Score your file-transfer audit gaps.
Answer 12 operational questions and get a browser score mapped to DORA evidence, NIST CSF 2.0 outcomes, and CIS Controls. The report is intentionally practical: what is missing, what to fix first, and what a pilot should prove.
The 12 questions, each with the evidence it expects:

1. Every file-transfer flow has an owner and purpose
   Counterparty, protocol, owner, data class, schedule, and business process are documented.

2. MFT providers are represented in the ICT third-party register
   Provider, subcontractor, location, exit path, and service criticality are available for review.

3. Contracts include audit, incident, location, and exit obligations
   Security obligations are written down, not only implied by vendor marketing pages.

4. Admin and user access uses SSO plus MFA
   No shared admin accounts, local-only passwords, or long-lived external partner accounts.

5. Access is scoped per room, flow, role, or counterparty
   Teams can prove who can read, write, approve, and administer each transfer path.

6. Files are encrypted in transit and at rest
   TLS/SFTP/HTTPS transport plus storage encryption and clear key-management ownership.

7. Inbound files are scanned or quarantined before release
   Unknown files do not land directly in business systems without inspection or approval.

8. Audit logs capture uploads, downloads, failures, approvals, and admin actions
   Logs are usable as evidence, not only low-level server traces.

9. Audit logs are centralized and retained for at least 90 days
   Logs survive server replacement and can be exported during security or audit review.

10. Failed transfers and suspicious activity generate alerts
    Operations can detect broken flows, failed-auth bursts, and stuck scheduled jobs quickly.

11. Incident notification ownership is defined
    There is a named owner and timeline for notifying customers, regulators, or counterparties.

12. Recovery and exit procedures are tested
    A team can move critical file flows away from the current provider without improvising.
Want the evidence-pack view?
Use the DORA page when the buyer needs article mapping and a pilot narrative.