Compliance Statements
By using the AllardSoft File Transfer Appliance, you will be able to send large files securely within the organisation, to customers, contractors, accountants, patients, and anyone else you need to communicate with securely.
It will also help you achieve policy compliance for Sarbanes-Oxley, HIPAA, PCI and other standards by encrypting sensitive data in transit, providing cryptographically strong random access keys for accessing transmitted data, and achieving non-repudiation with download receipts that record who downloaded what, from where and at what time.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the minimum standards that health care organizations must implement to protect the security, privacy and confidentiality of patient data that is transferred over the Internet. This statement deals primarily with sections 142.308(c) and 142.308(d) of this Act.
HIPAA requires that all patient data that is transmitted over the Internet must be encrypted using industry standard 128-bit encryption algorithms. The AllardSoft File Transfer Appliance uses these algorithms as well as other methods, such as strong random number generators, to ensure data security.
| Control | Statement |
|---|---|
| Information Security | The AllardSoft File Transfer Appliance uses industry standard HTTPS protocols to ensure files are being transmitted encrypted between sender and receiver. |
| Access Controls | Each user of the AllardSoft File Transfer Appliance is logically separated from all other users and will only see files they have sent themselves. To prevent users from connecting over insecure HTTP, the File Transfer Appliance can be configured to automatically redirect any request (before any data has been sent) to HTTPS. Download links are generated using OpenSSL cryptographically strong random numbers with an entropy of 128 bits. Any file sent can only be downloaded once, and the IP address from which it was downloaded is captured and displayed in the download receipt. |
Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 requires that public companies implement IT controls to assure the accuracy of company financial records. These controls must include IT processes that provide for the security of data, central management of user accounts and the ability to audit and report on both internal and external file transfers.
Sarbanes-Oxley does not define the specifics of how these controls must be implemented, so many companies and SOX auditors have adopted the COBIT (Control Objectives for Information and Related Technology) standard for documenting, defining and evaluating internal controls. The AllardSoft File Transfer Appliance satisfies many of these COBIT controls and assists you in meeting your Sarbanes-Oxley requirements, as shown in the table below.
| Control | Statement |
|---|---|
| DS1.5 — Monitoring and Reporting | The AllardSoft File Transfer Appliance can quickly generate a report from the sent files menu. |
| DS5.1 — Remote Management | Administrators can manage the File Transfer Appliance remotely using industry standard HTTPS encryption. |
| DS5.3 — Identity Management | The File Transfer Appliance can easily be configured to authenticate users against central user repositories such as LDAP, Active Directory or an IMAP server. |
| DS5.3 — User Account Management | The File Transfer Appliance provides a web based interface to easily manage all users in the system. |
| DS5.10 — Network Security | The File Transfer Appliance can be configured to only allow encrypted connections over industry standard HTTPS connections. |
| DS5.11 — Exchange of Sensitive Data | The File Transfer Appliance can be configured to only allow encrypted connections over industry standard HTTPS connections. Download links are generated using OpenSSL cryptographically strong random numbers with an entropy of 128 bits. Any file sent can only be downloaded once, and the IP address from which it was downloaded is captured and displayed in the download receipt. |
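The one-time download link and receipt mechanism that both the HIPAA Access Controls row and the SOX DS5.11 row describe, as an added illustration that is not AllardSoft's code: it draws 128 bits from OpenSSL's CSPRNG through Python's `ssl.RAND_bytes`, allows exactly one download per link, and records the downloader's IP address and time in a receipt. The class name, the in-memory store and the hashing of stored tokens are assumptions of this example, not documented appliance behaviour.

```python
import ssl
import hashlib
from datetime import datetime, timezone

TOKEN_BYTES = 16  # 128 bits of entropy, as the compliance statement describes


def new_download_token() -> str:
    # ssl.RAND_bytes draws from OpenSSL's CSPRNG, matching the statement's
    # "OpenSSL cryptographically strong random numbers"
    return ssl.RAND_bytes(TOKEN_BYTES).hex()


class DownloadRegistry:
    """Hypothetical in-memory model of single-use download links with receipts.

    The real appliance's storage layout and API are not described on this page."""

    def __init__(self):
        self._links = {}  # sha256(token) -> link record

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash of the token so a leaked registry does not yield
        # usable links; the lookup key is then a fixed-length digest
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, filename: str, sender: str, recipient: str) -> str:
        token = new_download_token()
        self._links[self._digest(token)] = {
            "file": filename, "sender": sender, "recipient": recipient,
            "sent_at": datetime.now(timezone.utc),
            "downloaded": False, "receipt": None,
        }
        return token  # this is what goes into the link sent to the recipient

    def redeem(self, token: str, client_ip: str):
        """Return the link record on first use; None for unknown or reused links."""
        record = self._links.get(self._digest(token))
        if record is None or record["downloaded"]:
            return None  # unknown link, or the single permitted download is used up
        record["downloaded"] = True
        # The download receipt: who downloaded what, from where, and when
        record["receipt"] = {"ip": client_ip, "at": datetime.now(timezone.utc)}
        return record
```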
PCI DSS
The PCI Data Security Standard (PCI DSS) is the security standard for security management, policies, procedures, network architecture, software design and other critical protective measures for the payment processing industry, including merchants, payment device and service vendors, processors and financial institutions.
| Requirement | Statement |
|---|---|
| Install and maintain a firewall configuration to protect cardholder data | The AllardSoft File Transfer Appliance uses the built-in OpenBSD pf firewall to only allow connections to those functions on the File Transfer Appliance that are required. |
| Do not use vendor-supplied defaults for system passwords and other security parameters | The File Transfer Appliance does not come with any default passwords. Console access is disabled by default. |
| Encrypt transmission of cardholder data across open, public networks | The File Transfer Appliance uses industry standard HTTPS encryption for all communications between sender and recipient. The default configuration only allows HTTPS. |
| Assign a unique ID to each person with computer access | The File Transfer Appliance can easily be configured with a central user repository such as LDAP, Active Directory or IMAP to facilitate user provisioning. |
| Track and monitor all access to network resources and cardholder data | The File Transfer Appliance logs all files that are transmitted: who sent them, who received them, when they were sent, when they were downloaded and from where they were downloaded. |