Passing the Audit: Which Reports Demonstrate Compliance?

by Tom Scearce on February 3, 2015

Come audit time, many organizations must demonstrate that data security protocols align with regulatory standards. In an era when consumer applications in the public cloud are hijacking enterprise file sync-and-share (EFSS) processes, how can you ensure your organization will pass a compliance audit?

While requirements vary by industry, there are a few data-related standards that nearly every compliance-burdened organization should be able to demonstrate. Here, we’ll examine all of those, paying particular attention to how EFSS activities contribute to compliance.

User access to sensitive files on the network

Network activity reports should demonstrate that only certain users can access files subject to compliance standards. You should be able to show unequivocally that authorized users – and only authorized users – have such access.

But what if users are sharing sensitive data in the public cloud with applications like Dropbox and Google Drive? Since those applications don’t provide an audit trail, it may be impossible to verify who inside or outside your organization is viewing, editing, or downloading sensitive information.

To pass your audit, you should be able to generate a report that reveals:

  • effective rights to your file system(s), and
  • permissions to files in your file system(s)

Compliance is a two-way street. You should be able to select a particular file and identify all of the users who can access it. Likewise, you should be able to pick out an individual user and trace his or her rights and permissions down to the specific files to which he or she has access.

Needless to say, never store your compliance-subject files on a server where you’re unable to connect the dots between specific users and their access to sensitive data.

Data loss prevention efforts

In many industries, ensuring compliance means taking strides to prevent data loss. Audit teams need to see evidence that you’re safeguarding your data, and individual reports can demonstrate efforts to do so. Those reports should cover the following aspects of your data loss prevention strategy:

  • Data at rest: Here’s where data retention matters most. The servers where you store sensitive data should be safe from tampering and provide redundancy to mitigate hardware failure.
  • Data in use: What kinds of files do users modify? When and where do they modify them – and with what applications? Your reports should answer all of these questions.
  • Data in motion: How do users transfer data among one another or with partners and clients? If they’re using unauthorized EFSS applications to perform file transfers, you might not be able to demonstrate that a file was 100% secure at every stage of its lifecycle.

Data loss is one of the most dangerous points of failure for EFSS applications in the public cloud. Even if you manage to avoid an audit this year – and that’s not guaranteed – data loss can damage your organization in significant ways.

The takeaway: take control of your files

Regulatory compliance exists for a reason: to protect businesses and consumers from harm. If your EFSS policies and applications aren’t in compliance, you could be harming the people who keep you in business, unwittingly or not.

With a solution like Novell File Reporter, you gain a comprehensive overview of your file system. You’ll use powerful heat-map analysis to see where files reside, who can access them, and when users are modifying them. You’ll also know whether users are engaging in activities that pose a compliance risk or if certain EFSS applications are violating your organization’s data governance rules.

The reports available in File Reporter provide all the information you need to deliver a complete report to the audit team. And if you’re not up for an audit just yet, you’ll discover all of the data-related challenges that merit attention – so you are ready when the time comes.