My main concern besides the size of the upload (> 15GB) is that our financial data is being transmitted via FTP (the contents are actually in an encrypted .zip file) into an uncontrolled environment. I have no idea who has the data and what they are doing with it.
Hi - While I’m certain the vendor means well and desires to provide the best levels of support, I would recommend changes to strengthen security in the process. The key being the protection of the confidentiality of any customer or financial data involved (which is a main theme of SOX 404).
Techniques can certainly vary in support programs, and the full upload may be needed at times to verify perhaps the entire integrity of a relational database (e.g., indexes, views, referential integrity, etc.). But it should be the exception rather than the rule (e.g., only if the standard VPN approach doesn’t solve the problem and where the vendor has more industrial-strength diagnostic tools at their site).
In your contractual arrangements, I’d ensure that the vendor uses a fiduciary approach as caretakers of any data being transmitted. They must not expose account information or privacy in any manner. Most vendors I’ve worked with adhere to these principles, but they should be constantly emphasized just to ensure there is appropriate awareness.
The changes may take considerable discussion with the vendor. Keep expressing your concerns, as they are definitely security related, and if financial information is involved there might be SOX 404 concerns as well.