Compliance Center
The Compliance Center enables you to check which regulatory requirements your system meets and which it fails to meet. It also provides information explaining why you haven't met certain requirements, and enables you to configure compliance settings.
The Compliance Center
To open the Compliance Center, in the navigation panel, click Compliance Center.
The Overview tab
The Compliance Center opens to the Overview tab. This tab lists your enabled configurations and recent compliance events.
In the image below, the box under Enabled Configurations displays an icon for each compliance type and a slider that currently indicates that it is enabled. The box for each compliance type also shows the total number of compliance rules being evaluated and how many of them failed the last evaluation.
Filtering Events
You can click the filters above the Recent Events list to display only violation events or only information events, or to display events for a single compliance type only. In the following image, the filters are set so that only informational ITAR events appear.
Compliance Tabs
There are currently compliance tabs for ITAR, HIPAA, and GDPR. Each tab lists the rules for the particular regulation and whether the system is compliant with each rule or has issues.
In each tab, you can enable or disable each rule, change the settings that are evaluated, and manually mark a rule as compliant.
Hover over the description under FileCloud Configuration for more details about how to configure the rule's setting. For even more information, click the row's information icon.
If Status indicates that there are issues, click the warning icon to see details of the issue.
How to set up and check compliance
For each type of compliance that you want to manage, follow these steps to enable and configure compliance checking and review your compliance status.
1) Enable compliance checking
- In the Admin portal's navigation panel, click Compliance Center.
  The Compliance Center opens to the Overview tab.
- Either:
  Under Enabled Configurations, click the slider for a compliance.
  Or:
  Click the tab for a compliance, and click the slider at the top of the screen.
After checking has been enabled for a specific compliance, you can enable or disable checking for each of its rules by toggling the slider to the rule's right. Notice that compliance status is checked as soon as you enable the rule.
Some rules prompt you to enter settings when you enable them; see the next procedure. For these rules, a dialog box opens and prompts you to enter a setting before the rule is enabled. You are not required to enter the setting, but if you do not, Status indicates that there are issues.
2) Configure Compliance Settings
You can configure the compliance settings directly from the Compliance Center for any rules with an Edit icon under Actions. When you enable the rule, you are prompted to enter settings, but you are not required to enter them.
After you configure the setting, you can change it by clicking the edit icon in the row for the rule:
For many rules, you must navigate to other pages in FileCloud and configure settings. The compliance tool will verify that the settings are configured correctly when you enable the rule.
For instructions on how to configure the settings, click the Information icon in the row for the rule.
Some rules only need your verification that you are complying with them. Simply enable the rule to confirm that you have complied.
For most rules, you have the option of bypassing FileCloud's compliance check: regardless of whether FileCloud's verification process would consider the rule compliant, Status then displays BYPASSED with a green check.
Note that you cannot bypass rules that only require you to enable them to make them compliant, as there is no validation to bypass.
To bypass a rule, enable it, then click the Information icon, and check Bypass check for this rule and mark as passed.
3) Run compliance checks
FileCloud automatically checks a rule for compliance when it is enabled and rechecks all enabled rules once per day. If you make changes in your system or want to be sure you are seeing the most recent result, you can run a compliance check manually.
To manually run a compliance check, in the tab for the compliance, click Refresh All.
4) Review compliance status
Review your compliance status regularly to make sure all of your rules remain compliant.
On the Overview tab, or at the top of a compliance tab, you can view a summary of how many rules you have enabled for checking and how many of them failed or were bypassed.
On a compliance tab, you can review whether each enabled rule's compliance check was OK, had issues, or was bypassed by viewing its Status.
If the Status column for a rule displays Issues and an error icon, click on the status to view information about the problem.
Getting more details on how to comply
For basic information on how to comply with a rule, hover over the description under FileCloud Configuration. For more specific instructions, click the Information icon in the row for the rule. To see the text of the rule in the regulation document, click the rule number.
HIPAA, ITAR, and GDPR compliance rules and validation
HIPAA rules
Rule (click to see text) | Description | Steps for complying | Validation |
---|---|---|---|
164.304 Definitions | Identify which files have electronic protected health information (ePHI). | In the Compliance Center, click the Edit button for the rule, and select a metadata set with a tag that identifies ePHI files. | If the metadata set exists and is enabled, status is OK; if not, status is Issues. |
164.306 Security standards: General rules | Allow at least one user access to the Compliance system. | | If one or more Admin users have access to the Compliance Center, status is OK; if not, status is Issues. |
164.308 Administrative safeguards. (a)(1)(ii)(A & B) | Confirm that all the FileCloud Compliance HIPAA rules are successful. | Enable this rule once all the other HIPAA rules are compliant. | If all other rules are enabled and their status is OK, the status of this rule is OK; if not, status is Issues. |
164.308 Administrative safeguards. (a)(1)(ii)(D) | Implement a procedure to regularly review system activity records. | In Settings > Admin, check Send Admin Governance Report Emails. | If the Send Admin Governance Report Emails setting is enabled, status is OK; if not, status is Issues. |
164.308 Administrative safeguards.(a)(3)(ii)(A) | Allow users to log in to access FileCloud content based on location or IP address. | Click the Edit button and select a DLP rule that blocks users from logging in from outside locations. | If the DLP rule exists and is enabled and GeoIP is not disabled, status is OK; otherwise, status is Issues. |
164.308 Administrative safeguards.(a)(5)(ii)(B) | Configure Anti-Virus protection against malicious file uploads. | | If an Anti-Virus is configured, status is OK; if not, status is Issues. |
164.308 Administrative safeguards.(a)(5)(ii)(C) | Monitor log-in attempts. | | If Audit Logging Level is REQUEST or FULL, status is OK; if Audit Logging Level is OFF, status is Issues. |
164.308 Administrative safeguards.(a)(5)(ii)(D) | Set up password management procedures. | | If the password settings are configured as indicated, status is OK; if not, status is Issues. |
164.308 Administrative safeguards.(a)(6)(ii) | Confirm all (HIPAA) violations can be exported from the Compliance Center. | Enable this rule as confirmation that all FileCloud Compliance HIPAA violations can be exported. | None |
164.308 Administrative safeguards.(a)(7)(i) | Implement a contingency plan in case systems containing ePHI are damaged. | Enable this rule as confirmation that you have done the following: | None |
164.308 Administrative safeguards.(a)(7)(ii)(B) | Establish procedures to restore loss of data. | Enable this rule as confirmation that admins understand the procedures to restore data given at Backing Up and Restoring FileCloud Server. | None |
164.308 Administrative safeguards.(a)(7)(ii)(C) | Establish an emergency mode operation plan. | Enable this rule as confirmation that admins understand that they can configure a firewall proxy rule to prevent access to FileCloud to protect ePHI. | None |
164.312 Technical safeguards.(a)(1) | Implement policies and procedures to only allow access to ePHI to people and programs with access rights. | To prevent data from being shared with unauthorized users: | If Share Mode is Allow All Shares or any public shares exist, status is Issues. |
164.312 Technical safeguards.(a)(2)(i) | Assign a unique name and/or number to each user. | Enable this rule as a confirmation that all users have unique usernames. | None |
164.312 Technical safeguards.(a)(2)(iii) | Terminate sessions automatically after a certain amount of time. | To confirm automatic logoff of sessions: | If Session Timeout is set to 0 or empty, status is Issues. |
164.312 Technical safeguards.(a)(2)(iv) | Implement encryption and decryption of ePHI. | To set up ePHI encryption: | If storage is not fully encrypted, or any existing files are not fully encrypted, status is Issues. |
164.312 Technical safeguards.(b) | Set up audit controls. | To implement audit controls: | If any of the audit settings is not set as specified, status is Issues. |
164.312 Technical safeguards.(c)(1) | Protect ePHI files from destruction. | To protect ePHI files and folders from deletion: | If the retention policy exists and is enabled, status is OK; if not, or if modifications to the retention policy allow file or folder deletion, status is Issues. |
164.312 Technical safeguards.(d) | Verify user identity of people seeking access to ePHI. | To confirm that all users have individual FileCloud user accounts, enable this rule. | None |
164.312 Technical safeguards.(e)(1) | Guard against unauthorized access of ePHI that is being transmitted. | To guard against unauthorized access to ePHI: | If the DLP rule exists and is enabled and there are no existing public shares, status is OK; if not, or if modifications to the rule allow public shares, status is Issues. |
164.312 Technical safeguards.(e)(2)(i) | Ensure that transmitted ePHI is not modified. | To confirm that users are educated about sharing permissions and folder level permissions, enable this rule. | None |
164.316 Policies and procedures and documentation requirements.(b)(2)(i) | Retain files for 6 years. | To retain files for 6 years: | If the retention policy exists and is enabled, status is OK; if not, status is Issues. |
164.316 Policies and procedures and documentation requirements.(b)(2)(ii) | Make documentation available and accessible. | To confirm that Admins and users have access to support documentation for all features, enable this rule. | None |
164.316 Policies and procedures and documentation requirements.(b)(2)(iii) | Maintain updated documentation. | To ensure that the system is at the latest version, go to the Upgrade screen in the Admin portal and ensure that no upgrades are available. | If the system is not upgraded to the latest available version, status is Issues. |
164.404 Notification to individuals. (b) | Create timely notifications in case of breaches. | To confirm that admins can use Audit logs, Alerts and Violation reports to generate breach notifications, enable this rule. | None |
164.502 Uses and disclosures of protected health information: General rules.(a)(1) | Allow users to use and disclose ePHI according to regulations. | To prevent data from being shared with non-associates without proper permission: | If Share Mode is Allow All Shares or any public shares exist, status is Issues. |
164.504 Uses and disclosures: Organizational requirements.(e)(1) | Business associates must comply with standards. | To confirm that users who have access to ePHI are educated about sharing permissions, enable this rule. | None |
164.504 Uses and disclosures: Organizational requirements.(e)(2)(ii)(J) | At the termination of a contract, all info shared with a business associate should be destroyed or returned. | To confirm return or destruction of ePHI at the termination of contracts: | If all the settings are as specified, status is OK; if not, status is Issues. |
164.508 Uses and disclosures for which an authorization is required.(a) | Uses of ePHI requiring authorization. | To implement authorization for use and disclosures of ePHI: | If the DLP rule exists and is enabled, status is OK; if not, or if modifications to the rule allow public shares, status is Issues. |
164.522 Rights to request privacy protection for protected health information. (a)(1) | Right of individual to request restriction of disclosure of their ePHI. | To implement the right of an individual to request restriction of uses and disclosures of ePHI: | If Disable Locking is unchecked, status is OK; if not, status is Issues. |
164.528 Accounting of disclosures of protected health information. | Right of an individual to receive records of disclosures of PHI. | To confirm that admins understand how to use audit logs and reports to generate an account of disclosures of protected health information, enable this rule. | None |
ITAR rules
Rule (click to see text) | Description | Steps for complying | Validation |
---|---|---|---|
120.6 | Identify which documents are defense articles. | In the Compliance Center, click the Edit button for the rule, and select a metadata set with a tag that identifies defense articles. | If the metadata set exists and is enabled, status is OK; if not, status is Issues. |
120.10 | Identify which files contain technical data. | In the Compliance Center, click the Edit button for the rule, and select a metadata set with a tag that identifies technical data. (To carry out compliance, you must use smart classification to apply the metadata tag to technical data.) | If the metadata set exists and is enabled, status is OK; if not, status is Issues. |
120.13 | Only allow access to the system from within the US. | In the Compliance Center, click the Edit button for the rule, and select a DLP rule that blocks users from logging in from outside locations. Only DLP rules for the LOGIN action are available for selection. | If the DLP rule exists and is enabled, status is OK; if not, or if modifications to the rule allow log in from outside the US, status is Issues. |
120.15 | Only allow US residents to access the system. | Enable this rule as confirmation that your system checks that all users are US residents; nothing more is needed to pass the compliance check. | None |
120.17 | Do not permit public sharing. | | If the DLP rule exists and is enabled and there are no existing public shares, status is OK; if not, or if modifications to the rule allow public shares, status is Issues. |
120.25 | Allow at least one user access to the Compliance system. | | If one or more Admin users have access to the Compliance Center, status is OK; if not, status is Issues. |
120.50 | Prevent unauthorized access to data by non-US residents. | Install FileCloud with an enterprise license or a license that includes a Digital Rights Management (DRM) component. | If a proper license is installed, status is OK; if not, status is Issues. |
120.54(2)(3) | Prevent data from being shared with non-US entities. | Remove any existing public shares or change them to private. | If any public shares exist, status is Issues. |
120.54(5) | Confirm that data is only transferred between US entities. | | If HTTPS is not used, storage is not fully encrypted, or any existing files are not fully encrypted, status is Issues. |
120.55 | Keep decryption methods secure. | Enable this rule as confirmation that decryption keys are kept confidential in your system; nothing more is needed to pass the compliance check. | None |
123.1 | Ensure that proper permission is given if data is shared with non-US entities. | | If Set Share Mode is Allow All Shares or any public shares exist, status is Issues. |
123.26 | Maintain records of all data shared with non-US entities. | In the Admin portal, go to Settings > Admin and set the Audit Logging Level to FULL. | If Audit Logging Level is set to OFF or REQUEST, status is Issues. |
126.1 | Deny access to the system by prohibited countries. | In the row for the rule in the Compliance Center, click the Edit button and select a DLP rule that blocks users from logging in from those countries. Only DLP rules for the LOGIN action are available for selection. | If the DLP rule exists and is enabled, status is OK; if not, or if modifications to the rule allow log in from those countries, status is Issues. |
127.1 | Confirm that reports of violations of compliance rules can be exported. | Enable this rule as confirmation that reports of compliance rule violations can be exported from this page; nothing more is needed to pass the compliance check. | None |
GDPR rules
Rule (click to see text) | Description | Steps for complying | Validation |
---|---|---|---|
Art. 5 | Principles for processing personal data. | To set up data protection, customize the Terms of Service: | If the default Terms of Service (TOS) are not modified, status is Issues. |
Art. 6 & 7 | Lawfulness of processing. | To confirm lawfulness of processing and conditions for consent: | If the settings are set as specified, status is OK; if not, status is Issues. |
Art. 12 | Rights of data subject - transparent information. | To maintain transparent information and communication: | If Disable Action Panel is unchecked, status is OK; if not, status is Issues. |
Art. 13 | Rights of data subject - information about collecting of personal data | To confirm that Terms of Service indicate where personal data are collected about the data subject, enable this rule. | None |
Art. 17 | Rights of data subject - right to be forgotten. | To set up the right to be forgotten: Also see Anonymizing User Data. | If the settings are configured as specified, status is OK; if not, status is Issues. |
Art. 20 | Rights of data subject - right to data portability. | To confirm the right to data portability, ensure that the following options work in the Admin portal, and then enable this rule. | None |
Art. 21 | Rights of data subject - right to object. | To confirm that users have the right to object: After you have completed this configuration for each policy: | If the specified settings are set, status is OK; if not, status is Issues. |
Art. 30 | Controller and processor - Records of processing activities. | To maintain records of processing activities: | If Audit Logging Level is set to REQUEST or FULL, status is OK; if Audit Logging Level is set to OFF, status is Issues. |
Art. 32 | Controller and processor - Security of processing. | Configure storage encryption. | If storage is not fully encrypted or any existing files are not fully encrypted, status is Issues. |
Art. 33 | Controller and processor - Notification of a personal data breach to the supervisory authority | To confirm that admins can use audit logs, alerts, and violation reports to generate breach notification, enable this rule. | None |
Art. 35 | Controller and processor - Data protection impact assessment. | Enable all GDPR compliance rules, and ensure that they pass. | If all GDPR compliance rules are enabled and pass, status is OK; if any rules are not enabled or do not pass, status is Issues. |
Art. 37 | Controller and processor - Designation of the data protection officer. | To designate a Data Protection Officer: | If one or more users have access to the Compliance Center, status is OK; if not, status is Issues. |
Art. 45 | Transfers of personal data to third countries or international organisations - Transfers on the basis of an adequacy decision | To allow users to log in to access FileCloud content based on location or IP address, click the Edit button and select a DLP rule that blocks users from logging in from outside locations. | If the DLP rule exists and is enabled, status is OK; if not, or if modifications to the rule allow login from outside locations, status is Issues. |
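The status model that the procedure above (enable, configure, bypass, refresh, review) and the Validation columns describe can be made concrete in a few lines. The following is an added example written for this page; it is not FileCloud code and does not call any FileCloud API. It models a handful of the HIPAA rows (164.306, 164.308(a)(5)(ii)(C), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), the confirmation-only rule 164.308(a)(6)(ii), and the aggregate rule 164.308(a)(1)(ii)(A & B)) against a constructed configuration whose keys (`audit_logging_level`, `session_timeout_minutes`, `share_mode`, `public_share_count`, `storage_encrypted`, `unencrypted_file_count`, `compliance_admin_count`) are hypothetical stand-ins for the settings the tables name. It also encodes the two rules the page states for bypassing: a bypassed rule shows BYPASSED instead of its check result, and a confirmation-only rule (Validation: None) cannot be bypassed. Treating BYPASSED as passing inside the aggregate rule is an assumption based on its green check.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OK, ISSUES, BYPASSED, DISABLED = "OK", "Issues", "BYPASSED", "Disabled"

# Constructed sample configuration. The keys are hypothetical stand-ins for the
# FileCloud settings the tables name; they are not a real settings API.
SAMPLE_CONFIG = {
    "audit_logging_level": "REQUEST",   # OFF | REQUEST | FULL
    "session_timeout_minutes": 0,       # 0 or None: sessions never time out
    "share_mode": "Allow All Shares",
    "public_share_count": 3,
    "storage_encrypted": True,
    "unencrypted_file_count": 0,
    "compliance_admin_count": 1,
}

# One predicate per documented validation. True means the documented OK condition holds.
def compliance_admin_exists(cfg: dict) -> bool:      # 164.306
    return cfg["compliance_admin_count"] >= 1

def audit_request_or_full(cfg: dict) -> bool:        # 164.308(a)(5)(ii)(C)
    return cfg["audit_logging_level"] in ("REQUEST", "FULL")

def no_public_sharing(cfg: dict) -> bool:            # 164.312(a)(1)
    return cfg["share_mode"] != "Allow All Shares" and cfg["public_share_count"] == 0

def session_timeout_set(cfg: dict) -> bool:          # 164.312(a)(2)(iii): 0 or empty fails
    return bool(cfg.get("session_timeout_minutes"))

def storage_fully_encrypted(cfg: dict) -> bool:      # 164.312(a)(2)(iv)
    return cfg["storage_encrypted"] and cfg["unencrypted_file_count"] == 0


@dataclass
class Rule:
    rule_id: str
    validate: Optional[Callable[[dict], bool]]   # None: confirmation-only rule ("Validation: None")
    enabled: bool = False
    bypass: bool = False

    def set_bypass(self, value: bool) -> None:
        # Rules with no validation cannot be bypassed: there is no check to skip.
        if self.validate is None:
            raise ValueError(f"{self.rule_id}: confirmation-only rule has nothing to bypass")
        self.bypass = value

    def status(self, cfg: dict) -> str:
        if not self.enabled:
            return DISABLED
        if self.validate is None:
            return OK          # enabling the rule is the confirmation
        if self.bypass:
            return BYPASSED    # shown with a green check; the check result is ignored
        return OK if self.validate(cfg) else ISSUES


def evaluate(rules: List[Rule], cfg: dict) -> Dict[str, str]:
    """Status of every rule, as Refresh All (or the daily recheck) recomputes it."""
    return {r.rule_id: r.status(cfg) for r in rules}


def aggregate_status(rules: List[Rule], cfg: dict) -> str:
    """164.308(a)(1)(ii)(A & B): OK only when every other rule is enabled and passes.
    Assumption: BYPASSED counts as passing, matching its green check."""
    if all(r.enabled and r.status(cfg) in (OK, BYPASSED) for r in rules):
        return OK
    return ISSUES


def summarize(rules: List[Rule], cfg: dict) -> Dict[str, int]:
    """Counts shown on the Overview tab: rules being evaluated, failed, bypassed."""
    statuses = [r.status(cfg) for r in rules if r.enabled]
    return {"enabled": len(statuses),
            "failed": statuses.count(ISSUES),
            "bypassed": statuses.count(BYPASSED)}


def build_rules() -> List[Rule]:
    return [
        Rule("164.306", compliance_admin_exists, enabled=True),
        Rule("164.308(a)(5)(ii)(C)", audit_request_or_full, enabled=True),
        Rule("164.312(a)(1)", no_public_sharing, enabled=True),
        Rule("164.312(a)(2)(iii)", session_timeout_set, enabled=True),
        Rule("164.312(a)(2)(iv)", storage_fully_encrypted, enabled=True),
        Rule("164.308(a)(6)(ii)", None, enabled=True),   # confirmation-only
    ]


def run() -> Tuple[Dict[str, str], Dict[str, str], str, Dict[str, int]]:
    cfg = dict(SAMPLE_CONFIG)
    rules = build_rules()
    before = evaluate(rules, cfg)
    # Remediate the two failing settings: set a session timeout and stop public sharing.
    # "Private Only" is a constructed value; the page names only "Allow All Shares" as the failing mode.
    cfg.update(session_timeout_minutes=30, share_mode="Private Only", public_share_count=0)
    after = evaluate(rules, cfg)
    return before, after, aggregate_status(rules, cfg), summarize(rules, cfg)


if __name__ == "__main__":
    before, after, aggregate, summary = run()
    for rule_id in before:
        print(f"{rule_id:24} {before[rule_id]:8} -> {after[rule_id]}")
    print("164.308(a)(1)(ii)(A & B):", aggregate, summary)
```

Running it shows the two rules that fail on the constructed configuration (no session timeout, public sharing allowed with public shares present), then all rules passing after remediation, at which point the aggregate rule turns OK. The design point worth noting is that the aggregate rule and the Overview counts are derived from the other rules' statuses rather than stored, which is why the page tells you to enable 164.308(a)(1)(ii)(A & B) only once the other rules are compliant, and to refresh after changing settings elsewhere in the system.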