal justice communities.

The prime focus of the CJIS Security Policy is to implement the proper controls necessary to secure the full lifecycle of CJI, both at rest and in transit. It applies to a private entity, contractor, noncriminal justice agency representative, or member of a criminal justice entity that utilizes or has access to criminal justice services and information.

Because the magnitude of cyberattacks has increased over the years, CJIS has had to adapt. CJIS came up with a set of standards for organizations, cloud vendors for software as a service (SaaS), local agencies, and corporate networks, etc. These standards must be complied with by those parties to ensure best practices for wireless networks, remote access, data encryption, and multiple-step authentication.

Ground Rules of CJIS

The policies proposed by CJIS encompass best practices in wireless networking, remote access, data encryption, and multiple authentications. Some basic rules include:

  • A limit of 5 unsuccessful login attempts by a user accessing CJIS
  • Event logging various login activities, including password changes
  • Weekly audit reviews
  • Active account management moderation
  • Session lock after 30 minutes of inactivity
  • Access restriction based on physical location, job assignment, time of day, and network address

 

Policy and Implementation Using FileCloud

We will now go through a high-level overview of the 13 policy areas of the CJIS Security Policy v5.3 and how FileCloud will help you implement these

Policy Area 1—Information Exchange Agreements

Organizations dealing with CJI must have signed written agreements documenting the full length of their interaction and the relevant security policies and procedures in place between them to ensure appropriate safeguards. CJIS policy incorporates procedures on how information is handled and what should be in user agreements. Companies and agencies that use CJI must include specific processes and parameters in their information exchange agreements, including:

  • Audits
  • Dissemination
  • Hit confirmation
  • Logging
  • Quality assurance
  • Pre-employment screening
  • Security
  • Timeliness
  • Training
  • Use of systems
  • Validation

FileCloud understands this is a shared responsibility between the parties and has the provision to implement the information exchange policy in the enterprise edition.

Policy Area 2—Security Awareness Training

Basic security awareness training should be given in the initial six months and biennially for all personnel who have access to CJI. Records of individual basic security awareness training and specific information system security training shall be documented and updated. This is the customer’s responsibility to make sure the training is made available to all the personnel having access to the information and keep the training documents up to date.

Policy Area 3—Incident Response

Agencies must incorporate operational incident handling capability for malicious computer attacks against agency information systems to include adequate preparation, detection, analysis, containment, recovery, and user response activities. Agencies must also track, document, and report incidents to appropriate officials. Incident-related information can be obtained from different sources including audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The agency should incorporate the experience from ongoing incident handling activities into the incident response procedures and implement the procedures accordingly.

Policy Area 4—Auditing and Accountability

Agencies must provide for the ability to generate audit records of their systems for defined events. FileCloud Server has extensive auditing support and every operation in FileCloud Server is logged. By providing options to record every action with What, When, Who, and How attributes, FileCloud gives customers the best possible audit data to satisfy CJIS compliance. FileCloud has the capability to record logs of all events, Metadata, timestamps, the outcome of events. FileCloud can also help you create audit reports. FileCloud also has the capability to retain these audit reports/logs for a year or until the information is no longer needed.

Policy Area 5—Access Control

One of the more complex Policy Areas, an Agency’s IT organization, will implement multiple mechanisms addressing login management systems, remote access, virtual private network (VPN) solutions certified to the FIPS 140-2 standard and enact policies and controls for Wi-Fi, Bluetooth and cellular devices.

FileCloud can be used to implement access control policies (identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (access control lists, access control matrices, cryptography). It can enforce a limit of no more than 5 consecutive invalid access attempts by a user, initiate session lock after 30 min of inactivity, automated mechanisms to facilitate the monitoring and control of remote access methods.

Policy Area 6 — Identification and Authentication

Agencies must uniquely identify users and processes acting on behalf of users.

Admins have the ability to set permissions for each individual user. Access permissions are generally enforced uniformly regardless of location and access method (web browser, FileCloud drive, WebDAV, FileCloud sync, mobile/tablet app). Admins can also set an expiration date for a user, after which the user permissions will expire and will no longer have access to the FileCloud system. Admin can also disable the user for a certain period of time. FileCloud password policy management allows admins to set minimum password length for user accounts and account lockout after failed logins. Account lockout prevents brute force password attacks by immediately locking out the access point after multiple failed login attempts.

Most security threats today are a result of compromised user credentials. With FileCloud’s two-factor authentication, users can require an extra 2FA code as part of the user authentication process. The additional login step requires users to verify their identity using a 2FA code sent via email creating a double-check for every authentication.

Policy Area 7 — Configuration Management

The goal is to allow only qualified and authorized individuals’ access to information system components for purposes of initiating changes, including upgrades and modifications. FileCloud system administrators can configure and view the complete list of shares created by users and locked files and folders. The User Shares Report includes information such as user name, location, expiration, and share type (private or public). The User Locks Report provides a list of files locked by users. FileCloud monitors all user logins and activities including deletion, uploads, and downloads. In addition, FileCloud provides tools to filter activities using a date range, user names, and text search.

Policy Area 8 — Media Protection

Media protection policy and procedures shall be documented and implemented to ensure that access to electronic and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting, and storing media.

With FileCloud, you can encrypt Managed Disk Storage for compliance and security reasons. If a FIPS-enabled FileCloud license is installed, there is a new option in the Admin Portal to enable FileCloud to run in FIPS mode in FileCloud Server version 19.1 and later.

Policy Area 9 — Physical Protection

Physical protection policy and procedures shall be documented and implemented to ensure CJI and information system hardware, software, and media are physically protected through access control measures.

FileCloud protects the confidentiality and integrity of your files in transit and at rest.

  • AES 256-bit encryption to store files at rest.
  • SSL/TLS secure tunnel for file transmission.
  • Site-specific, customer-managed encryption keys in a multi-tenant setup. Each tenant gets their own set of encryption keys.

 Policy Area 10—Systems and Communications Protection and Information Integrity

Communications safeguards must be employed to ensure the security and integrity of data across the network both in motion and at rest.

FileCloud security includes 256-bit AES SSL encryption at Rest, Active Directory integration, two-factor authentication, granular user and file-sharing permissions, client application security policies, anti-virus scanning, unlimited file versioning, recycle bin, file locking, endpoint device protection, and comprehensive CJIS compliant audit trail.

Policy Area 11 — Formal Audits

Formal audits are conducted to ensure compliance with applicable statutes, regulations, and policies. These audits will be executed by either the FBI CJIS Audit Unit (CAU) or the state’s lead CJIS Systems Agency (CSA).

Policy Area 12 — Personnel Security

Agencies must provide security screenings consisting of state of residence and national fingerprint-based record checks for all personnel with either physical or logical access to unencrypted CJI. This applies to agency personnel, vendors, and contractors.

Policy Area 13 — Mobile Devices

Long overdue; this section provides detailed guidance regarding employing mobile devices, e.g. cellular-enabled smartphones and tablets. Here you’ll find minimum functions required to manage mobile devices and an introduction to the concept of compensating controls in order to bridge the inherent technical limitations of some devices.

Conclusion

FileCloud Server is the commercial of the shelf software solution that helps businesses securely share, manage, and govern enterprise content. FileCloudsoftware provides the necessary capabilities for organizations to obtain compliance with CJIS. The enduser is responsible for utilizing suitable FileCloud capabilities as well as managing and maintaining the environment where FileCloud is being hosted to ensure CJIS’s requirements are being met. FileCloud aids with your CJIS compliance efforts under the shared responsibility model.

 

References

https://itlaw.wikia.org/wiki/Criminal_Justice_Information_Services_Security_Policy

Finding a Safe Place for Your Data and Software

Data Security

 

Your organization runs on data and software. But this whole IT environment needs to live somewhere. Preferably a safe place that no unwanted people can access.

What options do you have? How should you choose where to host your data and your software?

In this article, we’ll explore these topics in-depth, hopefully giving you that bit of additional information that you need to choose a safe place for your IT environment.

 

Where can you host your software/data?

The traditional way is to host it on your own servers, which is called on-premise hosting.

It’s private by nature because the whole infrastructure is dedicated only to your company. The software literally lives on your own machines, along with the data and all of your intellectual property. Servers don’t need to actually be located at your headquarters, they’ll probably be in a dedicated data center.

The “new” (it’s not that new and pretty much standard by now) way to manage your IT resources is cloud hosting.

It’s public by default because it’s provided by a company like Amazon or Microsoft, whose insane server power is shared by all of their customers. But it can be private because cloud providers offer the option to get a share of their servers dedicated only to your company.

Finally, you can also mix the different options, and then you get hybrid hosting. There are a lot of ways to organize a hybrid solution, with different combinations of hardware and software. Choosing one cloud provider doesn’t mean you can only use that one, you can also combine different services from multiple providers.

How much control do you need?

When it comes to hosting your software and data, available server options generally fall into these categories:

  • Control the hardware, control the software
  • Control the hardware, outsource the software
  • Outsource the hardware, control the software
  • Outsource the hardware, outsource the software

Control the hardware and software

If you need to control and customize the performance of your physical servers, as well as the software that runs them, the go-to choice is on-premise hosting.
Control the hardware, outsource the software

What if you need to control the hardware, but you want the same workload management experience that’s offered by big cloud providers? There are ways to run, for example, AWS services on your own on-premise servers. The offerings in this area vary based on the provider.

Outsource the hardware, control the software

Your server workloads are pretty typical, you don’t need custom hardware for your IT environment – but you want to use, for example, FileCloud to share and manage your organization’s data. You can easily run FileCloud on AWS, as well as other services that you might need.

Outsource the hardware and software

This is probably the most popular solution at the moment for non-enterprise companies. You just spin up a server instance at your favorite cloud provider and manage it using the software tools they provide. Use it to host your data, your ERP system, or your SaaS, without worrying about the server infrastructure.

Comparing hosting options – On-Prem vs Cloud vs Hybrid

On-premise

So far we know that on-premise hosting is private (dedicated only to your company), with your IT environment living on your own physical servers.

But when should you use on-premise hosting? Modern tech companies usually start with the cloud, and move on to on-prem.

Take the case of Instagram, they migrated to Facebook’s infrastructure after FB bought them in 2012.

(but then they also branched out to different data centers around the world to ensure that all of their users have a good experience, so they’re definitely not on-prem only)

Companies and enterprises that have been around for decades tend to go from on-prem to adding a bit of cloud, or migrating to the cloud completely.

Like when AdvancedMD moved to the cloud. AdvancedMD is a healthcare-related provider of digital services that’s been around since 1999, which makes this a great example. The most common argument for on-premise hosting is that it’s the most secure option for highly sensitive data. AdvancedMD runs on healthcare data, which is extremely sensitive, and yet nothing tragic happened when they migrated to the cloud.

As AdvancedMD proves, the issue of security is not that important anymore. Both on-premise and cloud hosting can safely store sensitive data.

So the choice between on-prem and cloud is more about control and/or customization.

For the highest amount of control, and the ability to literally customize every part of your infrastructure, on-prem is the right option. Long-term cost management is easier, however, it takes a large initial cost to build your on-prem hosting from the ground up.

On-prem is also a good option when you have high demands:

  • You’re constantly moving large amounts of data in and out of your servers (cloud providers can charge fees for moving data outside of your cloud),
  • You need the lowest latency possible.

One problem with on-prem is that it’s harder to scale, but you can use a cloud provider to mitigate this issue.

Cloud

You’ve probably heard this, but – there is no cloud, it’s always somebody’s server. It’s a popular saying, but it carries a hidden warning about your data being on somebody else’s server.

How big is the risk that cloud providers will mismanage your data, or give someone else access to it? Unless you’re handing out access credentials to your cloud to everyone you meet, the risk is actually very small.

There is no way cloud would’ve become the new standard for hosting if it were risky. Providers know this, and they’ve put extreme amounts of money into making sure that your resources are safe with them.

Another popular issue that people bring up when talking about the cloud is compliance with standards. But it turns out that cloud providers are surprisingly compliant with cross-industry IT standards, so this issue depends on your unique case.

There is a different, much more real, risk associated with the cloud – cost management.

Sure, at the start you pay much less compared to an on-premise solution. As you keep going, it’s super easy to spin up new services from a cloud provider, especially if you have a huge IT budget.

This is a benefit because you can scale up extremely easily. It’s also a problem because you might end up paying for a lot of unnecessary services.

So if you don’t want to overspend, you need to be very careful about managing your cloud infrastructure.

Choosing cloud isn’t a problem of compliance nor security, but rather a problem of your unique workloads. As we learned above, on-premise can be better when you need to move huge amounts of data regularly, or you need minimal latency.

For example, if your servers are just supposed to do the standard job of serving a website to people online, the cloud is the logical solution. But if you’re building a complex web application that performs difficult computations on large amounts of data, you’ll probably be better off with an on-prem, or a hybrid solution.

Hybrid

And so we arrive at the most common option, hybrid hosting.

The complex demands of enterprise IT environments make it almost impossible to just pick one hosting option and roll with it for eternity.

There are too many considerations:

  • Integrating with legacy software,
  • Speed vs reliability,
  • Location of data,
  • Latency…

… and so on, and different parts of a typical IT environment require varying approaches. For example, a cloud provider might work for your in-house data store, but you still need on-prem servers to run particular applications or legacy software.

Hybrid hosting is a way to address all of this complexity because you can combine multiple options to create the infrastructure that meets your requirements to the letter.

Summary

All in all, there is no silver bullet when it comes to hosting your data and software. The safest place for your IT environment might be at a cloud provider, or on your own on-premise servers. Or both.

It depends on what you need, and it turns out that security and compliance are not the biggest issues when you’re thinking about migrating to the cloud. It’s more about the type of data workloads that you have, and the requirements that result from this.

Hope this article was helpful, thank you for reading!

All You Need to Know About Data Subject Access Requests (DSARs)

What is DSAR?

Data Subject Access Requests (DSARs) are a common requirement in privacy regulations including the CCPA and GDPR. These regulations provide individuals with the right to request a copy of all information a company has about them, make changes to the information, and even demand its deletion.

An individual who makes a DSAR is entitled to receive a confirmation that you are processing their personal data, a copy of that data, your privacy notice, and supplementary information.DSARs aren’t new. Organizations and governments have used them for years. But recent consumer data privacy regulations introduced several changes that made it easier for individuals to make requests. The changes go a long way toward transparency in data processing, but they create some challenges for organizations.

DSARs are not limited to customers; anyone whose personal data you collect — including employees and contractors — has the right to submit one.

Types of Data Subject Requests

DSARs can be grouped into four categories, according to the rights involved.

  • Access Requests

The Right of Access

  • Portability  Request

The Right to Portability

  • Change Request

Right to Rectification

Right to Erase

Right to Request Delete

  • Objection Request

Right to Restriction of Processing

Right to Object Data Processing

Right to Opt-out

Right to Object to Automated Decision Making and Profiling

What Should be in a DSAR Response?

Individuals do not need a reason to submit a DSAR. Subjects can request to see their data at any time. Organizations may only ask questions that verify the subject’s identity and help them locate the requested information.

Steps in DSAR

  1. Get Request
  2. Request Logging
  3.  Identity Verification
  4.  Prioritization
  5.  Data Collection
  6.  Validation
  7.  Communication

Get Request

Unless you give your customers an easy way to submit DSARs, they are likely to use the first company email address they find. It’s smart to have an online DSAR form since it helps ensure that requests go to the correct place and contain all the required information.

 

Request Logging

Assign responsibility for creating and updating a record of each DSAR to an individual or department. You might have them develop a spreadsheet that shows the date of the request, its status, and other essential information for tracking progress.

 

Identity Verification

Verify the identity of the person making the request before responding. You may not ask for protected data you don’t already have, but you can ask the requester to provide personal information you do have to authenticate the request. The data you request for verification must be proportionate to the request.

Prioritization

Process the requests according to factors like complexity or degree of legal or business risk to ensure that work is prioritized properly and ensure that response deadlines are met.

Data Collection

Collect all records containing the individual’s data, along with the following supplementary documentation

  1. Your privacy notice
  2. A statement of the purpose for processing private data
  3. The categories of personal data collected
  4. The recipients (or categories of recipients) with whom you shared the personal data
  5. How long you hold personal data
  6. Advice on any additional rights the user has, such as the right to object to processing or the right to request erasure or rectification or to lodge a complaint with a supervisory authority
  7. Where you obtained the data, if it was not directly from the subject
  8. The existence of any automated decision-making that took place using the data
  9. Security measures you use when transferring data to a third part

Validation

Review each response for completeness and accuracy. You may decide to require review by legal counsel before sending the response to the requester.

Communication

Share the response securely and confidentially with the requester. Remember that you must respond within the timeframe defined by the applicable regulation which is 30 days of the request received.

The Challenge

The challenge, however, is finding the personal information you’re supposed to turn over. There’s been a massive growth in data collection and proliferation over the last decade, but organizations tend to pay little attention to data governance and management. Basically, data is everywhere, but most organizations don’t have it inventoried.

FileCloud Aurora – All About DRM Capabilities

Introduction

In November 2020, FileCloud released update 20.2 – a complete rehaul of our Sync, Mobile and browser UI and functionalities. We at FileCloud have been working on this for a very, very long time, and so we’re incredibly proud to present to you: FileCloud Aurora.

Today, we’re going to be covering one of the most important security functions that Aurora introduces: DRM Capabilities.

For a comprehensive overview of all of FileCloud Aurora’s new features, please visit our previous blog post Introducing FileCloud Aurora!.

Secure Document Viewer

If the new UI was the biggest change in terms of appearance, FileCloud Aurora’s new Digital Rights Management (DRM) capabilities are unquestionably the most significant change in terms of functionality. 

Your data security has always been FileCloud’s number one priority. We’ve got all the files you’re storing with us safe and sound, but what happens when you need to send out or distribute important documents, such as external contracts, reports, or training materials? Our new DRM solution ensures that nothing you send out gets used in a malicious or abusive manner, even after it’s left your system and entered others. 

Our secure document viewer helps you protect confidential files from unsolicited viewing with FileCloud’s restricted viewing mode. Show only selected parts of the document and hide the rest of it — or choose to reveal sections only as the user scrolls, minimizing the risk of over-the-shoulder compromisation.

For more details, read more about the FileCloud DRM solution here

Screenshot Protection

Utilize the Screenshot Protection feature to prevent recipients from taking screenshots of secure information and documents.

This is an option that can be selected when you create your DRM Document or Document Container, and prevents any recipients from taking screenshots of the document. Not only that, the recipient won’t be able to share screens or screen-record to share the documents either, nullifying any chance of your documents being distributed without your permission or consent.

Document Container 

Easily and securely export multiple documents in an encrypted document container (AES 256 encryption), and share it via FileCloud or third party emails. 

DRM Protection

Support for Multiple File Formats

Protect your Microsoft Office (Word, Powerpoint, Excel), PDF, and image (jpeg, png) files, and include multiple types of files in a single encrypted document container! FileCloud’s DRM solution doesn’t discriminate, ensuring all your most regularly used file, folder and document formats can all be easily handled by our containers and viewer. 

Anytime Restriction of Access to Your Files

Remove the risk of accidentally transmitting confidential files and enforce your policy controls even after distribution. You can revoke file access or change view options (screenshot protection, secure view and max account) anytime, via the FileCloud portal.

Thanks for Reading!

We at FileCloud thank you for being a part of our journey to creating the most revolutionary user interface and experience on the market. We’d love to know what you think about these changes. For full information about all these changes, release notes can be found on our website here

We hope that you’re as excited about these new changes as we are. Stay safe, and happy sharing, everyone!