Compliance Center

The Compliance Center enables you to check which regulatory requirements your system meets and which it fails to meet. It also provides information explaining why you haven't met certain requirements, and enables you to configure compliance settings.

The Compliance Center

To open the Compliance Center, in the navigation panel, click Compliance Center.

The Overview tab

The Compliance Center opens to the Overview tab. This tab lists your enabled configurations and recent compliance events. 

The box under Enabled Configurations displays an icon for each compliance and a slider that indicates whether it is enabled. The box for each compliance also indicates the total number of compliance rules being evaluated and how many of them failed the last evaluation.

Filtering Events

You can click filters above the Recent Events list to only display violation or information events, or to only display events for one compliance. For example, you can set the filters so that only informational ITAR events appear.

Compliance Tabs

There are currently compliance tabs for ITAR, HIPAA, and GDPR. Each tab lists the rules for the particular regulation and whether the system is compliant with each rule or has issues.
You can enable or disable each rule, change the settings that are evaluated, and manually mark a rule as compliant in each tab.

Hover over the description under FileCloud Configuration for more details about how to configure the rule's setting. For even more information, click the row's information icon.
If Status indicates that there are issues, click the warning icon to see details of the issue.

How to set up and check compliance

For each type of compliance that you want to manage, follow these steps to enable and configure compliance checking and review your compliance status.

1) Enable compliance checking


  1. In the Admin portal's navigation panel, click Compliance Center.
    The Compliance Center opens to the Overview tab.
  2. Either:
    Under Enabled Configurations, click the slider for a compliance.

    Or:
    Click the tab for a compliance, and click the slider at the top of the screen.

After checking has been enabled for a specific compliance, you can enable or disable checking for each of its rules by toggling the slider to the rule's right. Notice that compliance status is checked as soon as you enable the rule.



Some rules prompt you to enter settings when you enable them. See the next procedure.

When you enable certain rules, a dialog box opens and prompts you to enter a setting before the rule is enabled. You are not required to enter the setting, but if you do not, Status indicates that there are issues.

2) Configure Compliance Settings

You can configure the compliance settings directly from the Compliance Center for any rules with an Edit icon under Actions. When you enable the rule, you are prompted to enter settings, but you are not required to enter them.


After you configure the setting, you can change it by clicking the edit icon in the row for the rule.


For many rules, you must navigate to other pages in FileCloud and configure settings. The compliance tool will verify that the settings are configured correctly when you enable the rule.

For instructions on how to configure the settings, click the Information icon in the row for the rule.

Some rules only need your verification that you are complying with them. Simply enable the rule to confirm that you have complied. 

You have the option of bypassing FileCloud's compliance checking for most rules, so that whether or not the rule would be considered compliant by FileCloud's verification process, Status will display BYPASSED with a green check. 
Note that you cannot bypass rules that only require you to enable them to make them compliant, as there is no validation to bypass.

To bypass a rule, enable it, then click the Information icon, and check Bypass check for this rule and mark as passed.

3) Run compliance checks

FileCloud automatically checks a rule for compliance when it is enabled and rechecks compliance for all rules once per day. If you make changes in your system or want to make sure you have the most recent check, you can manually run a compliance check.

To manually run a compliance check, in the tab for the compliance, click Refresh All.

4) Review compliance status

Review your compliance status regularly to make sure all of your rules remain compliant.

On the Overview tab or at the top of the compliance tab, you can view a summary of the number of rules you have enabled for checking and how many of them failed or were bypassed.



On a compliance tab, you can review whether each enabled rule's compliance check was OK, had issues, or was bypassed by viewing its Status.

If the Status column for a rule displays Issues and an error icon, click on the status to view information about the problem.

Getting more details on how to comply

For basic information on how to comply with a rule, hover over the description under FileCloud Configuration. For more specific instructions, click the Information icon in the row for the rule. To see the text of the rule in the regulation document, click the rule number.

HIPAA, ITAR, and GDPR compliance rules and validation

HIPAA

Rule (click to see text) | Description | Steps for complying | Validation
164.304 Definitions
Identify which files have electronically protected health information (ePHI).

In the Compliance Center, click the Edit button for the rule, and select a metadata set with a tag that identifies ePHI files.

(To carry out compliance, you must use smart classification to apply the metadata tag to ePHI files.)

If the metadata set exists and is enabled, status is OK; if not, status is Issues.
164.306 Security standards: General rules
Allow at least one user access to the Compliance system.
  1. In the Admin portal, go to Users and promote at least one user to an Admin role.
  2. Then, go to Admins and create a role with access to the Compliance Center.
  3. In Admins, add at least one Admin user to the role with access to the Compliance Center.
If one or more Admin users have access to the Compliance Center, status is OK; if not, status is Issues.
164.308 Administrative safeguards. (a)(1)(ii)(A & B)
Confirm that all the FileCloud Compliance HIPAA rules are successful.
Enable this rule once all the other HIPAA rules are compliant.
If all rules are implemented and the status of all rules is OK, then the status of this rule is OK; if not, status is Issues.
164.308 Administrative safeguards. (a)(1)(ii)(D)
Implement a procedure to regularly review system activity records.
In Settings > Admin, check Send Admin Governance Report Emails.
If the Send Admin Governance Report Emails setting is enabled, status is OK; if not, status is Issues.
164.308 Administrative safeguards. (a)(3)(ii)(A)
Allow users to log in to access FileCloud content based on location or IP address.
Click the Edit button and select a DLP rule that blocks users from logging in from outside locations.
If the DLP rule exists and is enabled and GeoIP is not disabled, status is OK; otherwise, status is Issues.
164.308 Administrative safeguards. (a)(5)(ii)(B)
Configure Anti-Virus protection against malicious file uploads.
  1. Go to Settings > Third Party Integration > Anti-Virus.
  2. Configure an Anti-Virus.
If an Anti-Virus is configured, status is OK; if not, status is Issues.
164.308 Administrative safeguards. (a)(5)(ii)(C)
Monitor log-in attempts.
  1. Go to Settings > Admin.
  2. Set Audit Logging Level to REQUEST or FULL.
If Audit Logging Level is REQUEST or FULL, status is OK; if Audit Logging Level is OFF, status is Issues.
164.308 Administrative safeguards. (a)(5)(ii)(D)
Set up password management procedures.
  1. Go to Settings > Misc > Password.
  2. Configure the settings as follows:
    • Set Password Length to 8 or more.
    • Check Enable Strong Passwords.
    • Check Disallow Commonly Used Passwords.
    • Set User Password Expires In Days to a value greater than 0.
    • Set Number of Previous Passwords that cannot be reused to a value greater than 0.
    • Set Reset password attempt interval to a value greater than 0.
If the password settings are configured as indicated, status is OK; if not, status is Issues.
164.308 Administrative safeguards. (a)(6)(ii)
Confirm all (HIPAA) violations can be exported from the Compliance Center.
Enable this rule as confirmation that all FileCloud Compliance HIPAA violations can be exported.
None
164.308 Administrative safeguards. (a)(7)(i)
Implement a contingency plan in case systems containing ePHI are damaged.

Enable this rule as confirmation that you have done the following:

  1. Go to Settings > Misc > General.
  2. Disable DB Backup option should be disabled (by default it is disabled).
  3. Set DB Backup Interval to daily.
  4. Backup of the managed storage location should be planned and maintained by your team.
None
164.308 Administrative safeguards. (a)(7)(ii)(B)
Establish procedures to restore loss of data.

Enable this rule as confirmation that admins understand the procedures to restore data given at Backing Up and Restoring FileCloud Server.

None
164.308 Administrative safeguards. (a)(7)(ii)(C)
Establish an emergency mode operation plan.
Enable this rule as confirmation that admins understand that they can configure a firewall proxy rule to prevent access to FileCloud to protect ePHI.
None
164.312 Technical safeguards. (a)(1)
Implement policies and procedures to only allow access to ePHI to people and programs with access rights.
To prevent data from being shared with unauthorized users:
  1. For each policy, go to Settings > Policies and click the General tab. Set Share Mode to either Allow Private Shares Only or Shares Not Allowed.
  2. Remove any existing public shares, or change them to private.
If Share Mode is Allow All Shares or any public shares exist, status is Issues.
164.312 Technical safeguards. (a)(2)(i)
Assign a unique name and/or number to each user.
Enable this rule as a confirmation that all users have unique usernames.
None
164.312 Technical safeguards. (a)(2)(iii)
Terminate sessions after a certain amount of time automatically.
To confirm automatic logoff of sessions:
  • Go to Settings > Server, and set Session Timeout to a value greater than 0.
If Session Timeout is set to 0 or empty, status is Issues.
164.312 Technical safeguards. (a)(2)(iv)
Implement encryption and decryption of ePHI.
To set up ePHI encryption:
  1. Configure storage encryption. See Setting Up Managed Storage Encryption.
  2. Go to Settings > Storage > My Files and click Manage next to Encryption; then enable encryption.
  3. Encrypt all existing files.
If storage is not fully encrypted, or any existing files are not fully encrypted, status is Issues.
164.312 Technical safeguards. (b)
Set up audit controls.
To implement audit controls:
  • Go to Settings > Admin, and configure the following:
    • Audit Logging Level - Set to REQUEST or FULL.
    • Auto Archive Audit Database - Check.
    • Auto Archive Audit Records After (in days) - Enter a value.
    • Storage Path For Archived Audit Records - Enter a valid path.
If any of the audit settings is not set as specified, status is Issues.
164.312 Technical safeguards. (c)(1)
Protect ePHI files from destruction.
To protect ePHI files and folders from deletion:
  • Click the Edit button, and select a retention policy to protect ePHI files and folders from deletion based on metadata.
If the retention policy exists and is enabled, status is OK; if not, or if modifications to the retention policy allow file or folder deletion, status is Issues.
164.312 Technical safeguards. (d)
Verify user identity of people seeking access to ePHI.
To confirm that all users have individual FileCloud user accounts, enable this rule.
None
164.312 Technical safeguards. (e)(1)
Guard against unauthorized access of ePHI that is being transmitted.
To guard against unauthorized access to ePHI:
  1. Click the Edit button, and select a DLP rule that blocks public shares.
  2. Change any existing public shares to private.
If the DLP rule exists and is enabled and there are no existing public shares, status is OK; if not, or if modifications to the rule allow public shares, status is Issues.
164.312 Technical safeguards. (e)(2)(i)
Ensure that transmitted ePHI is not modified.
To confirm that users are educated about sharing permissions and folder level permissions, enable this rule.
None
164.316 Policies and procedures and documentation requirements. (b)(2)(i)
Retain files for 6 years.
To retain files for 6 years:

  • Click the Edit button, and select a retention policy to retain files for 6 years based on metadata.
    (The selected retention policy must have its expiry set to 2192 days (6 years with 2 leap years) and must not renew on expiry.)
If the retention policy exists and is enabled, status is OK; if not, status is Issues.
164.316 Policies and procedures and documentation requirements. (b)(2)(ii)
Make documentation available and accessible.
To confirm that Admins and users have access to support documentation for all features, enable this rule.
None
164.316 Policies and procedures and documentation requirements. (b)(2)(iii)
Maintain updated documentation.
To ensure the system is at the latest version, go to the Upgrade screen in Admin and ensure there are no upgrades available.

If the system is not upgraded to the latest available version, then status is Issues.

164.404 Notification to individuals. (b)
Create timely notifications in case of breaches.
To confirm that admins can use Audit logs, Alerts and Violation reports to generate breach notifications, enable this rule.
None
164.502 Uses and disclosures of protected health information: General rules. (a)(1)
Allow users to use and disclose ePHI according to regulations.
To prevent data from being shared with non-associates without proper permission:

  1. Go to Settings > Policies, and edit each policy.
    1. On the General tab, set Share Mode to either Allow Private Shares Only or Shares Not Allowed.
    2. Remove any existing public shares or change them to private.

If Share Mode is Allow All Shares or any public shares exist, status is Issues.

164.504 Uses and disclosures: Organizational requirements. (e)(1)
Business associates must comply with standards.

To confirm that users who have access to ePHI are educated about sharing permissions, enable this rule. 

None
164.504 Uses and disclosures: Organizational requirements. (e)(2)(ii)(J)
At the termination of a contract, all info shared with business associate should be destroyed or returned.
To confirm return or destruction of ePHI at the termination of contracts:
  • Go to Settings > Misc > Share and configure these settings:
    • Default Share Expiry in Days - Set to a value greater than 0.
    • Remove Expired Shares - Check.
    • Delete Files from Expired Shares - Check.

If all the settings are as specified, status is OK; if not, status is Issues.

164.508 Uses and disclosures for which an authorization is required. (a)
Uses of ePHI requiring authorization.
To implement authorization for use and disclosures of ePHI:
  • Click the Edit button, and select a DLP rule that restricts sharing.
If the DLP rule exists and is enabled, status is OK; if not, or if modifications to the rule allow public shares, status is Issues.
164.522 Rights to request privacy protection for protected health information. (a)(1)
Right of individual to request restriction of disclosure of their ePHI.
To implement the right of an individual to request restriction of uses and disclosures of ePHI:
  1. Go to Settings > Misc > General.
  2. If Disable Locking is checked, uncheck it, and save.
If Disable Locking is unchecked, status is OK; if not, status is Issues.
164.528 Accounting of disclosures of protected health information.
Right of an individual to receive records of disclosures of PHI.
To confirm that admins understand how to use audit logs and reports to generate an account of disclosures of protected health information, enable this rule.
None
ITAR

Rule (click to see text) | Description | Steps for complying | Validation
120.6
Identify which documents are defense articles.

In the Compliance Center, click the Edit button for the rule, and select a metadata set with a tag that identifies defense articles.

(To carry out compliance, you must use smart classification to apply the metadata tag to defense articles.)

If the metadata set exists and is enabled, status is OK; if not, status is Issues.
120.10
Identify which files contain technical data.

In the Compliance Center, click the Edit button for the rule, and select a metadata set with a tag that identifies technical data.

(To carry out compliance, you must use smart classification to apply the metadata tag to technical data.)

If the metadata set exists and is enabled, status is OK; if not, status is Issues.
120.13
Only allow access to the system from within the US.
In the Compliance Center, click the Edit button for the rule, and select a DLP rule that blocks users from logging in from outside locations. Only DLP rules for the LOGIN action are available for selection.
If the DLP rule exists and is enabled, status is OK; if not, or if modifications to the rule allow log in from outside the US, status is Issues.
120.15
Only allow US residents to access the system.
Enabling the rule to confirm that your system checks if all users are US residents is all that is necessary to pass the compliance check.
None
120.17
Do not permit public sharing.
  1. In the Compliance Center, click the Edit button for the rule, and select a DLP rule that blocks public shares. Only DLP rules for the SHARE action are available for selection.
  2. Change any existing public shares to private.
If the DLP rule exists and is enabled and there are no existing public shares, status is OK; if not, or if modifications to the rule allow public shares, status is Issues.
120.25
Allow at least one user access to the Compliance system.
  1. In the Admin portal, go to Users and promote at least one user to an Admin role.
  2. Then, go to Admins and create a role with access to the Compliance Center.
  3. In Admins, add at least one Admin user to the role with access to the Compliance Center.

If one or more Admin users have access to the Compliance Center, status is OK; if not, status is Issues.

120.50
Prevent unauthorized access to data by non-US residents.
Install FileCloud with an enterprise license or a license that includes a Digital Rights Management (DRM) component.
If a proper license is installed, status is OK; if not, status is Issues.
120.54(2)(3)
Prevent data from being shared with non-US entities.
Remove any existing public shares or change them to private.
If any public shares exist, status is Issues.
120.54(5)
Confirm that data is only transferred between US entities.
  1. In the Admin portal, go to Settings > Server > Server URL. Use HTTPS for the Server URL.
  2. Configure storage encryption. See Setting up Managed Storage Encryption.
  3. Go to Settings > Storage > MyFiles and enable Encryption.
  4. Encrypt all existing files.
If HTTPS is not used, storage is not fully encrypted, or any existing files are not fully encrypted, status is Issues.
120.55
Keep decryption methods secure.
Enabling the rule to confirm that decryption keys are kept confidential in your system is all that is necessary to pass the compliance check.
None.
123.1
Ensure that proper permission is given if data is shared with non-US entities.
  1. In the Admin portal, go to Settings > Policies > General > Share Mode, and for Set Share Mode in all policies choose either Allow Private Shares Only or Shares Not Allowed.
  2. Remove any existing public shares or change them to private.

If Set Share Mode is Allow All Shares or any public shares exist, status is Issues.

123.26
Maintain records of all data shared with non-US entities.
In the Admin portal, go to Settings > Admin and set the Audit Logging Level to FULL.
If Audit Logging Level is set to OFF or REQUEST, status is Issues.
126.1
Deny access to the system by prohibited countries.

In the row for the rule in the Compliance Center, click the Edit button and select a DLP rule that blocks users from logging in from those countries.


Only DLP rules for the LOGIN action are available for selection.
If the DLP rule exists and is enabled, status is OK; if not, or if modifications to the rule allow log in from those countries, status is Issues.
127.1
Confirm that reports of violations of compliance rules can be exported.
Enabling the rule to confirm that there is functionality to export reports of compliance rule violations from this page is all that is necessary to pass the compliance check.
None
GDPR

Rule (click to see text) | Description | Steps for complying | Validation
Art. 5
Principles for processing personal data.

To set up data protection, customize Terms of Service:

  1. Go to Customization > TOS
  2. Set up a TOS that is suitable for your organization. 
If the default TOS is not modified then status is Issues.
Art. 6 & 7
Lawfulness of processing

To confirm lawfulness of processing and conditions for consent:

  1. For each policy:
    1. Go to Settings > Policies.
    2. Open the policy for editing.
    3. In the General tab, set Enable Privacy Settings to YES, and save.
  2. After you have completed this configuration for each policy:
    1. Go to Settings > Misc > Privacy.
    2. Set Force users to accept TOS when changed to YES.
    3. Check Show TOS for every login.
If the settings are set as specified, status is OK; if not, status is Issues.
Art. 12
Rights of data subject - transparent information

To maintain transparent information and communication:

  • Go to Settings > Misc > General, and uncheck Disable Action Panel if it is checked. 
If Disable Action Panel is unchecked, status is OK; if not, status is Issues.
Art. 13
Rights of data subject - information about collecting of personal data
To confirm that Terms of Service indicate where personal data are collected about the data subject, enable this rule.
None
Art. 17
Rights of data subject - right to be forgotten

To set up the right to be forgotten:

  1. Go to Settings > Misc > Privacy.
  2. Set up Anonymous User Consent Dialog Text with information that provides rights of the data subject.
  3. If a user requests to be forgotten, anonymize the data. 

Also see Anonymizing User Data.

If the settings are configured as specified, status is OK; if not, status is Issues.
Art. 20
Rights of data subject - right to data portability

To confirm the right to data portability, ensure the following options work in the Admin portal, and then enable this rule.

  • Exporting a user's file.
    1. In the navigation pane, click Users.
    2. Edit a user.
    3. In the User Details dialog box, click Manage Files, and then click My Files.
    4. Click Download as Zip for a file, and confirm that the zip download works.
  • Exporting audit log records.
    1. In the navigation pane, click Audit.
    2. In the upper-right corner of the screen, click Manage.
    3. In the Manage Audit Logs dialog box, enter a Start Date and an End Date.
    4. Click Export, and confirm that the file is exported correctly.
None.
Art. 21
Rights of data subject - right to object

To confirm users have right to object:

  • For each policy:
    1. Go to Settings > Policies.
    2. Open the policy for editing.
    3. In the General tab, set Enable Privacy Settings to Yes.

After you have completed this configuration for each policy:

  1. Go to Settings > Misc.
  2. Click the Privacy tab. 
  3. Check Show TOS for every login.
    This option forces users to accept the TOS for every login; if users do not want to accept the condition, they can close the TOS, but they will not be able to log in to the user portal.
If the specified settings are set, status is OK; if not, status is Issues.
Art. 30
Controller and processor - Records of processing activities
To maintain records of processing activities:
  1. Go to Settings > Admin.
  2. Set Audit Logging Level to Request or Full.
If Audit Logging Level is set to Request or Full, status is OK; if Audit Logging Level is set to Off, status is Issues.
Art. 32
Controller and processor - Security of processing

Configure storage encryption.

  1. See Setting Up Managed Storage Encryption in the support document.
  2. Go to Settings > Storage > MyFiles and enable encryption.
  3. Encrypt all existing files.
If storage is not fully encrypted or any existing files are not fully encrypted, status is Issues.
Art. 33
Controller and processor - Notification of a personal data breach to the supervisory authority
To confirm that admins can use audit logs, alerts, and violation reports to generate breach notification, enable this rule.
None
Art. 35
Controller and processor - Data protection impact assessment
Enable all GDPR compliance rules, and ensure that they pass.
If all GDPR compliance rules are enabled and pass, Status is OK. If any rules are not enabled or do not pass, Status is Issues.
Art. 37
Controller and processor - Designation of the data protection officer
To designate Data Protection Officer:
  1. Go to Users and promote at least one user to an Admin role.
  2. Go to Admins and create a role with access to the Compliance Center.
  3. In Admins, add at least one Admin user to the role with access to the Compliance Center.
If one or more users have access to the Compliance Center, status is OK; if not, status is Issues.
Art. 45
Transfers of personal data to third countries or international organisations - Transfers on the basis of an adequacy decision
To allow users to log in to access FileCloud content based on location or IP address, click the Edit button and select a DLP rule that blocks users from logging in from outside locations.
If the DLP rule exists and is enabled, status is OK; if not, or if modifications to the rule allow login from outside locations, status is Issues.
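
The validation criteria in the tables above, and the bypass option described under Configure Compliance Settings, can be cross-checked outside the Compliance Center. The following Python sketch is an added example, not FileCloud code: it evaluates a constructed settings snapshot against several of the criteria quoted above and lists rules whose BYPASSED status hides a failing check. The snapshot format and every dictionary key are assumptions made for this example.

```python
# Added example: re-check a settings snapshot against validation criteria
# quoted from the tables above. Every dictionary key is a hypothetical name
# chosen for this sketch, not a FileCloud API or export field.

# Constructed sample snapshot (not real data).
SAMPLE = {
    "audit_logging_level": "REQUEST",
    "session_timeout": 30,
    "share_mode": "Allow Private Shares Only",
    "public_share_count": 0,
    "password": {"length": 8, "strong": True, "disallow_common": True,
                 "expires_days": 90, "history": 5, "reset_interval": 0},
    # Rules an admin marked "Bypass check for this rule and mark as passed".
    "bypassed": {"HIPAA 164.308(a)(5)(ii)(D)"},
}


def audit_request_or_full(s):
    return str(s.get("audit_logging_level", "")).upper() in ("REQUEST", "FULL")


def audit_full(s):
    return str(s.get("audit_logging_level", "")).upper() == "FULL"


def password_ok(s):
    p = s.get("password", {})
    return (p.get("length", 0) >= 8 and bool(p.get("strong"))
            and bool(p.get("disallow_common"))
            and p.get("expires_days", 0) > 0 and p.get("history", 0) > 0
            and p.get("reset_interval", 0) > 0)


def shares_ok(s):
    # Issues if Share Mode is Allow All Shares or any public share exists;
    # a missing value is treated as a failure.
    return (s.get("share_mode") in ("Allow Private Shares Only",
                                    "Shares Not Allowed")
            and s.get("public_share_count") == 0)


def timeout_ok(s):
    # Issues if Session Timeout is 0 or empty.
    t = s.get("session_timeout")
    return t not in (None, "") and int(t) > 0


# The same setting is judged differently per regulation: REQUEST audit
# logging satisfies the HIPAA and GDPR rows but not ITAR 123.26.
RULES = {
    "HIPAA 164.308(a)(5)(ii)(C)": audit_request_or_full,
    "HIPAA 164.308(a)(5)(ii)(D)": password_ok,
    "HIPAA 164.312(a)(1)": shares_ok,
    "HIPAA 164.312(a)(2)(iii)": timeout_ok,
    "ITAR 123.1": shares_ok,
    "ITAR 123.26": audit_full,
    "GDPR Art. 30": audit_request_or_full,
}


def evaluate(settings):
    """Return {rule: (displayed_status, underlying_status)}."""
    bypassed = settings.get("bypassed", ())
    result = {}
    for rule, check in RULES.items():
        underlying = "OK" if check(settings) else "Issues"
        displayed = "BYPASSED" if rule in bypassed else underlying
        result[rule] = (displayed, underlying)
    return result


def hidden_failures(settings):
    """Rules displayed as BYPASSED whose underlying check would fail."""
    return sorted(rule for rule, (shown, real) in evaluate(settings).items()
                  if shown == "BYPASSED" and real == "Issues")


if __name__ == "__main__":
    for rule, (shown, real) in evaluate(SAMPLE).items():
        print(f"{rule:28} displayed={shown:9} underlying={real}")
    print("bypassed but failing:", hidden_failures(SAMPLE))
```
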