Data Privacy and Legislation
General Data Protection Regulations (GDPR)
As of May 2018, the European Union’s General Data Protection Regulations (GDPR) came into full effect. The GDPR replaces the Data Protection Directive 95/46/EC and is designed to strengthen and unify data privacy laws across Europe.
FMAudit has implemented a structured and comprehensive GDPR compliance program to help ensure readiness for the regulation when it took place and has on-going compliance post-implementation. The program consists of, among other things, training of staff, audit and risk assessment across the business, policies and procedures, governance and ongoing compliance. We encourage our customers to take similar steps to ensure their own businesses are prepared for the GDPR when it takes effect and also for the years to come.
For more information on GDPR, visit https://eugdpr.org/
Health Insurance Portability and Accountability Act (HIPAA) Regulations
Health Insurance Portability and Accountability Act (HIPAA) aims to protect all medical records and other individually identifiable health information that is communicated, stored, or disclosed in any form. This goal prevails whether the information is being communicated electronically, in printed format or verbalized.
The FMAudit products are fully compliant with the HIPAA regulations as FMAudit products do not store, process, monitor or manage any patient records or any records or information that are specific to any one patient or group of patients. The product engine communications are controlled, using limited access to contact a specific IP address and/or range. All communications must originate from the FMAudit products, and there is no way to contact and access the products from outside the network. The communication outside of the network uses a proprietary, compressed data stream that is sent using industry-standard SSL over HTTPS.
For more information about HIPAA, visit http://www.hhs.gov/ocr/privacy/
Federal Information Processing Standard (FIPS)
The Federal Information Processing Standard Publication 140-2, (FIPS PUB 140-2), is a United States government computer security standard used to approve cryptographic modules. The standards describe document processing, encryption algorithms, and other information technology standards.
The FMAudit Onsite and ECI DCA data collection tool and FMAudit Central is fully compliant with FIPS regulations and
standards.
Sarbanes-Oxley Regulations
Sarbanes-Oxley compliance is not affected by usage of FMAudit Central, ECI DCA, or FMAudit Onsite software applications as FMAudit software is not intended to be used as part of an internal control structure as outlined in Section 404: Management Assessment of Internal Controls but will not interfere with these controls. Information Technology controls are an important part of complying with Sarbanes-Oxley. Under this Act, corporate executives become responsible for establishing, evaluating and monitoring the effectiveness of internal control over financial reporting. There are IT systems in the market that are designed specifically for meeting these objectives.
FMAudit software is not designed as an IT control system but will not interfere or put at risk other systems that are intended for that purpose.
For more information about Sarbanes-Oxley, visit http://www.sec.gov/about/laws/soa2002.pdf
Gramm-Leach-Bliley Act (GLBA) Regulations
Gramm-Leach-Bliley Act (GLBA) compliance is not affected by usage of FMAudit Central, ECI DCA, or FMAudit Onsite software applications as the use of FMAudit software applications are not seen to have an impact on compliance with the Gramm-Leach- Bliley Act (GLBA) for covered entities. This is because FMAudit software applications do not collect, house or transmit any information regarding the content of print jobs, so have no way of accessing, housing or transmitting customers’ personal financial information, even if this information is printed or otherwise sent to print devices monitored by FMAudit software applications.
For more information about the Gramm-Leach-Bliley Act, visit http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
Federal Information Security Management Act (FISMA) Regulations
Federal Information Security Management Act (FISMA) compliance is not affected by usage of FMAudit Central, ECI DCA, or FMAudit Onsite software applications as FMAudit software applications are not intended to be part of an internal control system for FISMA but will not interfere with these controls. The use of FMAudit software applications are not seen to have an impact on compliance with FISMA for covered entities. This is because FMAudit software applications do not collect, house or transmit any information regarding the content of print jobs, so have no way of accessing, housing or transmitting high risk information, even if this information is printed or otherwise sent to print devices monitored by FMAudit software applications.
For more information about the FISMA, visit http://csrc.nist.gov/groups/SMA/fisma/index.html
Payment Card Industry Data Security Standards (PCI DSS) Regulations
PCI DSS (Payment Card Industry Data Security Standards) compliance is not required for FMAudit Central, ECI DCA, or FMAudit Onsite software applications as the PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS standards apply to all organizations that store, process or transmit cardholder data. These organizations must be PCI DSS compliant.
The use of FMAudit solutions does not have an impact on PCI DSS compliance. FMAudit software applications do not store, process or transmit cardholder data or personal information. FMAudit solutions also does not collect, house or transmit any information regarding the content of print jobs, so has no way of accessing, housing or transmitting customers’ personal financial information, even if this information is printed or otherwise sent to print devices monitored by FMAudit software.
For more information about PCI DSS compliance, visit https://www.pcisecuritystandards.org/security_standards/index.php20
Transport Layer Security (TLS) Updated Protocol Compliance
Transport Layer Security (TLS) is a protocol that secures data communicated between clients/servers via the internet. It is a more secure version of its predecessor, Secure Sockets Layer (SSL). TLS provides data privacy and integrity, encrypting data to ensure no third-party can read or tamper with it while transmitted to a client/server.
A connection with potential weaknesses, such as TLS 1.0, could expose sensitive data such as usernames, passwords and credit card numbers. As a result, security standards like the Payment Card Industry Data Security Standard (PCI DSS) have been updated to require the use of newer TLS versions that address these weaknesses and use stronger encryption. As of July 1st, 2018, TLS 1.0 will no longer be compliant by PCI security standards and so merchants must update to TLS 1.1 or higher prior to this date to continue processing card payments. Again, it is important to note that PCI security standards do not apply to FMAudit solutions as the software does not store, process or transmit cardholder data. However, recommendations in the PCI security standards, specifically the use of TLS 1.1 and higher, may indirectly affect applications like the ECI DCA and FMAudit Onsite data collection agent that communicates via the internet.
ECI DCA and FMAudit Onsite was built on Microsoft .NET Framework 2.0, which originally did not support TLS 1.1 and TLS 1.2 because these protocols were released after it was created. Onsite v3.7.4 or newer supports TLS 1.1 and 1.2 if the latest Windows Updates and some OS-specific Hotfixes are installed. TLS 1.1 and TLS 1.2 are not available for Windows XP, Server 2003, Vista and Server 2008, so if TLS 1.0 is disabled on the Central server then these systems will not be able to communicate with Central. FMAudit Central v4.5 and newer include ECI DCA 1.4.0 and FMAudit Onsite v3.7.4 that will automatically attempt to install the required Hotfixes for each host OS version where the application is installed.