
Proactive Security: E-mail Archiving and Retention

If your organization does any type of business over e-mail, then you need to be saving every e-mail your mail system sends or receives. Period. End of story. No way around it.

The need for this was something I had always been aware of, but it wasn’t something I completely acknowledged until an IT strategy meeting with a local client. That client asked a pretty simple question: “If I am involved in some form of litigation and I have to show proof that an e-mail was sent at a certain time with specific content, and that this e-mail has not been tampered with, how am I going to make this happen?”

Unfortunately, this isn’t just one of those things that are nice to have; it’s required. Thanks to the Sarbanes-Oxley Act of 2002, public companies must prove:

“their internal controls and audit trails are sound and that their processes are capable of producing certifiably correct data. Companies must retain all correspondence created, sent, or received ‘in connection with an audit or review’ of a public company for a period of seven years, during which time these records must be non-erasable and non-rewritable. This includes any ‘electronic records’ such as email, particularly relating to subjects, departments or individuals involved in auditing procedures. Failure to comply is a crime, punishable by up to 10 years in jail.”

So what type of system can be implemented in order to make this happen? Luckily, there is a whole segment of the IT industry devoted to this. Some of the more popular products that achieve this goal include:

Any of these products, and several more not listed, can help you implement a secure, compliant method of archiving e-mail messages. These solutions aren’t exactly cheap, but the return on investment comes quickly the first time that being able to reproduce an e-mail, and show it has not been altered, saves your company from a multi-million-dollar lawsuit.
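To make the client’s question concrete (prove what was received, when, and that it has not been changed since), here is an added example of the integrity mechanism an archive needs underneath the retention policy. It is not code from the original post or from any of the products above. Everything in it is an assumption for illustration: the `ARCHIVE_KEY`, the record layout, the function names, and the sample messages are constructed here. Each archived message is hashed, and a keyed MAC covers that hash, the archive’s own receipt time, and the previous record’s MAC, so editing a stored message, backdating a record, or deleting an interior record shows up on verification.

```python
import hashlib
import hmac
import json
from email import message_from_string, policy

# Hypothetical archive key (assumption for this example). In a real archive it would
# live in an HSM or similar, so whoever can edit the mail store cannot re-MAC records.
ARCHIVE_KEY = b"example-archive-key-not-for-production"
GENESIS = "0" * 64  # 'prev' value for the first record in the chain


def canonical_bytes(raw_message: str) -> bytes:
    """Normalize line endings so one message hashes the same however it was transported."""
    return raw_message.replace("\r\n", "\n").encode("utf-8")


def message_digest(raw_message: str) -> str:
    """SHA-256 over the canonicalized raw message (headers and body)."""
    return hashlib.sha256(canonical_bytes(raw_message)).hexdigest()


def record_mac(record_body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of every record field except 'mac'."""
    encoded = json.dumps(record_body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(ARCHIVE_KEY, encoded, hashlib.sha256).hexdigest()


def append_record(chain: list, raw_message: str, received_at: str) -> dict:
    """Index one message. received_at must come from the archive's clock: the sender's
    Date header is attacker-controlled, so it is kept only as evidence, not relied on."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = {
        "seq": len(chain),
        "received_at": received_at,
        "message_id": str(msg["Message-ID"]) if msg["Message-ID"] else None,
        "date_header": str(msg["Date"]) if msg["Date"] else None,
        "digest": message_digest(raw_message),
        "prev": chain[-1]["mac"] if chain else GENESIS,  # links this record to the last one
    }
    record = dict(body, mac=record_mac(body))
    chain.append(record)
    return record


def verify_chain(chain: list, messages: list) -> list:
    """Return seq numbers of records whose MAC, chain link, or stored message fails."""
    failed, prev = [], GENESIS
    for position, (record, raw) in enumerate(zip(chain, messages)):
        body = {k: v for k, v in record.items() if k != "mac"}
        mac_ok = hmac.compare_digest(record["mac"], record_mac(body))
        link_ok = record["prev"] == prev and record["seq"] == position
        data_ok = record["digest"] == message_digest(raw)
        if not (mac_ok and link_ok and data_ok):
            failed.append(record["seq"])
        prev = record["mac"]
    return failed


# Constructed sample correspondence for this example (not real mail).
SAMPLE_MESSAGES = [
    "From: alice@example.com\r\nTo: bob@example.com\r\n"
    "Date: Fri, 02 Nov 2007 13:40:00 -0500\r\nMessage-ID: <1@example.com>\r\n"
    "Subject: Q3 audit figures\r\n\r\nBob, attached are the Q3 figures we discussed.\r\n",
    "From: bob@example.com\r\nTo: alice@example.com\r\n"
    "Date: Fri, 02 Nov 2007 14:05:00 -0500\r\nMessage-ID: <2@example.com>\r\n"
    "Subject: Re: Q3 audit figures\r\n\r\nReceived, thanks. Filing with the audit review.\r\n",
]


def build_sample_chain() -> list:
    chain = []
    for i, raw in enumerate(SAMPLE_MESSAGES):
        append_record(chain, raw, f"2007-11-02T18:4{i}:00Z")
    return chain


def demo_tampering() -> dict:
    """Which records verification flags under several tampering scenarios."""
    chain = build_sample_chain()
    edited = list(SAMPLE_MESSAGES)  # stored message body changed after archiving
    edited[0] = edited[0].replace("Q3 figures we discussed", "revised Q3 figures")
    backdated = [dict(r) for r in chain]  # record field changed without the key
    backdated[0]["received_at"] = "2007-11-05T09:00:00Z"
    return {
        "intact": verify_chain(chain, SAMPLE_MESSAGES),
        "edited_message": verify_chain(chain, edited),
        "backdated_record": verify_chain(backdated, SAMPLE_MESSAGES),
        "interior_deleted": verify_chain(chain[1:], SAMPLE_MESSAGES[1:]),
        "tail_deleted": verify_chain(chain[:1], SAMPLE_MESSAGES[:1]),
    }
```

Note the last scenario: dropping the most recent record and its message leaves a chain that still verifies, because nothing after it points back to it. That is the gap a hash chain alone cannot close, and it is why the current head MAC (or periodic snapshots of the whole index) should be committed somewhere the archive administrator cannot rewrite, such as write-once media or a third-party timestamping service; the chain then proves integrity and order between those anchor points.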

  1. November 2nd, 2007 at 13:52 | #1

    A key part of the SoX Act is “non-erasable and non-rewritable” … have you come across WORM media?

    http://en.wikipedia.org/wiki/WORM

  2. November 2nd, 2007 at 14:34 | #2

From what research I’ve done, SoX doesn’t require the use of WORM media. The only regulation that mentions use of this type of media is SEC Rule 17a-4. Obviously you are going to be more secure in the archiving of data with WORM media, but it isn’t a requirement.

    I would think an effective combination of WORM media used at longer intervals (quarterly or bi-annually) along with real time standard media archiving would be sufficient.

  3. AlaskaLoneWolf
    November 14th, 2007 at 15:29 | #3

    That is truly impressive. Seven years?

  4. January 3rd, 2008 at 01:21 | #4

Chris, building on this concept: how can we eliminate unsolicited e-mail from our systems? This would include SPAM or other forms of communication that are sent into our system without authorization.

    Also, keep in mind that in some situations we can not use white-listing, etc.

    What e-mail filtering solutions are the best? Should we layer technologies and how? I thought these were some interesting things to consider.
