GDPR Explained: Is Your File Transfer Integration GDPR-Compliant?

The onslaught of data breaches today is relentless: thousands of major breaches each year, and 50 percent more breaches in 2019 than in 2018, according to a report by Risk Based Security. The cost of each breach has grown as well, with the average cost of a data breach now about $3.92 million.

Securing data against breaches not only protects the bottom line and your reputation; it is now also a basic legal requirement under rapidly growing data privacy laws.

While organizations have long had to comply with industry-specific standards, such as HIPAA in healthcare and the Payment Card Industry Data Security Standard (PCI DSS), they now also face new consumer privacy regulations, including:

  • GDPR from the European Union
  • California Consumer Privacy Act (CCPA)
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)

Protecting data starts with data governance: the process of creating and enforcing the rules and policies that ensure information is formally and properly managed throughout the enterprise. One often overlooked but critical element of data governance is file transfer governance.

What is File Transfer Governance?

When organizations consider data governance, they typically think about data sitting in their databases, data warehouses and applications. They often overlook file transfer governance, the governance of data in motion. But for compliance with GDPR, CCPA and PIPEDA, it is just as critical to establish a compliant process for file transfers.

Here are a few critical problems many organizations encounter, with solutions to help you improve your file transfer governance and avoid expensive security headaches.

1. Are Your Data Movements Traceable and Audit-Ready?

To prepare for GDPR, CCPA, PIPEDA, HIPAA, PCI DSS and more, your organization needs to be able to trace every movement of sensitive data. It is also important to monitor whether file transfers with external partners and customers actually succeed. After all, how can you be sure you will be paid on time if you do not know whether your partner received your invoice?

Solution: Implement Activity Logging with Managed File Transfer

Implement a managed file transfer (MFT) solution that provides detailed activity logging to meet auditor and other reporting requirements. Audit logs should record when and where files were moved, by whom, and when they were received, so that every send can be matched against a receipt.
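As an added example, not code from the original post or from any MFT product, the following Python sketches the kind of audit record the paragraph calls for and the reconciliation an auditor, or an accounts-receivable team, actually performs over it. Each transfer event records who moved which file (identified by its SHA-256 digest), from where to where and when; a receipt event from the partner side closes the loop. Matching sends against receipts answers both the audit question and the "did they get the invoice?" question, and a receipt whose digest differs from the send is flagged as a mismatch. The record shape, the partner host names, the SLA window and the sample events are all constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TransferEvent:
    """One audit-log record for a file movement (constructed schema).

    Every record names the acting user, so the same log also gives the
    user-level traceability discussed later in the article.
    """
    event: str          # "sent" or "received"
    transfer_id: str    # correlates a send with the partner's receipt
    actor: str          # user or service account that performed the action
    source: str
    destination: str
    filename: str
    sha256: str         # digest of the file content; a changed file shows up here
    timestamp: str      # ISO-8601, UTC


def file_digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def make_event(event, transfer_id, actor, source, destination, filename, content, when):
    return TransferEvent(event, transfer_id, actor, source, destination, filename,
                         file_digest(content), when.isoformat())


def to_log_line(ev: TransferEvent) -> str:
    """Serialise as one JSON object per line, easy to ship to a SIEM."""
    return json.dumps(asdict(ev), sort_keys=True)


def parse_log(lines):
    return [TransferEvent(**json.loads(line)) for line in lines if line.strip()]


def reconcile(events, now, max_delay=timedelta(hours=24)):
    """Return (undelivered, mismatched, overdue) transfer ids, each sorted.

    undelivered: sent but no receipt recorded yet
    mismatched:  receipt digest differs from the sent digest
    overdue:     no receipt and the delivery window (assumed 24h) has elapsed
    """
    sent = {e.transfer_id: e for e in events if e.event == "sent"}
    received = {e.transfer_id: e for e in events if e.event == "received"}
    undelivered, mismatched, overdue = [], [], []
    for tid, s in sent.items():
        r = received.get(tid)
        if r is None:
            undelivered.append(tid)
            if now - datetime.fromisoformat(s.timestamp) > max_delay:
                overdue.append(tid)
        elif r.sha256 != s.sha256:
            mismatched.append(tid)
    return sorted(undelivered), sorted(mismatched), sorted(overdue)


# Constructed sample log: three transfers from an internal MFT host to partners.
T0 = datetime(2020, 4, 1, 9, 0, tzinfo=timezone.utc)
INVOICE = b"INV-1001,ACME,EUR 12000\n"
SRC = "mft.example.internal"

SAMPLE_LOG = [to_log_line(e) for e in [
    # t1: sent and acknowledged five minutes later with the same digest
    make_event("sent", "t1", "alice", SRC, "sftp.partner-a.example", "inv-1001.csv", INVOICE, T0),
    make_event("received", "t1", "partner-a-sftp", SRC, "sftp.partner-a.example", "inv-1001.csv",
               INVOICE, T0 + timedelta(minutes=5)),
    # t2: sent two days ago, never acknowledged
    make_event("sent", "t2", "alice", SRC, "sftp.partner-b.example", "inv-1002.csv", INVOICE,
               T0 - timedelta(days=2)),
    # t3: receipt exists, but the content that arrived is not what was sent
    make_event("sent", "t3", "batch-svc", SRC, "sftp.partner-c.example", "inv-1003.csv", INVOICE, T0),
    make_event("received", "t3", "partner-c-sftp", SRC, "sftp.partner-c.example", "inv-1003.csv",
               INVOICE + b"x", T0 + timedelta(minutes=1)),
]]


def reconcile_sample(now=T0 + timedelta(hours=1)):
    return reconcile(parse_log(SAMPLE_LOG), now)


if __name__ == "__main__":
    undelivered, mismatched, overdue = reconcile_sample()
    print("undelivered:", undelivered, "mismatched:", mismatched, "overdue:", overdue)
```

Because every record carries the actor, the source and a content digest, the same log answers "who moved this file", "did it arrive intact" and "which partners have not confirmed receipt within the window" without any additional tooling; an MFT platform's own audit trail should be able to export at least this much.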

2. Do You Have Visibility into Your Data Movements?

Organizations need end-to-end visibility into the flow of data files so they can anticipate and quickly respond to delivery failures and avoid missing Service Level Agreements (SLAs). For example, line-of-business (LOB) users need visibility into data transfer workflows so they can understand how file transfers affect their business services and performance. IT experts need visibility to prevent problems from occurring and to diagnose them quickly when they do. One of the major reasons organizations cannot trace data movements is that they use too many tools: different teams each using different tools, or even ad hoc scripts, to transfer files.

Solution: Audit and Streamline Duplicated Solutions

To gain better visibility, audit your existing toolset, see what is duplicated, and consolidate as many tools as possible into a single managed file transfer solution. Beyond the improved visibility, you should also spend less time managing and fixing disparate file transfer processes, and free up some IT budget by eliminating unnecessary duplication.

3. Is Your Data Secure in Transit?

Unless the only files you transfer contain no sensitive data and never leave your network perimeter, you will need to encrypt your files, both in motion and at rest, to prevent access by unauthorized users. But if you are using File Transfer Protocol (FTP), still the most common way to share files, you have no built-in data security: FTP sends commands, credentials and file contents in plaintext, so anyone who can observe the traffic can capture sensitive information.
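To make the plaintext problem concrete, here is an added example in Python that is not part of the original post: it scans the bytes of a captured FTP control-channel session, constructed inline for this example, and pulls out the login credentials and the name of every file stored or retrieved, exactly as anyone on the network path could. The same scan over an FTPS or SFTP session finds nothing, because the commands travel inside TLS or SSH; the encrypted sample below is constructed placeholder bytes standing in for a TLS record, not a real handshake.

```python
import re

# Constructed sample: one FTP control connection as it appears on the wire,
# client commands and server replies interleaved (RFC 959 style, CRLF ended).
SAMPLE_FTP_SESSION = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"USER finance-batch\r\n"
    b"331 Please specify the password.\r\n"
    b"PASS Pr0d-Transfer!2020\r\n"
    b"230 Login successful.\r\n"
    b"PASV\r\n"
    b"227 Entering Passive Mode (10,0,0,5,195,80).\r\n"
    b"STOR invoices/inv-1001.csv\r\n"
    b"150 Ok to send data.\r\n"
    b"226 Transfer complete.\r\n"
    b"RETR payroll/2020-03.xlsx\r\n"
    b"150 Opening BINARY mode data connection.\r\n"
    b"226 Transfer complete.\r\n"
    b"QUIT\r\n"
)

# Commands of interest: credentials plus anything that names a file.
_CMD = re.compile(rb"^(USER|PASS|STOR|RETR|APPE|DELE)\s+(.+?)\r\n", re.M)


def extract_ftp_secrets(stream: bytes) -> dict:
    """Return the credentials and file names visible in a plaintext FTP stream."""
    found = {"user": None, "password": None, "files": []}
    for cmd, arg in _CMD.findall(stream):
        arg = arg.decode("utf-8", errors="replace")
        if cmd == b"USER":
            found["user"] = arg
        elif cmd == b"PASS":
            found["password"] = arg
        else:
            found["files"].append((cmd.decode(), arg))
    return found


def exposes_credentials(stream: bytes) -> bool:
    """True if both a username and a password are readable in the stream."""
    s = extract_ftp_secrets(stream)
    return s["user"] is not None and s["password"] is not None


# What the same vantage point sees once the session is wrapped in TLS (FTPS)
# or carried over SSH (SFTP): opaque ciphertext. Constructed stand-in bytes.
SAMPLE_ENCRYPTED_SESSION = b"\x17\x03\x03\x00\x2a" + bytes(range(0x20, 0x4a))


if __name__ == "__main__":
    print(extract_ftp_secrets(SAMPLE_FTP_SESSION))
    print("plaintext FTP exposes credentials:", exposes_credentials(SAMPLE_FTP_SESSION))
    print("encrypted session exposes credentials:", exposes_credentials(SAMPLE_ENCRYPTED_SESSION))
```

Note that the data channel is separate from the control channel shown here; on plaintext FTP the file contents themselves are equally readable on that second connection, which is why the policy in the next section has to cover both the login and the payload.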

Solution: Develop a Consistent, Easily Understood Encryption Policy

Set a corporate policy defining which file transfers must be encrypted, and build uniform procedures to make sure it happens. The policy should ensure that all sensitive data subject to regulatory risk is encrypted both at rest and in motion. It should also require that these transfers are encrypted whether they run between servers inside your internal network or across the firewall: being inside the perimeter is not a substitute for encryption.

4. Are Your Servers and Components Secure?

Companies have many different security guidelines, while MFT servers offer numerous options. For example, an SFTP server might accept password authentication or public key authentication. An FTP server might accept plaintext connections or require TLS (FTPS).

Solution: Set, Log, and Audit Server Configurations to Uniform Standards

You will need to decide on consistent standards that meet regulatory requirements and implement an MFT solution that conforms to them. Assign security experts to configure your MFT platform correctly in accordance with your security policies. Then log and audit these configurations, and every change to them, so that no one can quietly weaken the controls on sensitive data entering or leaving the enterprise, and so that you can demonstrate compliance with regulations and policies.
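As an added example of the "set, log and audit configurations" step, not code from the original post or from any MFT vendor, the Python below encodes a small uniform standard for two common transfer servers, OpenSSH's SFTP subsystem and vsftpd, and checks configuration files against it, reporting every deviation so that drift from the approved baseline is logged rather than silently accepted. The four configuration texts are constructed for the example: a weak, default-like setup and a corrected one for each server. The directive names are real OpenSSH and vsftpd options; the standard itself is an assumption about what one organization might require, and the parser does not model sshd_config Match blocks, which can override the global settings for particular users or groups.

```python
import hashlib

# Uniform standard (assumed for this example): directive -> required value.
# OpenSSH sshd_config: key-only logins, no root, SFTP served by the in-process
# subsystem (a prerequisite for ChrootDirectory confinement).
SSHD_STANDARD = {
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "no",
    "Subsystem sftp": "internal-sftp",
}
# vsftpd.conf: no anonymous access, TLS mandatory for both logins and data.
VSFTPD_STANDARD = {
    "anonymous_enable": "NO",
    "ssl_enable": "YES",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
}


def parse_sshd_config(text: str) -> dict:
    """'Keyword value' lines; 'Subsystem <name>' keeps the name in the key."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0] == "Subsystem" and len(parts) == 3:
            conf["Subsystem " + parts[1]] = parts[2]
        elif len(parts) >= 2:
            conf[parts[0]] = " ".join(parts[1:])
    return conf


def parse_vsftpd_config(text: str) -> dict:
    """'key=value' lines, '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            conf[k.strip()] = v.strip()
    return conf


def audit(conf: dict, standard: dict) -> list:
    """One finding per directive that is missing or differs from the standard.

    A missing directive is a finding even where the server default would be
    acceptable, so the baseline does not silently change with a version upgrade.
    """
    findings = []
    for key, required in standard.items():
        actual = conf.get(key)
        if actual is None:
            findings.append(f"{key}: not set (required {required!r})")
        elif actual.lower() != required.lower():
            findings.append(f"{key}: is {actual!r}, required {required!r}")
    return findings


def fingerprint(text: str) -> str:
    """Short digest of the config text; record it with each audit so changes are traceable."""
    return hashlib.sha256(text.encode()).hexdigest()[:16]


# Constructed samples: weak and corrected configurations for each server.
WEAK_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""
HARDENED_SSHD = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Subsystem sftp internal-sftp
"""
WEAK_VSFTPD = """\
anonymous_enable=YES
local_enable=YES
ssl_enable=NO
"""
HARDENED_VSFTPD = """\
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def audit_sshd(text: str) -> list:
    return audit(parse_sshd_config(text), SSHD_STANDARD)


def audit_vsftpd(text: str) -> list:
    return audit(parse_vsftpd_config(text), VSFTPD_STANDARD)


if __name__ == "__main__":
    for name, text, check in [("sshd weak", WEAK_SSHD, audit_sshd),
                              ("sshd hardened", HARDENED_SSHD, audit_sshd),
                              ("vsftpd weak", WEAK_VSFTPD, audit_vsftpd),
                              ("vsftpd hardened", HARDENED_VSFTPD, audit_vsftpd)]:
        print(name, fingerprint(text), check(text) or "compliant")
```

Run on a schedule, or from a deployment pipeline before a server is put into service, a check like this turns the policy into something that fails loudly; the fingerprint logged alongside each result lets an auditor tie a finding to the exact configuration text that produced it.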

5. Are Your Data Movements Consistent and Efficient?

Manual, time-consuming data management and remediation processes can have a significant negative impact on operations. Lack of automation leads to manual errors and leaves fraudulent actions uncaught. IT teams spend considerable time finding data, reconciling data or fixing data problems rather than performing their core job functions. In addition, if an organization relies on assorted file transfer scripts to automate its data movements, those scripts likely do not meet regulatory compliance standards, and hand-coded scripts are more prone to breaking than MFT solutions, again leaving you unnecessarily exposed to regulatory risk.

Solution: Implement MFT Automation; Consolidate and Replace Unsecured Scripts

To address these issues, adopt data governance processes and automated tools to uncover problem data and broken processes, then resolve them. An automated managed file transfer tool can ensure that data movements are standardized. The solution should offer built-in if/then, copy, route and similar capabilities, as well as API access to shape it as needed, so that you can comply with file transfer regulations with confidence.

6. Do You Have Traceability at the User Level?

Knowing who in your organization is interacting with your data is a key aspect of data governance. Without traceability to the specific users adding data to your systems or moving files between systems, you cannot demonstrate compliance with key data governance regulations.

Solution: Set Up Roles and User Permissions

Select your centralized file transfer solution with user roles in mind. A quality platform should let you set up different roles and permissions for different users, so you can control who can access, edit, send or receive data, and so every action in the audit log is attributable to a named user or service account.

Unifying Data Movements with Managed File Transfer

To fully comply with regulations, organizations ultimately need to invest in more robust file transfer tools, which is why many are increasingly turning to managed file transfer (MFT) solutions to enable file transfer governance and ensure their broader data governance efforts succeed.

MFT tools consolidate disjointed file and data transfer services into a single, unified suite, providing visibility into all file transfers and making it easier to standardize and automate compliance with policies across the organization. These MFT software tools are built to secure data at rest and in motion with current, standard encryption and to provide detailed audit trails and logs that support regulatory compliance and SLAs.

Translated from: https://habr.com/en/post/500570/
