Sarbanes Oxley Compliance Journal

E-Mail Control and Compliance: Sarbanes-Oxley and the Corporate Messaging Infrastructure

By Mike Rothman, VP of Marketing, CipherTrust

The bulk of information in virtually every modern company is created, stored and shared electronically, and e-mail has emerged as the transport backbone for this communication. In the past year alone, message volume has skyrocketed: according to the Radicati Group, the average corporate user sends and receives 14.7 MB of e-mail data per day in 2004, up 53 percent from the previous year.

The role of e-mail in Sarbanes-Oxley compliance cannot be overstated. Protecting e-mail in a systematic, repeatable fashion is critical to three things the Act depends on: effective internal control over financial reporting, encryption of messages that leave the company, and active enforcement of policy rather than after-the-fact review. A closer look at e-mail's place in corporate information security shows that it can make or break a company's efforts to comply with Sarbanes-Oxley.

Sarbanes-Oxley Sweeps through both Corporate and IT Controls

The changes required to ensure Sarbanes-Oxley compliance reach across nearly all areas of a corporation. Gartner Research went so far as to call the Act "the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression." It has a direct impact on many areas of information technology, requiring significant changes and expenditures. Before diving into the details on Sarbanes-Oxley and e-mail, here is a quick refresher on the pertinent areas of the law. At the highest level, the Sarbanes-Oxley Act of 2002 and the associated rules adopted by the Securities and Exchange Commission (SEC) require certain businesses to report on the effectiveness of their internal controls over financial reporting. Effective internal controls protect information integrity by mandating the confidentiality, privacy, availability, controlled access, monitoring and reporting of corporate and customer financial information.

Companies that must comply with Sarbanes-Oxley include U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. U.S. companies with market cap greater than $75M and on an accelerated (2004) filing deadline are required to comply for fiscal years ending on or after Nov. 15, 2004, though some with market caps less than $700 million may have qualified for a 45-day extension. All others are required to comply for fiscal years ending on or after April 15, 2005.

For IT departments, the new requirements are driving significant changes in the technology infrastructure underlying the business. In May 2003, AMR Research estimated that the Fortune 1000 would spend more than $2.5 billion on initial compliance. Since the bulk of information in most companies is created, stored, transmitted and maintained electronically, one can reasonably conclude that IT shoulders the lion's share of the responsibility for Sarbanes-Oxley compliance.

Intersection of Security Policy and Compliance

There is a natural intersection between best-practice information security policies and the requirements found in Sarbanes-Oxley and other regulations. Information security policies should govern network security, access controls, authentication, encryption, logging, monitoring and alerting, and pre-planned, coordinated incident response and forensics.

These components support information integrity and data retention, and they make IT audits and business continuity possible. To comply with Sarbanes-Oxley, companies must be able to show conclusively that they have reviewed quarterly and annual financial reports, that the information in them is complete and accurate, and that effective disclosure controls and procedures are in place and maintained so that material information is made known.

Nowhere is this intersection more apparent than in Section 404 of Sarbanes-Oxley, which deals with internal controls. Management must show that it has established an effective internal control structure and procedures for accurate and complete financial reporting. In addition, the company must produce documented evidence of an annual assessment of the internal control structure's effectiveness, attested to by a registered public accounting firm.

By instituting effective e-mail controls, organizations not only support compliance with Sarbanes-Oxley Section 404; they also take a giant step in the right direction for overall e-mail security. Despite its evolution into a business-critical application, e-mail remains one of the most exposed areas of a technology infrastructure. Nearly every major virus outbreak over the past two years has been propagated by e-mail.

One of the fastest-growing types of fraud is now phishing, which uses bogus e-mail and websites that closely resemble an established online brand. Typically, the victim enters information (personal or corporate) into a form on the imposter site, which relays it to the fraudster. Although this form of fraud is relatively new, its prevalence is exploding: from November 2003 to May 2004, phishing attacks increased by 4,000 percent, creating significant exposure to the disclosure of trade secrets and to violations of federal confidentiality legislation. All of this bears on the compliance process.

E-mail: Access, Transport, Retention and Compliance

To meet the point where security controls and regulatory compliance intersect, enterprises must deploy a solution that actively enforces policy, stops offending mail both inbound and outbound, and halts threats before internal controls are compromised, rather than passively noting violations as they occur. An effective e-mail security solution must address every aspect of controlling access to electronically stored company financial information: access during transport as well as access to static information held at the company or on a remote site or machine. Given the wide functionality of e-mail and the broad spectrum of threats that face e-mail systems, ensuring appropriate access control at all of these points requires:

• A capable policy enforcement mechanism to set rules in accordance with each company's system of internal controls;

• Encryption capabilities to ensure privacy and confidentiality through secure, authenticated transport and delivery of e-mail messages;

• Secure remote access that lets authorized users reach e-mail from outside the company while keeping unauthorized users out;

• A process that stores e-mail messages related to the financial process (as dictated by the compliance policy) for a specified period of time, and a method for rapidly and cost-effectively retrieving those messages from the archive;

• Anti-spam and anti-phishing technology to keep malicious code off machines and to prevent private information from being handed to unauthorized parties.

For years, corporations addressed their various e-mail security needs through a mixture of third-party point products, each designed to cover a specific area of vulnerability. Today this approach is ineffective. New, amorphous threats adapt to even the latest security technology, keeping hackers and spammers a step ahead of most stand-alone protective measures. System administrators remain in a reactive mode, waiting for the next attack and hoping their mixed bag of security software is up to the test.
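The list above describes what a policy-enforcing gateway has to do; the following added example (not CipherTrust code, and not taken from the original article) shows the shape of such a gateway in working Python. It parses messages with the standard library `email` package, applies three rules derived from the requirements (a phishing rule on inbound mail that claims an internal sender, a confidentiality rule that quarantines rather than merely logs financial content bound for external recipients, and a retention rule that archives anything touching the financial process with an expiry date), and keeps a small searchable archive. The domain `example.com`, the finance mailboxes, the `X-Policy-Encrypt` header, the keyword list, the seven-year retention period and all sample messages are assumptions constructed for the example.

```python
"""Hypothetical e-mail policy gateway: rules from internal controls, active
quarantine instead of passive logging, and retention with fast retrieval.
Added example; not a product's code. All names and parameters are assumed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Optional

# Assumed policy parameters (not from the article).
INTERNAL_DOMAIN = "example.com"
FINANCE_MAILBOXES = {"controller@example.com", "cfo@example.com"}
FINANCIAL_TERMS = re.compile(
    r"\b(10-K|10-Q|earnings release|revenue recognition|audit committee)\b", re.I)
RETENTION = timedelta(days=7 * 365)   # assumed seven-year retention period


@dataclass
class Decision:
    action: str                 # "deliver", "quarantine" or "archive"
    reason: str
    retain_until: Optional[datetime] = None


def classify(raw: str, direction: str, now: datetime) -> Decision:
    """direction is 'inbound' or 'outbound' as seen by the gateway."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = [addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body

    financial = (bool(FINANCIAL_TERMS.search(text))
                 or sender in FINANCE_MAILBOXES
                 or any(r in FINANCE_MAILBOXES for r in recipients))
    external = [r for r in recipients if not r.endswith("@" + INTERNAL_DOMAIN)]

    # Rule 1 (anti-phishing): inbound mail claiming an internal sender is held.
    if direction == "inbound" and sender.endswith("@" + INTERNAL_DOMAIN):
        return Decision("quarantine", "inbound message spoofs internal domain")

    # Rule 2 (confidentiality): financial content leaves only when the sender
    # flagged it for encrypted delivery; otherwise it is stopped, not just logged.
    if (direction == "outbound" and financial and external
            and msg.get("X-Policy-Encrypt", "").lower() != "yes"):
        return Decision("quarantine",
                        "financial content to %s without encryption" % ", ".join(external))

    # Rule 3 (retention): anything touching the financial process is archived.
    if financial:
        return Decision("archive", "financial-process message", now + RETENTION)
    return Decision("deliver", "no policy match")


class RetentionArchive:
    """In-memory stand-in for a message archive with expiry and keyword search."""

    def __init__(self) -> None:
        self._items = {}        # Message-ID -> (retain_until, raw message)

    def store(self, msg_id: str, raw: str, retain_until: datetime) -> None:
        self._items[msg_id] = (retain_until, raw)

    def search(self, term: str, now: datetime) -> list:
        pat = re.compile(re.escape(term), re.I)
        return sorted(mid for mid, (until, raw) in self._items.items()
                      if until > now and pat.search(raw))

    def purge(self, now: datetime) -> int:
        expired = [mid for mid, (until, _) in self._items.items() if until <= now]
        for mid in expired:
            del self._items[mid]
        return len(expired)


# Constructed sample traffic (not real messages).
NOW = datetime(2004, 11, 15, tzinfo=timezone.utc)
SAMPLES = [
    ("outbound_leak", "outbound", "From: controller@example.com\nTo: analyst@broker.example\n"
     "Subject: Draft 10-Q numbers\nMessage-ID: <leak-1@example.com>\n\nUnreviewed Q3 figures.\n"),
    ("outbound_encrypted", "outbound", "From: controller@example.com\nTo: auditor@cpa.example\n"
     "Subject: Draft 10-Q numbers\nX-Policy-Encrypt: yes\nMessage-ID: <enc-1@example.com>\n\n"
     "Figures for review.\n"),
    ("inbound_spoof", "inbound", "From: ceo@example.com\nTo: controller@example.com\n"
     "Subject: Wire needed today\nMessage-ID: <spoof-1@evil.example>\n\nSend $250,000 now.\n"),
    ("internal_finance", "outbound", "From: cfo@example.com\nTo: controller@example.com\n"
     "Subject: Audit committee materials\nMessage-ID: <fin-1@example.com>\n\nDeck attached.\n"),
    ("ordinary", "outbound", "From: alice@example.com\nTo: bob@example.com\n"
     "Subject: Lunch on Thursday?\nMessage-ID: <chat-1@example.com>\n\nNoon?\n"),
]


def run_gateway(archive: RetentionArchive, now: datetime = NOW) -> dict:
    """Classify every sample, archive what policy says to keep, return the actions."""
    actions = {}
    for name, direction, raw in SAMPLES:
        decision = classify(raw, direction, now)
        if decision.action == "archive":
            archive.store(message_from_string(raw)["Message-ID"], raw, decision.retain_until)
        actions[name] = decision.action
    return actions


if __name__ == "__main__":
    store = RetentionArchive()
    for name, action in run_gateway(store).items():
        print("%-20s %s" % (name, action))
    print("10-Q in archive:", store.search("10-Q", NOW))
```

The point of Rule 2 is the difference the article draws between active and passive controls: the quarantine decision is returned before the message is delivered, so the gateway can hold it rather than record a violation after the data has left. The archive keeps an expiry per message so that retrieval for an audit and purging at end of retention are both one call.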

The new challenges posed to e-mail security demand a new approach that protects enterprises from both known and unknown e-mail security attacks. And this forward-looking, proactive approach is exactly what is needed to maintain the effective internal controls described in Section 404. Specific financial information threats and vulnerabilities that need to be addressed include: malicious code (viruses, worms, etc.), unintentional or malicious information access or exposure and any system failures that could lead to legal liabilities.

To address these concerns, organizations are turning toward comprehensive messaging solutions that span the traditional functionality silos (different solutions for anti-virus, encryption, anti-spam, etc.). These combine everything from message privacy/encryption to e-mail firewall and intrusion protection to content filtering. This streamlines compliance with Sarbanes-Oxley information integrity requirements as they relate to protecting corporate financial information that is transmitted and stored via e-mail.

In the coming months, corporations will also need to start tackling other less obvious messaging arenas with similar impact, including instant messaging. As solutions mature, more automation will emerge, providing the ability to automatically match security and regulatory policies.







