ISACA Journal Author Blog


How to Implement MFT for Data Protection

Dave Brunswick | Published: 9/4/2018 3:18 PM | Category: Government-Regulatory

The EU General Data Protection Regulation (GDPR) outlines measures required to protect personal data and how an enterprise moves, uses and stores that data. My recent ISACA Journal article, “Protection From GDPR Penalties With an MFT Strategy,” discusses why a robust managed file transfer (MFT) and integration platform is useful for organizations looking to comply with GDPR and other data protection measures.

Here are some key steps for implementing an MFT solution to meet increasingly stringent data demands:

  1. Assess your ecosystem—It is difficult for any organization to understand all the systems and applications deployed across departments and geo-distributed locations. But it is important to understand them and the life cycle of business data to ensure GDPR compliance. A comprehensive enterprisewide assessment of every on-premise and cloud system, database, application, and storage repository is critical in determining how MFT can streamline data processing.
  2. Evaluate your best deployment architecture—Understanding the data flows and systems that will be exchanging data, along with your other architectural components, will help define the best deployment architecture for your MFT solution. Depending on the nature of your data exchanges, an on-premise, cloud or hybrid solution may enable the best control. Also, the ability to integrate with central authentication and auditing systems may be important, as might the ability to deploy as part of a broader development operations (DevOps)-driven environment.
  3. Select the software—There are numerous MFT vendors out there. Smart organizations know exactly what questions to ask an MFT vendor before selecting a solution, so they avoid committing to one that does not fit the business needs.
  4. Design the service—The project manager often will liaise with the vendor for the bulk of this work, but that person also must seek input from other personnel (e.g., enterprise architect, security and compliance managers, application analyst) to ensure that all the required business functionality, IT administration and security boxes are checked.
  5. Test, test, test—After you have captured the service flows, configure the system, partner profiles and firewall connections, and throw everything you can at it. This quality assurance period is critical to outlining each required (and potential) use case and data pattern.
  6. Deploy and support—The time between testing and production is critical because it is when operational challenges surface. Solicit your vendor’s professional services team to help with migration and implementation requirements and lean on their support teams to resolve issues upon deployment.

Read Dave Brunswick’s recent Journal article:
“Protection From GDPR Penalties With an MFT Strategy,” ISACA Journal, volume 4, 2018.

Comments

Which MFT stands out, and is Internal Audit a stakeholder/partner in MFT implementations?

Which of the MFT solutions you are most familiar with would have robust reports and analytics for the file transfers?
In your experience or that of your professional counterparts, how clued in is Internal Audit as an interested party and stakeholder from the control assurance perspective for the security of the data files?
Yolanda Baker at 9/5/2018 11:46 AM

We are most familiar with the MFT capabilities of Cleo Integration Cloud (CIC)

We are most familiar with the MFT capabilities of Cleo Integration Cloud (https://www.cleo.com/mft), a modern platform that enables flexible connectivity, secure data movement, and robust reporting and analytics for business file transfers. Such a solution jointly keeps data protected and multiple internal stakeholders informed. And while MFT traditionally has been viewed as an “IT initiative,” we do see organizations increasingly consulting personnel outside IT (line of business managers, EDI analysts, internal auditors) on the front end when issuing RFPs and evaluating solutions to ensure all – or at least most – enterprise-wide needs are accounted for.
Dave754 at 9/13/2018 2:37 PM