RightFax: The Compliance Tool
I am often asked by senior officers from many of our banking customers if RightFax has a specific accreditation or compliance. It’s often the case that the person asking the question doesn’t know what is meant by compliance or how the specific regulatory body or accreditation works.
In practice, many accreditations are in fact not applied to the software application but to the customer themselves. This is almost always a revelation to the customer. Once we and the customer agree that the goal is to help them achieve compliance with the use of a software tool—not get the software itself accredited—then we can start a sensible dialog about compliance.
In the financial services industry, security, integrity of data, auditing, preservation of data and retention cycles are some of the main facets of providing a healthy and profitable business. There are many accreditation schemes and levels that the bank or company can then use to measure their own level of service. And if their level of service is sufficient, they can apply to one of these bodies for accreditation.
We can often deploy RightFax to help a customer achieve the desired accreditation or compliance certificate. This is because it is relatively simple to draw parallels between each compliance requirement and specific features in our RightFax software. In carrying out this exercise, we effectively draw up a battle card of the features and functions that support each compliance requirement.
We recently did this for a customer in Luxembourg who wanted to achieve two new accreditations: L’Institut Luxembourgeois de la Normalisation, de l’Accréditation, de la Sécurité (ILNAS) certification for the company as a whole, and top-level accreditation within their organization against their in-house CIA (Confidentiality, Integrity, and Availability) rating.
The result of this involvement was a formal document describing our ability to support ILNAS with RightFax features. This document can be used as a basis for ILNAS qualification for other customers in the future. The main points made are listed below and you can get the full document from me.
E-Archiving and E-Retention
RightFax provides mechanisms to age and purge faxes in compliance with retention and disposition policies. These features are described in detail in the RightFax administration guide. They can be extended by combining fax archiving in RightFax with other OpenText products such as Case360 and Alchemy, both of which provide professional-level records management functionality. In addition to aging and purging mechanisms, RightFax can notify senders of document retention periods and deletion milestones, and it can store all audit logs for indefinite periods. These features meet a key requirement of ILNAS; please refer to section 5.2.3 of the “Technical Regulation requirements and measures for accrediting Digitization and/or Archiving Service Providers (PSDC).”
Encrypted and certified delivery mechanisms are a key part of RightFax. In addition to these mechanisms, RightFax works with well-known certificate authority and SSL schemes. Please see section 10 of the “Technical Regulation requirements and measures for accrediting Digitization and/or Archiving Service Providers (PSDC).”
Volume and Timeliness
As part of ILNAS, attention is paid to the tracking of document volume and the timeliness of notification to users. Many financial institutions use RightFax to manage transactions precisely because of its ability to measure and control traffic volume, and meet strict deadline requirements. Please see the RightFax Administrator’s guide and Annex D of the “Technical Regulation requirements and measures for accrediting Digitization and/or Archiving Service Providers (PSDC).”
Declaration and specification of system availability is also a key feature of RightFax. There are multiple mechanisms which enable RightFax to meet varying levels of availability. Please see Appendix 5: Business Continuity and OpenText Fax Server and Annex D of the “Technical Regulation requirements and measures for accrediting Digitization and/or Archiving Service Providers (PSDC).”
The following is a short list of some key requirements met by RightFax at “Customer” Nederland that give it a CIA 1.1.1 rating. A full report on RightFax’s CIA rating with the “Customer” is available upon request. In general, RightFax leverages Microsoft Windows security mechanisms.
- Authentication: Active Directory and Windows Integrated Security
- Authorization: Role-based access levels on top of Active Directory, providing extra and more granular access control where necessary
- Database Used: SQL Server 2008
- Database Credentials: Windows-integrated authentication
- Port Management: Only specific known ports open between RightFax services
- Data Management: Images are stored as encrypted TIF files; these images cannot be opened by third-party viewers
- Data Management SQL: Fax metadata is stored in a SQL Server database; this database can be encrypted
- Web Interface and Security: All web communication is over HTTPS and is controlled by Certificate Authority and SSL
- Resiliency and Recovery: RightFax provides multiple mechanisms for data redundancy, high availability and recovery. Please see the appendices
Again, if you want more detail please contact me at email@example.com.