Differences

compliance [2019_04_11 18:43] – [Government] Updated G Cloud reference steven
compliance [2024_03_19 18:08] (current) steven
Line 1: Line 1:
-====== Compliance ======+====== Compliance Standards ======
  
 ===== GDPR ===== ===== GDPR =====
  
-Our products and services make it easier for our customers to comply with the European Union’s General Data Protection Regulation (GDPR). Storage Made Easy, as a company, is also compliant. +Our products and services make it easier for our customers to comply with the European Union’s General Data Protection Regulation (GDPR). 
- +
-For more information on the Compliance features of the File Fabric please see our [GDPR whitepapers.](https://storagemadeeasy.com/whitepapers)+
  
 The GDPR, which became active May 25, 2018, gives individuals (data subjects) in the European Union more control (rights) over how their personal data is used, and places obligations on businesses that process that data. The GDPR calls businesses that determine  what and how personal data is processed ‘data controllers’. Businesses that handle personal data only under the direction of a data controller are called ‘data processors’. Data controllers and data processors each have different obligations under GDPR. The GDPR, which became active May 25, 2018, gives individuals (data subjects) in the European Union more control (rights) over how their personal data is used, and places obligations on businesses that process that data. The GDPR calls businesses that determine  what and how personal data is processed ‘data controllers’. Businesses that handle personal data only under the direction of a data controller are called ‘data processors’. Data controllers and data processors each have different obligations under GDPR.
  
-In different scenarios, with different categories of data, Storage Made Easy and our customers may play roles either as a data controller or data processor.+In different scenarios, with different categories of data, Access Anywhere and our customers may play roles either as a data controller or data processor.
  
-==== Software (Enterprise File Fabric) ====+==== Software (Access Anywhere) ====
  
-Organizations who run the Enterprise File Fabric software in their own data centers, or on cloud platforms such as AWS EC2, Google Compute or Azure, are determining how personal data will be processed. Under GDPR, they are classified as data controllers.+Organizations who run Access Anywhere software in their own data centers, or on cloud platforms such as AWS EC2, Google Compute or Azure, are determining how personal data will be processed. Under GDPR, they are classified as data controllers.
  
 For information on how our software supports data controllers see [[gdpr-compliance]]. For information on how our software supports data controllers see [[gdpr-compliance]].
  
-==== Online Services (SaaS) ====+==== CCPA ====
  
-Individuals can create accounts through our online File Fabric servicelocated in the US and EU. Under GDPR, Storage Made Easy is a data controller for the personal data entered by those individuals in creating and managing the account.  However, for additional personal data entered by the account owner, including the credentials of their storage providers, content uploaded through the service, and for business accounts, member names and email addresses, the account owner is the data controller and Storage Made Easy is a data processor working under their direction.+[[http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375|AB-375]]California’s new privacy law came into effect on January 1st 2020. The CCPA allows anyone who resides in the state to access and obtain copies of data that companies may store on/about them with the right to delete the data as well as opting out of companies selling or monetizing their data.
  
-For information on Storage Made Easy’s responsibilities as a data controller, see our [Privacy Policy](https://storagemadeeasy.com/privacy).  For information on our role as a data processor see our [Data Processing Agreement](https://storagemadeeasy.com/data_processor).+Companies are required to comply with the CCPA if they comply with any of the following:
  
-==== Managed Services (IaaS) ==== 
  
-Storage Made Easy manages dedicated instances of our Enterprise File Fabric platform for our customers on a number of different public and private clouds including [Linode](https://linode.com)and [Memset](https://memset.com). Since the customer is determining what personal data is being collected and how it is being used, in this scenario, under GDPR, they are the data controller. For any personal data Storage Made Easy may be processing under their direction, Storage Made Easy is a data processor.+(iThey have gross revenues over $25M
  
-Information for data controllers can be found at [[gdpr-compliance]]. Storage Made Easy’s responsibilities as a data processor are outlined in our [Data Processing Agreement](https://storagemadeeasy.com/data_processor).  We also maintain subprocessor agreements with our platform vendors. Linode infrastructure compliance details and accreditations can be found [here](https://www.linode.com/compliance). Memset infrastructure compliance details and accreditations can be found [here](https://www.memset.com/about-us/security-compliance).+(ii) They are a for-profit company that does business in California and collect the information of more than 50,000 consumers, devices or households.
  
-==== Marketing, Sales and Support ====+(iii) 50% of their income is derived from selling personal information.
  
-Storage Made Easy acts a data controller for the personal data of individuals that we market to directlyengage in business with, and support. For more information on how we collect and process personal data for these individuals see our [Privacy Policy](https://storagemadeeasy.com/privacy).+Unlike the GDPR the CCPA doesn’t require companies to go through steps such as data collection consenthaving a valid reason to collect user information, or requires companies to minimize data collected, although this may occur in future revisions.
  
-===== Encryption (FIPS) =====+The Access Anywhere provides functionality that helps in satisfying CCPA requirements such as providing a mechanism to understand ‘who’ is accessing data, ‘when’, and ‘how’ through a combination of Access Anywhere's Audit event logs and Policies.
  
-The Enterprise File Fabric product’s cryptographic module has been validated by a third-party, as conforming to the Advanced Encryption Standard (AES) algorithm. The validation registration is [No. 4854](https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/Validation-List/AES%234854). (#cmnt6)The AES algorithm, as specified in [Federal Information Processing Standard Publication 197, Advanced Encryption Standard](https://csrc.nist.gov/publications/detail/fips/197/final) (FIPS PUB 197), is used to protect electronic data. It is a symmetric block cipher that can encrypt and decrypt information with cryptographic keys. Storage Made Easy uses 256-bit keys (AES-256). AES is mandatory for electronic products and services provided to the federal government. It is also required by other highly secure organizations.+Additionally when connected to Access Anywhere data content is indexed so that it can be checked for PII / PHI which can then be flagged and quarantined until it can be dealt with. 
  
-For more information see [File Encryption](https://docs.storagemadeeasy.com/cloudencryption). 
  
-===== Government ===== +===== Encryption (FIPS) =====
- +
-The Enterprise File Fabric had been approved by the UK Government for purchase by public-sector bodies through the Gov.uk [Digital Marketplace](https://www.digitalmarketplace.service.gov.uk/g-cloud/services/251427856082223). The solution is available as Cloud Software (SaaS) and hosted on UKCloud Primary Storage and Computing as a Service infrastructure.+
  
-[UKCloud](https://ukcloud.comare National Cyber Security Centre Accredited and are Home Office/PASF assured facilities and data centres for "Blue Light" services. They also have HSCIC/NHS Digital N3 Aggregator status. UKCloud are also ISO 9001, ISO 2000, ISO 27001,   ISO 27017, ISO 27018 accredited.+Access Anywhere product’s cryptographic module has been validated by a third-party, as conforming to the Advanced Encryption Standard (AES) algorithm. 
 +The validation registration is [No. 4854](https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/Validation-List/AES%234854). (#cmnt6)The AES algorithm, as specified in [Federal Information Processing Standard Publication 197, Advanced Encryption Standard](https://csrc.nist.gov/publications/detail/fips/197/final) (FIPS PUB 197), is used to protect electronic data. It is a symmetric block cipher that can encrypt and decrypt information with cryptographic keys. Access Anywhere uses 256-bit keys (AES-256). AES is mandatory for electronic products and services provided to the federal governmentIt is also required by other highly secure organizations.
  
-For more information see [Secure Unified File Sharing and Collaboration for UK Government Cloud](https://storagemadeeasy.com/gcloudready).+For more information see [[cloudencryption]].
  
 ===== Healthcare ===== ===== Healthcare =====
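Review bot: in the Encryption (FIPS) section, the sentence "Access Anywhere product's cryptographic module has been validated by a third-party, as conforming to the Advanced Encryption Standard (AES) algorithm" together with the section title reads as a FIPS 140 module validation, but the linked registration No. 4854 is an entry on the Cryptographic Algorithm Validation Program AES list, which certifies only the AES implementation; reword to "the AES implementation has been validated under NIST's CAVP (AES certificate No. 4854)" and drop or qualify "cryptographic module" unless a separate CMVP certificate exists. The stray "(#cmnt6)" after that link is a leftover comment anchor and should be removed. In the CCPA section, "comply with any of the following" should read "meet any of the following", "(iThey" is missing its closing parenthesis and space, and "or requires companies to minimize data collected" should be "or to minimize data collected" so the sentence lists what the CCPA does not require.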
Line 58: Line 53:
 *   Ensure that there is compliance by the workforce. *   Ensure that there is compliance by the workforce.
  
-Ways in which the Storage Made Easy Cloud Appliance satisfies HIPAA:+Ways in which the Access Anywhere Cloud Appliance satisfies HIPAA:
  
 **Data Access**: This can be controlled using access control lists, to enable data to be only accessed by authorised personnel over https. Also IP GEO-restrictions can be implemented to restrict geographic access. The actual legislative wording regarding restricted access to data is: **Data Access**: This can be controlled using access control lists, to enable data to be only accessed by authorised personnel over https. Also IP GEO-restrictions can be implemented to restrict geographic access. The actual legislative wording regarding restricted access to data is:
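Review bot: "Ways in which the Access Anywhere Cloud Appliance satisfies HIPAA" overstates what a product can do; HIPAA obligations fall on the covered entity, which the Disclaimer further down acknowledges, so "helps customers address HIPAA requirements" is the accurate phrasing.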
Line 64: Line 59:
 “Allow access only to those persons or software programs that have been granted access right.” (Section 164.312(a)(2)(1)) “Allow access only to those persons or software programs that have been granted access right.” (Section 164.312(a)(2)(1))
  
-**Remote / Offsite Access to data**: Storage Made Easy provides a service which can be configured to be part of a disaster recovery plan enabling data to be accessed in the event of fire, flood, natural disaster, inadvertent deletions, viruses, hacking, theft or any other contingency. The actual legislative wording is:+**Remote / Offsite Access to data**: Access Anywhere provides a service which can be configured to be part of a disaster recovery plan enabling data to be accessed in the event of fire, flood, natural disaster, inadvertent deletions, viruses, hacking, theft or any other contingency. The actual legislative wording is:
  
 ”Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” (HIPAA, Section 164.308(a)(7)(i)). ”Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” (HIPAA, Section 164.308(a)(7)(i)).
  
-**Physical Security of Data**: Storage Made Easy supports over 55 clouds. Our [Cloud Appliance](https://storagemadeeasy.com/ownFileserver)can be hosted on Amazon EC2 and HIPAA data can be stored using the Amazon S3 data cloudFurther information on Amazon and HIPAA can be found in the AWS white paper [Architecting for HIPAA Security and Compliance on Amazon Web Services](https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf).+**Event Logging**: HIPAA solutions should enabled audit logging and drill down of file events to enable checks on file access and change and from which IP Address these were madeSuch audit and event logging is built into the Access Anywhere solution.
  
-**Event Logging**: HIPAA solutions should enabled audit logging and drill down of file events to enable checks on file access and change and from which IP Address these were made. Such audit and event logging is built into the Storage Made Easy solution. +**Encryption**: The privacy rules regulations describe ensuring data is encrypted when “in flight” and when “at rest”.   Access Anywhere and Amazon directly both support AES 256 bit encryption at a file level and data can be sent over secure channels.
- +
-**Encryption**: The privacy rules regulations describe ensuring data is encrypted when “in flight” and when “at rest”.   Storage Made Easy and Amazon directly both support AES 256 bit encryption at a file level and data can be sent over secure channels.+
  
 **Disclaimer** **Disclaimer**
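Review bot: removing the **Physical Security of Data** paragraph leaves the retained **Encryption** line "Access Anywhere and Amazon directly both support AES 256 bit encryption at a file level" referring to Amazon with no remaining mention of AWS hosting in this section; either drop "and Amazon directly" or keep one sentence that says where the data is stored. Also "HIPAA solutions should enabled audit logging" should be "should enable", and "data can be sent over secure channels" would be more useful to an assessor if it named the transport protection, as the **Data Access** paragraph already does with "over https".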
Line 78: Line 71:
 This information is not intended to constitute legal advice.   You are advised to seek the advice of counsel regarding compliance with HIPAA or refer to the HIPAA section of the U.S. Department of Health and Human Services' website, which can be found at: [http://www.hhs.gov/ocr/hipaa/](http://www.hhs.gov/ocr/hipaa) This information is not intended to constitute legal advice.   You are advised to seek the advice of counsel regarding compliance with HIPAA or refer to the HIPAA section of the U.S. Department of Health and Human Services' website, which can be found at: [http://www.hhs.gov/ocr/hipaa/](http://www.hhs.gov/ocr/hipaa)
  
 +[[https://storagemadeeasy.com/files/beaf6033b72e3a7540e2f11839d01bb7.pdf|Download]] HIPAA Statement
 +
 +===== Auditing & Family Education Rights & Privacy Act (FERPA) =====
 +
 +FERPA is the federal privacy law for educational institutions and has regulatory compliance requirements for student educational records. 
 +
 +The Access Anywhere's detailed audit event logs and access polices can be used to help track 'who' had access to data , 'when', and 'why'.
 +
 +Note that FERPA compliance regulations specifically prohibit educational institutions from disclosing "personally identifiable education information" without a student's written permission.
 +
 +### Also See
  
 +[[cloudappliance:acceptable_use_policies|]]
 +[[security|Security Framework]]
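Review bot: the FERPA paragraph says audit event logs and access policies help track "'who' had access to data , 'when', and 'why'"; an event log records who accessed what and when, not why, so this should match the CCPA section's "'who' is accessing data, 'when', and 'how'". Style: "### Also See" is a Markdown heading on a page that otherwise uses DokuWiki "=====" headings, so use "===== Also See =====" for consistency; "The Access Anywhere's" should be "Access Anywhere's", "access polices" should be "access policies", and "[[cloudappliance:acceptable_use_policies|]]" has an empty link title.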