LiquidFiles Documentation

Compliance

Is LiquidFiles compliant with PCI, SOX, HIPAA, ISO 27001, ...?

In short: Yes — LiquidFiles can help you achieve compliance with almost any standard you wish to adhere to.

Overview

Often, when we are asked whether LiquidFiles is compliant with a specific standard, the organization asking seems to hope that simply installing LiquidFiles in their environment will take care of all compliance requirements for secure file transfer. Although LiquidFiles can meet almost any technical security control posed by standards and auditors, it is unfortunately not as simple as installing LiquidFiles and becoming compliant.

Firstly, LiquidFiles is a product that is installed in your environment: on your hardware or virtual platform, on your network infrastructure, behind your firewall(s), IPSs, reverse proxies and so on. From a compliance perspective, that means all of these components need to be compliant. If, for instance, you install LiquidFiles on the same network as other systems that transmit anything in cleartext, you will most certainly fail certification regardless of having LiquidFiles.

Standards are also very rarely specific and instead filled with generic language such as the following lifted from HIPAA:

Person or entity authentication — §164.312(d):
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Does this mean that username/password is sufficient, or does it require two factor authentication? That is not at all clear, and what ends up happening is that auditors are required to interpret the standard and what it means for your industry and your organization. LiquidFiles supports both username/password and two factor authentication, whichever is required. But it is up to the auditor to determine what is needed in your situation.

Also, information security standards are mostly about the organisation and very little about technical controls that would involve a product like LiquidFiles. ISO 27001:2022 has 93 controls organised into four themes:

  • Organisational Controls (37 controls) — policies, governance, roles and responsibilities, supplier management, incident management, business continuity, legal compliance.
  • People Controls (8 controls) — screening, employment terms, training, disciplinary processes, remote working.
  • Physical Controls (14 controls) — physical perimeters, entry controls, facility security, equipment maintenance and disposal.
  • Technological Controls (34 controls) — access management, cryptography, network security, logging, malware protection, secure development.

As you can see, the majority of these controls are about your organisation's policies, people and physical infrastructure — none of which a software product can address. LiquidFiles primarily maps to the Technological Controls and a handful of access-related Organisational Controls. While installing LiquidFiles will certainly help you achieve strong security for transferring files, it won't do anything for your human resources security, physical security or the other organisational components that make up an Information Security Standard.

Detailed Compliance Mappings

We have created detailed compliance mapping pages for the most commonly requested standards. Each page explains how LiquidFiles addresses the relevant technical controls, clearly identifies what is your responsibility as the operator, and includes a downloadable spreadsheet you can provide to your auditors.

  • ISO 27001:2022 — mapping of all 93 Annex A controls, focusing on the 34 Technological Controls (A.8).
  • SOC 2 — mapping of the Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy).
  • Sarbanes-Oxley (SOX) — mapping of Section 404 IT General Controls (Access, Change Management, Operations, Backup, Logical Security, Segregation of Duties).
  • HIPAA — mapping of Security Rule safeguards (Technical, Physical and Administrative) under 45 CFR §164.
  • PCI DSS 4.0 — mapping of all 12 requirements covering network security, data protection, access control, logging, vulnerability management and secure development.

Conclusion

We have many customers that have used LiquidFiles to achieve compliance with various standards such as PCI DSS, SOX, HIPAA and ISO 27001. You will still need to get your environment certified to ensure that you meet your security requirements according to the standard you want to adhere to, but LiquidFiles will give you strong coverage across the technical security controls that auditors look for in a file transfer solution.