A COALFIRE PERSPECTIVE
Reduce File Transfer Risk with Validated Compliance
A Framework to assess secure cloud providers
Gerald A. Drake III, QSA, MSIA
April 2014
Dallas | Denver | Los Angeles | New York | San Francisco | Seattle | Washington, D.C.
877.224.8077 | www.coalfire.com
Summary
This paper will help organizations determine how cloud file transfer services can support their information
security programs and data security controls. Most organizations understand there are benefits derived from
cloud-based file transfer solutions, but the benefits don’t outweigh concerns about the solution providers’
ability to deliver and manage a secure and compliant solution. The approach some secure cloud providers take
actually introduces risk: withholding information, implementing insecure configurations, and/or charging exorbitant
fees to attain the secure and compliant solution. This document offers a framework to identify providers who
offer a secure, compliance-validated file transfer cloud solution and reduce an organization's overall
compliance risk.
Introduction
Compliant and secure cloud computing is available but choosing the right partner is critical to managing risk.
Legitimate concerns exist surrounding data security within the cloud-computing realm. Recent security
breaches have shaken industry confidence and have led to regulatory compliance initiatives aimed at improving
information security. Partner entities with use or access to protected information, like cloud file transfer service
providers, are accountable to the same requirements.
How will your organization determine the appropriate service provider? Organizations should select a cloud file
transfer service provider that shoulders as much of the compliance and security burden as possible. Compliance
with the numerous data security regulations and legislation is complex, and your cloud service provider can
work with you to address these concerns and proactively enforce heightened data security.
The cloud-computing model is effective and secure when it is implemented properly. The cloud offers a proven
cost reduction, fast time-to-value, and business continuity for hosted data and middleware services. But none of
this matters if the cloud solution can’t address data security and compliance. You need a cloud service provider
that is trustworthy and capable of taming the compliance beast.
This paper outlines the main concerns organizations have about entrusting critical business operations to the
cloud. Then it draws a picture of the ideal cloud service offering, detailing how it removes those concerns so you
can invest confidently to get the benefits the cloud offers.
Concerns about cloud security and compliance
There are many reasons to consider cloud services, but concerns about data security and perceived lack of
regulatory compliance have prevented many organizations from moving to the cloud. Customer data, which can
include credit card information, protected health information, and financial information, can be at risk to
malicious attackers trying to infiltrate the hosting environments. Many organizations have reservations about
hosting their data in the cloud because of a lack of control of their data.
While some cloud providers offer secure and compliant services, detailed descriptions of assurances, services, and
costs may not be clear. For example, an organization may purchase a service from a provider they think is
secure and compliant, only to find that add-on services at significant additional cost are required to adequately
meet their security and compliance needs.
Organizations need a security-hardened cloud solution operated by a provider with a robust information
security program in place. There are a number of areas of risk that a cost-effective security-centered solution
needs to address:
Configuration standards are a vital component in the overall security of the supporting infrastructure
Security hardened infrastructure
Clearly defined agreement for services covered under the security umbrella
Robust security programs
Documented pricing for all applicable services
A mismanaged security program or inadequate agreement can prove catastrophic, leading to increased risk
exposure and the possibility of a security breach, not to mention unexpected costs.
Moving Towards Compliance
Cloud providers are required to provide their customers with a ‘reasonable’ assurance of data security.
However, is there a way to validate assurance to auditors? Yes, validated assurance is required to effectively
manage risk! Recent movements in the arenas of compliance and security have forced third party organizations
towards compliance and the provision of assurance. With implementation of the final healthcare Omnibus Rule,
business associates are on the compliance hook. Organizations are now required to be in compliance with
HIPAA and the HITECH Act regulations. There is an initiative by the Office of Civil Rights (OCR) to perform
independent security audits of service providers’ information security programs. The Omnibus Rule establishes
a structure for penalties and fees for security breaches, and lays the foundation for enforcing compliance on all
applicable organizations including covered entities, business associates and sub-contractors. It’s vital that
organizations make an informed decision to choose a trustworthy cloud provider to support their compliance
goals for two reasons: 1) predictable and manageable costs, and 2) effective process for compliance audits.
Any cloud provider that is involved with financial transactions between banks, credit unions, and financial institutions,
or that provides services that aid in those transactions, is required to comply with FFIEC regulations. Additionally,
there are specific guidelines for safeguarding customer data included in the Gramm-Leach-Bliley Act of 1999
(GLBA). These guidelines require service providers to implement appropriate security controls to ensure secure
handling of customer data. GLBA and FFIEC mandated regulations enforce data security through established
guidelines based on best practices including the National Institute of Standards and Technology (NIST), The
Information Systems Audit and Control Association (ISACA), Control Objectives for Information Technology
(COBIT), and International Organization for Standardization (ISO). It is the responsibility of the organization to
partner with a cloud provider that supports these guidelines and implements appropriate security controls for
the secure handling of customer data.
Dismissing Cloud Concerns
Some cloud providers offer cloud-based solutions that are both secure and compliant. Finding them can prove
difficult, but consider looking for cloud based solutions hosted at physically secure data center locations, which
have been assessed and validated against specific regulations like HIPAA, PCI, FFIEC, and Service Organization
Control (SOC) Reports Type 1, 2, and 3. Each of these regulations defines required physical security controls like
24/7 video cameras at each ingress/egress location, badge controlled access and policies that limit access to
approved personnel or visitors with advance notice and approval. It’s also important to consider disaster
recovery services, which are often not included or are available only at an additional cost.
Concerns over data security in a private or public cloud can be overcome by partnering with a provider that
offers a validated solution compliant with established security regulations. Secure connections using encrypted
transmission, defined ports and protocols, as well as strict access controls and firewall rules, provide data
integrity. Consider asking the cloud provider for third party security assessments, compliance letters, or request
a meeting with the provider to discuss data security concerns. Cloud providers with validated solutions will
welcome these requests, but it’s your responsibility to obtain the necessary data security and compliance
assurances before you make a commitment.
Organizations should understand whether the cloud provider’s infrastructure is designed to virtually partition
data and configuration, so that each customer organization works in their own virtual environment. An effective
partitioning implementation includes perimeter firewalls and firewall rules that restrict inbound and outbound
traffic to defined ports, protocols, and services. The cloud provider needs to deploy these firewall rules to deny
all but explicitly authorized traffic. A deny-all rule should be the default to restrict unauthorized traffic. The
cloud provider must also limit traffic, ports, and protocols to those that are customer defined and business justified. A
knowledgeable cloud provider can provide aid and guidance to customers on the types of traffic that are permitted
through secure ports and protocols. There are other ways to enforce partitioning, including router access
control lists and virtual local area networks (VLANs) with strong ACLs.
The MOVEit Cloud Difference
What is MOVEit Cloud?
Ipswitch MOVEit Cloud is a security-hardened managed file transfer cloud service through which applications
and end-users can safely exchange files using standard secure file transfer protocols. MOVEit Cloud uses
MOVEit Managed File Transfer software infrastructure, which thousands of customers worldwide trust and
adopt to secure their data transfers. MOVEit Cloud can help reduce overall cost and scope related to physical
infrastructure, maintenance, support and perhaps most importantly compliance. Everything on the cloud data
plane is the responsibility of Ipswitch, including network devices, firewalls and software infrastructure.
MOVEit Cloud is validated through an independent, third-party assessor firm as PCI DSS, HIPAA, and FFIEC
compliant. MOVEit Cloud delivers market leading file transfer security and compliance (See related details in
Appendix D):
Strong logical access controls, including between organizations, divisions, departments and user roles. It
is impossible for any organization to see and access another organization’s data.
End-to-end encrypted transfer in compliance with PCI DSS, HIPAA, and FFIEC requirements:
o Validated encryption of data in transit with support for SSLv3 through TLS 1.2 or SSH2 encrypted
methods (AS1, AS2, AS3, FTPS, HTTPS, SCP2, SFTP, or TLS).
o FIPS validated encryption for data at rest without using PGP.
Perimeter firewalls protect the MOVEit Cloud environment, with firewall rule sets in place to restrict
inbound and outbound traffic to specific ports, protocols, and services. In addition, each application,
database, and web server has host-based firewalls.
The cloud based infrastructure supports secure configuration and resides in appropriately hardened
data centers according to industry guidelines and best practices, based on Center for Internet Security
(CIS) benchmarks.
Business continuity through support for disaster recovery in compliance with HIPAA and FFIEC
requirements. Data replication occurs between the primary and secondary data center locations in real
time with proven 99% uptime.
Antivirus support in compliance with PCI DSS, HIPAA, and FFIEC requirements.
Conclusion
Organizations need to understand how to best evaluate cloud file transfer service providers. Security issues
raise troubling concerns about security of data in the cloud, yet there are clear business and cost benefits for
implementing cloud-based solutions. Evaluating prospective service providers against criteria outlined in this
document can significantly narrow the field and increase confidence when making a commitment for a trusted
partnership with a cloud provider.
MOVEit Cloud is a proven cloud-based managed file transfer solution with third party validated security and
compliance. MOVEit Cloud offers customers the affordability of a cloud hosted solution and the security of a
managed file transfer solution. That unique combination positions MOVEit Cloud as a file transfer security and
compliance leader. Ipswitch understands how to overcome the obstacles to compliance and is
committed to maintaining compliance with the security-related standards important to their customers
including PCI DSS, HIPAA, and FFIEC.
Appendix A – MOVEit Cloud Security and Compliance Features
This appendix provides additional detail about security and compliance features delivered in MOVEit Cloud.
These features and benefits reveal significant differences from other file transfer solution providers.
Infrastructure is secure and hardened
MOVEit Cloud has implemented effective logical segmentation within their cloud environment to protect
customer data and the environment from external threats. Deployed perimeter firewalls protect the MOVEit
Cloud environment, with firewall rule sets in place to restrict inbound and outbound traffic to specific ports,
protocols, and services defined by the MOVEit Cloud team. Any traffic not explicitly authorized is denied
through firewall rules. Additionally, each application, database, and web server has host-based firewalls in place
providing further segmentation and restriction on inbound and outbound traffic. Each firewall rule, perimeter
or host-based, is documented and justified for use within the environment. The combined use of the perimeter
firewall and host based firewall rules enforce logical segmentation between external networks, MOVEit
customers, Ipswitch personnel, and the MOVEit Cloud environment.
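The deny-by-default and documented-rule requirements described here, and in the partitioning discussion earlier in the paper, can be checked mechanically before a rule set is deployed. The following Python rule-set linter is an added illustration and not Ipswitch or MOVEit Cloud code; the rule fields, the sample addresses and the sample rule set are constructed for it. It evaluates traffic first-match against the rules (anything unmatched is denied), and flags a direction whose last rule is not an explicit deny-all, allow rules not limited to a specific protocol and port, allow rules with neither source nor destination scoping, and allow rules with no written business justification.

```python
"""Rule-set linter and first-match evaluator for a deny-by-default firewall policy.

Added example; not Ipswitch or MOVEit Cloud code. The rule fields, sample
addresses and sample rule set below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    direction: str           # "inbound" or "outbound"
    proto: str               # "tcp", "udp" or "any"
    port: Optional[int]      # None means any port
    src: str                 # CIDR block or "any"
    dst: str                 # CIDR block or "any"
    action: str              # "allow" or "deny"
    justification: str = ""  # written business justification, required for allow rules


def _matches_cidr(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def evaluate(rules: List[Rule], direction: str, proto: str, port: int, src: str, dst: str) -> str:
    """First matching rule wins; traffic that matches no rule is denied (implicit deny)."""
    for r in rules:
        if r.direction != direction or r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        if not (_matches_cidr(r.src, src) and _matches_cidr(r.dst, dst)):
            continue
        return r.action
    return "deny"


def lint(rules: List[Rule]) -> List[str]:
    """Checks a reviewer applies before deployment; returns one finding per problem."""
    findings = []
    for direction in ("inbound", "outbound"):
        chain = [r for r in rules if r.direction == direction]
        last = chain[-1] if chain else None
        explicit_deny_all = (last is not None and last.action == "deny" and last.proto == "any"
                             and last.port is None and last.src == "any" and last.dst == "any")
        if not explicit_deny_all:
            findings.append(f"{direction}: last rule is not an explicit deny-all")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.proto == "any" or r.port is None:
            findings.append(f"rule {i}: allow rule not limited to a specific protocol and port")
        if r.src == "any" and r.dst == "any":
            findings.append(f"rule {i}: allow rule has no source or destination scoping")
        if not r.justification.strip():
            findings.append(f"rule {i}: allow rule has no documented business justification")
    return findings


# Constructed sample rule set; 203.0.113.0/24 stands in for the service's DMZ.
SAMPLE_RULES = [
    Rule("inbound", "tcp", 443, "any", "203.0.113.0/24", "allow", "HTTPS file transfer portal for customers"),
    Rule("inbound", "tcp", 22, "any", "203.0.113.0/24", "allow", "SFTP endpoint for customer clients"),
    Rule("inbound", "tcp", 3389, "any", "203.0.113.0/24", "allow"),    # no justification on record
    Rule("inbound", "any", None, "any", "any", "deny", "default deny"),
    Rule("outbound", "udp", 53, "203.0.113.0/24", "198.51.100.53/32", "allow", "DNS to internal resolver"),
    Rule("outbound", "any", None, "any", "any", "allow", "temporary"),  # wide open, and no deny-all after it
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
    print(evaluate(SAMPLE_RULES, "inbound", "tcp", 8080, "198.51.100.7", "203.0.113.10"))
```

Run against the sample, the linter reports the missing outbound deny-all, the undocumented RDP rule and the wide-open outbound rule; the evaluator shows that a port with no rule is denied even before the explicit deny-all is reached.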
The cloud based infrastructure supports secure configuration and is appropriately hardened according to
industry guidelines and best practices, based on Center for Internet Security (CIS) benchmarks. These CIS
benchmarks are applied to each piece of infrastructure managed by the MOVEit Cloud team. Implementing
configuration standards and enforcing hardening guidelines are specified requirements for PCI DSS and FFIEC
compliance. By adhering to these guidelines and strictly enforcing these hardening standards, MOVEit Cloud
takes extensive measures to ensure the supporting infrastructure is configured and hardened. The adoption of
multiple security checks and configurations provides assurances that each piece of infrastructure has the
appropriate configuration and secure hardening applied in a repeatable fashion. Updates or vulnerabilities
uncovered in these configurations and hardening guidelines result in the MOVEit Cloud team providing
immediate updates and support to enact the necessary changes on the infrastructure. This will ensure each
component involved in the support of the solution is secure and hardened appropriately. Through the
configuration management of the MOVEit Cloud infrastructure, organizations can rely on the MOVEit Cloud
solution for limiting their risk exposure. Every organization considering using a cloud provider and solution
should request the necessary burden of proof that the solution, and its supporting infrastructure, is robust in its
security and compliance application.
Data is encrypted end-to-end
A key component and compliance feature to MOVEit Cloud is its FIPS validated encryption solution. Encryption
of data, both in transit and at rest, are compliance requirements for PCI DSS, HIPAA, and FFIEC. The MOVEit
Cloud solution has been assessed and validated against data encryption requirements for 42 distinct PCI DSS
controls, 2 HIPAA implementation specifications, and 2 FFIEC controls. Due to sensitive customer data
transmitted across open, public networks, it is critical for data protection throughout the entire managed file
transfer lifecycle. The encryption solution employed is unique in that even the MOVEit Cloud personnel do not
have any insight into the specific data contained within the uploaded/downloaded data file. This achieves
heightened levels of security for the customer, ensuring their data cannot be accessed without their
approved consent, enforced through logical access controls and permissions. The MOVEit Cloud compliance validation
included assessments against specific data encryption controls including:
Encrypted storage of data
Protection of encryption and decryption keys
Separate storage locations for data encrypting and key encrypting keys
Generation of strong cryptographic keys
Distribution of keys securely
Cryptographic key rotation based on cryptoperiods
Replacement of cryptographic keys when the integrity of the key has been weakened or compromised
Prevention of unauthorized substitution of cryptographic keys
Use of strong cryptography over open, public networks
Data encryption at rest is a key MOVEit differentiator, as this control eludes cloud providers in the quest to
achieve PCI, HIPAA, and FFIEC compliance. Additionally, at no point during the transmission, storage, or
download of customer data is it unencrypted within the MOVEit Cloud environment, nor does the MOVEit Cloud
team ever have access. Through the provisioning of end-to-end encryption, the customer can rest at ease
knowing their data will remain secure and confidential throughout the entirety of the managed file transfer
lifecycle and at rest within MOVEit Cloud.
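The key-management controls listed above (separate storage of data-encrypting and key-encrypting keys, cryptoperiod rotation, replacement of weakened or compromised keys, and protection against unauthorized key substitution) are easier to evaluate when seen as code. The following Python key manager is an added illustration, not Ipswitch or MOVEit Cloud code. Its cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen only so the example runs without third-party packages; a production system would use AES-GCM from a FIPS-validated module. The key-id format, the 90-day cryptoperiod and the in-memory integrity key are assumptions.

```python
"""Envelope encryption with separated key stores, cryptoperiods and key replacement.

Added example; not Ipswitch or MOVEit Cloud code. The cipher is an HMAC-SHA256
keystream with an encrypt-then-MAC tag, used only to avoid third-party packages;
production code would use AES-GCM from a FIPS-validated module. Key ids, the
90-day cryptoperiod and the integrity key location are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with separate encryption and MAC subkeys."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(_subkey(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))


@dataclass
class KeyRecord:
    key_id: str
    material: bytes       # raw KEK, or a DEK sealed under a KEK
    wrapped_by: str       # id of the wrapping KEK; "" for a KEK itself
    created: int          # epoch seconds; callers pass the clock in
    compromised: bool = False
    check: bytes = b""    # keyed check value; an edited or substituted record fails it


class KeyManager:
    CRYPTOPERIOD = 90 * 86400   # assumed cryptoperiod of 90 days

    def __init__(self, now: int):
        self.kek_store: Dict[str, KeyRecord] = {}   # key-encrypting keys ...
        self.dek_store: Dict[str, KeyRecord] = {}   # ... kept apart from data-encrypting keys
        self._integrity_key = os.urandom(32)        # assumed to live in an HSM/KMS, not beside the keys
        self.active_kek = self._new_kek(now)

    def _checksum(self, r: KeyRecord) -> bytes:
        msg = f"{r.key_id}|{r.wrapped_by}|{r.created}|{r.compromised}|".encode() + r.material
        return hmac.new(self._integrity_key, msg, hashlib.sha256).digest()

    def _store(self, r: KeyRecord) -> KeyRecord:
        r.check = self._checksum(r)
        (self.kek_store if r.wrapped_by == "" else self.dek_store)[r.key_id] = r
        return r

    def _record(self, kid: str, now: int, allow_unusable: bool = False) -> KeyRecord:
        r = self.kek_store.get(kid) or self.dek_store.get(kid)
        if r is None or not hmac.compare_digest(r.check, self._checksum(r)):
            raise ValueError(f"{kid}: unknown key, or record altered or substituted")
        if not allow_unusable:
            if r.compromised:
                raise ValueError(f"{kid}: key compromised, replace it")
            if now - r.created >= self.CRYPTOPERIOD:
                raise ValueError(f"{kid}: cryptoperiod expired, rotate before use")
        return r

    def _new_kek(self, now: int) -> str:
        return self._store(KeyRecord("kek-" + os.urandom(4).hex(), os.urandom(32), "", now)).key_id

    def _dek_bytes(self, kid: str, now: int, allow_unusable: bool = False) -> bytes:
        dek = self._record(kid, now, allow_unusable)
        kek = self._record(dek.wrapped_by, now, allow_unusable)
        return open_(kek.material, dek.material)

    def encrypt(self, plaintext: bytes, now: int) -> Tuple[str, bytes]:
        """A fresh DEK per object, stored only in wrapped form under the active KEK."""
        kek = self._record(self.active_kek, now)
        raw = os.urandom(32)
        dek = self._store(KeyRecord("dek-" + os.urandom(4).hex(), seal(kek.material, raw), kek.key_id, now))
        return dek.key_id, seal(raw, plaintext)

    def decrypt(self, kid: str, blob: bytes, now: int) -> bytes:
        return open_(self._dek_bytes(kid, now), blob)

    def rotate_kek(self, now: int) -> str:
        """Cryptoperiod rotation: new KEK, every DEK re-wrapped, data blobs untouched.
        If the old KEK was itself compromised, the DEKs it protected need replace_dek too."""
        old = self._record(self.active_kek, now, allow_unusable=True)
        new = self._record(self._new_kek(now), now)
        for dek in list(self.dek_store.values()):
            if dek.wrapped_by == old.key_id:
                dek.material = seal(new.material, open_(old.material, dek.material))
                dek.wrapped_by = new.key_id
                self._store(dek)
        self.active_kek = new.key_id
        return new.key_id

    def mark_compromised(self, kid: str, now: int) -> None:
        r = self._record(kid, now, allow_unusable=True)
        r.compromised = True
        self._store(r)

    def replace_dek(self, kid: str, blob: bytes, now: int) -> Tuple[str, bytes]:
        """Key replacement: re-encrypt one object under a new DEK when its key is expired or compromised."""
        return self.encrypt(open_(self._dek_bytes(kid, now, allow_unusable=True), blob), now)
```

Two design points matter for an assessment: the raw DEK never sits in the DEK store (only its sealed form does, and the KEK that opens it sits in a different store), and the check value covers every field of a key record, so an operator swapping one key's material for another's is caught at the next use rather than producing silently wrong plaintext.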
Robust access control
Another distinguishing compliance feature of MOVEit Cloud is its logical access controls. MOVEit Cloud has
strong logical access controls in place, with each organization assigned a unique organization member value
within MOVEit Cloud. Specific access control requirements include the following:
User account provisioning, modification, and removal
Use of unique user ID
Access control procedures limited to minimum necessary requirements
User authentication mechanisms
Restriction of default, shared, and/or group accounts
Documented approval for all access requests
Strong passwords with minimum length and complexity enforced
Password aging and expiration
Session timeout and automatic logoff
After purchase by the customer, the MOVEit Cloud department configures the first organization administrator
within the solution. After the establishment of the member group and first administrator, the organization can
then manage their own users and assign necessary access. MOVEit Cloud employs strong logical access controls,
with user permissions defined based on job role, referred to as role based access control (RBAC). It is
impossible for any organization to see and access another organization’s data, with the implementation of logical
access controls to enforce data confidentiality and minimum necessary requirements. These strong access
controls based on RBAC are specific compliance requirements for PCI DSS, HIPAA, and FFIEC. Additionally, each
organization’s credentials are stored in an encrypted format on the security-infused infrastructure of MOVEit
Cloud.
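The access control requirements listed above (unique IDs, no default or shared accounts, documented approval, role based permissions, organization isolation, password strength and aging, and idle session timeout) combine into a single authorization decision. The following Python is an added illustration, not Ipswitch or MOVEit Cloud code; the role names and permission strings, the 12-character minimum, the 90-day password age, the 15-minute idle timeout and the sample users are assumptions made for the example. The organization check comes before the role check on purpose: no role, including the organization administrator, can reach another organization's data.

```python
"""Organization-scoped role based access control with password and session policy.

Added example; not Ipswitch or MOVEit Cloud code. Role names, permission strings,
policy values and sample users are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "org_admin": {"file:read", "file:write", "user:manage"},
    "user":      {"file:read", "file:write"},
    "auditor":   {"file:read", "log:read"},
}
PASSWORD_MIN_LEN = 12
PASSWORD_MAX_AGE = 90 * 86400      # seconds
SESSION_IDLE_TIMEOUT = 15 * 60     # seconds
SHARED_ACCOUNT_NAMES = {"admin", "administrator", "root", "guest", "shared", "service"}


@dataclass
class User:
    user_id: str          # one person per ID
    org_id: str           # the organization member value the user belongs to
    role: str
    password_set_at: int  # epoch seconds
    approved_by: str      # documented approval for the access request


@dataclass
class Session:
    user_id: str
    last_activity: int


def password_violations(pw: str) -> List[str]:
    """Minimum length plus at least three of: lower, upper, digit, symbol."""
    problems = []
    if len(pw) < PASSWORD_MIN_LEN:
        problems.append(f"shorter than {PASSWORD_MIN_LEN} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least three character classes")
    return problems


def provision_user(directory: Dict[str, User], user_id: str, org_id: str, role: str,
                   approved_by: str, now: int) -> User:
    """Provisioning checks: unique ID, no default/shared names, known role, recorded approval."""
    if user_id in directory:
        raise ValueError(f"{user_id}: user ID already exists")
    if user_id.split("@")[0].lower() in SHARED_ACCOUNT_NAMES:
        raise ValueError(f"{user_id}: default or shared account names are not permitted")
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"{role}: unknown role")
    if not approved_by.strip():
        raise ValueError(f"{user_id}: access request has no documented approver")
    user = User(user_id, org_id, role, now, approved_by)
    directory[user_id] = user
    return user


def authorize(session: Session, user: User, action: str, resource_org: str, now: int) -> Tuple[bool, str]:
    """Every check must pass; the reason string is what goes to the audit log."""
    if session.user_id != user.user_id:
        return False, "session does not belong to this user"
    if now - session.last_activity > SESSION_IDLE_TIMEOUT:
        return False, "session idle timeout exceeded, re-authentication required"
    if now - user.password_set_at > PASSWORD_MAX_AGE:
        return False, "password expired"
    if resource_org != user.org_id:
        return False, "cross-organization access denied"   # no role crosses this boundary, not even org_admin
    if action not in ROLE_PERMISSIONS[user.role]:
        return False, f"role {user.role} lacks {action}"
    session.last_activity = now
    return True, "ok"
```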
Ipswitch security program and policies
The Ipswitch MOVEit Cloud information security program is robust. This security program is comprehensive and
managed by knowledgeable staff trained in information security. As part of the team’s responsibilities, there is
regular training conducted on complex security directives aimed at improving the information security posture
of the cloud provider, as well as enhancing the security of the MOVEit Cloud solution. The knowledge on display
by the MOVEit staff goes beyond just a compliant solution. Staff are knowledgeable in multiple facets of security
and stay abreast of evolving security issues, ultimately driving information security to the forefront of their
solution and enacting internal security focused changes company-wide. The MOVEit Cloud staff deployed and
continually manage the centralized log correlation engine on a 24/7 basis. Continual monitoring allows MOVEit
staff to be directly involved in the log management of MOVEit Cloud and quickly identify potential attack
scenarios whereby customer data may fall victim to a security breach. The MOVEit Cloud staff are proficient in
ensuring data security for their customers’ data throughout the entire managed file transfer lifecycle.
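As an added illustration of the kind of correlation rule such an engine runs (example code, not Ipswitch's or MOVEit Cloud's; the syslog-like line format and the log lines are constructed for it), the following Python parses authentication events from the file transfer front ends, raises an alert when one source address accumulates a threshold of failures inside a sliding window, and raises a second alert if that same source later authenticates successfully, which is the case an analyst most wants surfaced first.

```python
"""Sliding-window correlation of authentication failures across transfer services.

Added example; not Ipswitch or MOVEit Cloud code. The line format and the
sample log lines are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: one source fails against several accounts, then succeeds.
SAMPLE_LOG = """\
2014-04-02T10:00:01Z sftp auth=fail user=alice@acme src=198.51.100.7
2014-04-02T10:00:03Z sftp auth=fail user=alice@acme src=198.51.100.7
2014-04-02T10:00:05Z sftp auth=fail user=bob@acme src=198.51.100.7
2014-04-02T10:00:07Z sftp auth=fail user=carol@acme src=198.51.100.7
2014-04-02T10:00:09Z sftp auth=fail user=dave@acme src=198.51.100.7
2014-04-02T10:00:40Z sftp auth=ok user=dave@acme src=198.51.100.7
2014-04-02T10:05:00Z https auth=fail user=erin@globex src=203.0.113.9
2014-04-02T10:20:00Z https auth=ok user=erin@globex src=203.0.113.9
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<svc>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(text: str) -> List[Dict[str, object]]:
    """Turn matching lines into event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def correlate(events, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Alert on `threshold` failures from one source within `window`, and on any later success from it."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["result"] == "fail":
            q.append(e["ts"])
            if len(q) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append(f"{e['ts'].isoformat()} brute-force: {len(q)} failures from {e['src']} within {window}")
        elif e["src"] in flagged:
            alerts.append(f"{e['ts'].isoformat()} success after brute-force: {e['user']} from {e['src']}")
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are the tuning knobs an operations team owns; the single failure from the second source in the sample stays below the threshold and produces nothing, which is the behaviour that keeps the alert queue usable.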
Managing risk and limiting the threat exposure of customer data is a major priority. Ipswitch MOVEit Cloud has
a mature vulnerability management program in place. The MOVEit Cloud team performs weekly security triage
that examines and ranks possible vulnerabilities discovered during their internal and external vulnerability
scanning process. The team uses industry sources of known vulnerabilities such as the National Vulnerability
Database, customer-reported issues, monthly results from static and dynamic code analysis, quarterly internal
and external vulnerability scans, and annual penetration testing. Critical vulnerabilities uncovered are resolved
within 30 days from the discovery. Confirmed vulnerabilities rated as “high” and “critical” are resolved no later
than the next general release of MOVEit application software. This approach protects customer data because it
represents a risk-based program to secure the entire system infrastructure and application code against the
highest priority threats.
Appendix B - MOVEit Cloud Benefits: Reduced Cost and Scope for Compliance
Ipswitch understands compliance requirements and shares responsibility for integration with your environment.
Organizations needing a secure and compliant managed file transfer service benefit from scope reduction when using
MOVEit Cloud. The data diagram below shows a high-level representation of the environment relative to the
PCI, HIPAA, and FFIEC logical configuration. Organizations can access MOVEit Cloud via web browser, mobile
application, or file transfer clients. The customer is responsible for the management of all systems, devices, and
components within their environment. When using MOVEit Cloud, everything on the cloud data plane is the
responsibility of Ipswitch including network devices used to route traffic inbound and outbound, firewalls in
place limiting inbound and outbound traffic, servers residing in the DMZ, as well as the system components that
live within the internal segment of the MOVEit Cloud environment and all of the supporting infrastructure and
backend systems, including those used to store the customer specific data files. The demarcation point for the
customer organizations is the secure clients and Cisco ASA perimeter firewall managed by Ipswitch.
Ipswitch MOVEit Cloud Data Diagram
There are additional security controls in place too. MOVEit Cloud is primarily a Windows based environment,
with antivirus configured and deployed. The implementation and deployment of antivirus satisfies the
compliance requirements of HIPAA, PCI DSS, and FFIEC. MOVEit Cloud updates deployed antivirus definitions in
real-time, with weekly antivirus scans. Ipswitch personnel manage the antivirus and maintenance actions
necessary through their change management process.
An additional benefit of MOVEit Cloud is the secure software development and coding methodology. The
integration and API calls used within MOVEit Cloud have all been rigorously tested and reviewed. MOVEit Cloud
employs an Agile methodology for software development. All members of the Ipswitch development team train
extensively in secure coding techniques, including the OWASP Top 10, to ensure that the product is free from
coding vulnerabilities. Testing of the product occurs every code release, update, and iteration using dynamic
and static code analysis, as well as multiple manual code reviews. Examples of application vulnerabilities
from the OWASP Top 10 list that the product is tested against include: injection flaws, buffer overflow, insecure
cryptographic storage, insecure communications, improper error handling, cross-site scripting, and cross-site
request forgery. On an annual basis, application penetration testing is performed by a third party assessor firm
to validate the software is free of exploitable vulnerabilities.
Organizations using MOVEit Cloud see a reduction in cost in three areas: physical infrastructure, maintenance,
and support. The entire infrastructure is hosted within secure and compliant data centers. Data replication
occurs between the primary and secondary data center locations in real time. The multilayer replication and
disaster recovery for MOVEit Cloud enable a proven 99% uptime. Customers do not have to deploy, manage,
and update the infrastructure that would be necessary in an onsite deployment. When using MOVEit Cloud,
customers don’t need to invest in physical IT infrastructure, in deploying and managing it, or in disaster recovery and
business continuity.
Appendix C - Deploying MOVEit Cloud
This appendix describes deployment options and benefits of a cloud based deployment. The secure
configuration and hardening guidelines used by MOVEit Cloud can alleviate concerns over an insecure cloud
deployment. The diagram depicted below is the typical deployment for MOVEit Cloud with the optional MOVEit
Central component. The customer infrastructure is shown on the right of the diagram and their partners’,
customers’ or vendors’ infrastructure is shown on the left. The customer can access MOVEit Cloud through a web
browser, MOVEit Cloud client, or mobile device. Once the customer has established a connection with MOVEit
Cloud, the entire file transfer service including management, configuration, and compliance is no longer their
concern. The MOVEit Cloud service and the supporting backend infrastructure are the responsibility of Ipswitch,
who is a validated PCI DSS, HIPAA, and FFIEC compliant cloud provider. The customer is responsible for the
management of their environment only.
A key benefit of MOVEit Cloud is disaster recovery and business continuity, which is an FFIEC and HIPAA
compliance requirement. MOVEit Cloud has automated replication between the primary and DR facilities to
ensure quick and efficient recovery of data in the event of an emergency or disaster. In a traditional physical
infrastructure deployment, customers must purchase, deploy and administer backup and recovery infrastructure
necessary for storing, transmitting, and/or processing their data. Use of MOVEit Cloud drastically reduces these
costs.
Appendix D - PCI DSS Objectives
This appendix displays the PCI DSS objectives that Ipswitch MOVEit Cloud was assessed against. In total, there
are approximately 288 separate controls necessary for compliance validation.
Build and Maintain Secure Networks
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder and sensitive information across public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and Maintain Secure Systems and Applications.
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors.
Appendix E - HIPAA Objectives
The following appendix shows the various safeguards, standards, and implementation specifications that
Ipswitch MOVEit Cloud was assessed against.
Administrative Safeguards (see § 164.308)
Standard (Reference): Implementation Specifications; (R) = Required, (A) = Addressable
Security Management Process (164.308(a)(1)(i)): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
Assigned Security Responsibility (164.308(a)(2)): (R)
Workforce Security (164.308(a)(3)(i)): Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
Information Access Management (164.308(a)(4)(i)): Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
Security Awareness and Training (164.308(a)(5)(i)): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
Security Incident Procedures (164.308(a)(6)(i)): Response and Reporting (R)
Contingency Plan (164.308(a)(7)(i)): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
Evaluation (164.308(a)(8)): (R)
Business Associate Contracts and Other Arrangements (164.308(b)(1)): Written Contract or Other Arrangement (R)
Physical Safeguards (see § 164.310)
Standard (Reference): Implementation Specifications; (R) = Required, (A) = Addressable
Facility Access Controls (164.310(a)(1)): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
Workstation Use (164.310(b)): (R)
Workstation Security (164.310(c)): (R)
Device and Media Controls (164.310(d)(1)): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)
Technical Safeguards (see § 164.312)
Standard (Reference): Implementation Specifications; (R) = Required, (A) = Addressable
Access Control (164.312(a)(1)): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
Audit Controls (164.312(b)): (R)
Integrity (164.312(c)(1)): Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication (164.312(d)): (R)
Transmission Security (164.312(e)(1)): Integrity Controls (A); Encryption (A)
Organizational Requirements (see § 164.314)
Standard (Reference): Implementation Specifications; (R) = Required, (A) = Addressable
Business Associate Contracts or Other Arrangements (164.314(a)(1)(i)): Business Associate Contracts (R); Other Arrangements (R)
Requirements for Group Health Plans (164.314(b)(1)): Plan Documents (R)
Policies and Procedures and Documentation Requirements (see § 164.316)
Standard (Reference): Implementation Specifications; (R) = Required, (A) = Addressable
Policies and Procedures (164.316(a)): Policies and Procedures (R)
Documentation (164.316(b)(1)(i)): Time Limit (R); Availability (R); Updates (R)
HITECH Act - Security Provisions
Area (Reference): Requirement
Notification in the Case of Breach (13402(a)): In General
Notification in the Case of Breach (13402(b)): Notification of Covered Entity by Business Associate
Timeliness of Notification (13402(d)(1)): In General
Content of Notification (13402(f)(1)): [Description of Breach]; [Description of EPHI Involved]; [Actions by Individuals]; [Actions by Covered Entity]; [Contact Procedures]
Appendix F - FFIEC Objectives
The following appendix shows the FFIEC objectives that Ipswitch MOVEit Cloud was assessed against. Each
control objective below consists of more than 100 control activities that served as the criteria for determining
compliance.
1.0 IT PLANNING AND OVERSIGHT
1.1 IT Planning
1.2 IT Organization
1.3 Management Direction
1.4 Human Resource Management
1.5 Risk Assessment
1.6 Incident Response Management
1.7 Vendor Management
1.8 Compliance
2.0 SYSTEM DEVELOPMENT, MAINTENANCE, AND CHANGE CONTROLS
2.1 Acquire & Maintain Systems
2.2 Manage System Changes
2.3 Test and Approve Changes
3.0 IT OPERATIONS
3.1 Manage IT Operations
3.2 Manage Data
4.0 PHYSICAL AND ENVIRONMENTAL PROTECTION
4.1 IT Physical Security
4.2 IT Environmental Protection
5.0 SYSTEM SECURITY
5.1 Ensure Systems Security
5.2 Authentication
5.3 Authorization
5.4 Accounting
6.0 Network Security
6.1 Network Security
6.2 Malicious Code/ Content Management
6.3 Network Monitoring
6.4 Network Remote Access
6.5 Network Access
7.0 BUSINESS CONTINUITY
7.1 Ensuring Continuous Service
7.2 Business Continuity Testing