
Compliance: The Proactive Approach


To be compliant requires a corporate strategy, a mindset, and a commitment

By Joshua Konkle, Technical Director, Data Management Group, Veritas Software

You hear the words and phrases repeated in legal offices, data centers, break rooms, and boardrooms: Sarbanes-Oxley (SOX), retention, regulators, act of discovery, compliance. The discomforting sound of compliance contains echoes of cost, complexity, inconvenience and potential penalties.

SOX unquestionably affects more IT organizations than other legislation or regulations because it touches all public companies in the United States. Research by the VERITAS Software Customer Advisory Board reveals that many companies see the Sarbanes-Oxley Act in terms of specific pain points:

• Management data must be tracked to provide full disclosure of activity within the enterprise computing environment

• Increased auditing and logging capabilities are needed to manage the added complexity of compliance

• Audit trails are needed so that every policy that is run or modified can be reported to auditors every 30 days

• Information assets and backups must be accessible for discovery

• Audit tracking and reporting is needed for capacity, performance, system status, patch management, and modifications

All these pain points have to do with the processes that compliance requires and the technical and workflow changes needed to put them in place. For most companies, this means additional investments in planning, purchasing, implementation, and administration. Tools exist today that IT managers can use to ease these pain points. We'll be discussing these in a moment.

But there is a more fundamental pain point that companies are dealing with, and it arises simply because the Sarbanes-Oxley Act has yet to be widely enforced and is still untested in the courts. Uncertainty abounds. How does the Act apply to my specific business? How will it be enforced? What do I need to do to be confident that my company will be in compliance in the event of requests by regulators? Industry groups such as the Information Systems Audit and Control Association (ISACA), the Internet Law and Policy Forum (ILPF), and the Storage Networking Industry Association (SNIA) are working hard to remove the fuzzy edges from compliance questions and provide a clear picture of what is required and how companies can respond.

Then there are the ROI questions. Can the cost of compliance technology be justified? Would it not be more cost-effective to wait until compliance is an immediate need? Is it smarter to be reactive than proactive? Let's look first at the legislation that is the prime cause of these concerns.

Getting A Handle on SOX
SOX is the focus of legal and regulatory compliance for most companies, so we'll target SOX for purposes of discussion, although much of what we say about SOX compliance applies to other legislation and regulations. It is the job of the SEC to enforce SOX, via the Public Company Accounting Oversight Board (PCAOB). Until SOX defines itself more clearly through enforcement actions and court tests, we have to do our planning, and any necessary modification of financial processes, based on prudent estimates of our exposure to risk. Our auditing companies can help us make these assessments.

The most fearsome teeth that legislators put into SOX are primarily in Title Eight: the Corporate and Criminal Fraud Accountability Act of 2002, which became part of SOX. Title Eight is generating the greatest concern among IT managers, corporate legal departments, and compliance specialists. Section 404, in Title Four (Enhanced Financial Disclosures), is the Management Assessment of Internal Controls, and it gets a lot of press. It mainly has to do with controlling financial processes: for example, the policies that control the way a company posts its accounts payable and accounts receivable, which are natural targets for an audit. Sections 103, 104, and 107 deal with audit and quality control standards, the involvement of registered public accounting firms, and sanctions such as censure of the Board.

Our conversations with VERITAS customers and with major auditing companies have convinced us that for public companies and their auditors to be in compliance with SOX they will need a retention process for electronic communications and certain classes of documents. So for most business organizations, SOX alone supplies powerful reasons for implementing a solution that archives and retrieves business messaging.

Although we've spotlighted SOX because it casts a wider net than other laws and regulations, your company may also be subject to state- or industry-specific requirements, for example SEC Rule 240.17a-4(f), which requires securities brokers to store electronic business communications, including both email and instant messaging, for 3-6 years.

Furthermore, there is the reality of civil litigation. We live in a litigious society, and it seems that very few people today will pass up an opportunity to file a suit. It's difficult for any company to hide from the government, the courts, and even its customers when it comes to having to do discovery and provide information. It's estimated that every Fortune 500 company is dealing with 125 legal matters at any given time, and that three out of four of these require legal email discovery (see the 11/3/03 issue of Network World). Recent history tells us that the regulators who conduct the discovery process will always ask to view archived email.

Why the Proactive Approach Wins
Let's get the reactive approach off the table right away. The cost potential of operating without a compliance strategy is staggering. If you rely on routine backup to retain records and don't implement an organized archiving solution, you will pay while staff members or consultants sift laboriously through backup tape after backup tape. The cost of responding to a single demand (for example, producing all the emails that mention the name of a certain product or company during a specified six-month period) could easily pay for archiving and retrieval technology that makes compliance a routine matter.

Judges are not ignorant about discovery. They know that the information the court needs should be made available in a very short time, so they can impose extreme timelines on companies and levy penalties or fines under the law for tardy, incomplete, or poorly organized information. And as attorney Jeffrey Plotkin explains in a white paper on eDiscovery, in some cases the costs of court-ordered searches of scores of backup tapes have quickly run to hundreds of thousands of dollars.

Whereas backup simply protects you against disastrous data loss, a content archiving strategy organizes your data for retrieval as well, improving your company's legal defensibility. When your company receives a court order to present information, the archiving solution should give you a highly customizable, well-designed workflow that delivers what your legal department needs in a timely way. Because legislation requires that archives be protected in an unalterable state, the solution should be able to archive to a WORM (write once, read many) device, where the data is legally secured and can't be erased until the law permits it.

From the proactive viewpoint, then, investing in an archiving solution is like buying insurance to cover claims that are almost certain to occur. A single claim could more than pay for the TCO of your solution. Furthermore, the solution lets you and your executives sleep at night.

An effective email preservation archiving strategy, however, does much more to justify its cost than mitigating compliance risks. It also reduces IT costs and generates everyday operational efficiencies.

The Other Inherent Benefits of Smart Archiving
An effective software archiving platform also lets you set company-specific policies that govern which emails are migrated to the archive, when, and for how long. Basically, messages are archived on the basis of current value. You instruct the system to identify email that is clearly not business-related, such as invitations to lunch, and delete it so it isn't transferred to the archive at all.

You also tell the system how long to wait before automatically archiving messages. This period can range from immediate to days, weeks, or months. You can factor in size, sending larger messages or messages with attachments to the archive earlier to preserve space on your faster arrays. Some of your archived content may be kept "just in case" and not be directly related to a law or regulation.

How long should you keep archived data? Long enough to cover any potential demand for information under the laws and regulations that apply to your business. Your legal counsel and auditors can help answer this question. But even if your company is in a self-regulated industry sector, you cannot afford to operate without data retention policies because litigation is always a possibility. When litigation arises, the court may order you to produce email correspondence that dates back many years. You need to protect your company from the very high costs of eDiscovery by setting data retention policies.

In setting up your archiving solution, keep in mind that it should not penalize staff members who need routine or occasional access to archived messages. They should be able to find what they want using familiar email commands such as Reply and Forward. The archiving strategy should also enable you to migrate data to less expensive storage hardware on the basis of age or other criteria. You should pay less to store your little-used archives.

Ideally, the archiving platform you choose should be able to manage email and unstructured content generated by Microsoft Exchange, SharePoint Portal Server, IM, document management and file server environments. It should be highly customizable to your company's needs for information lifecycle management and scalable enough to accommodate any foreseeable growth.

To briefly review the benefits of taking the proactive approach by implementing an effective archiving solution:

1. It protects the company and its executives against the risks associated with legal or regulatory penalties and/or fines.

2. It minimizes the costs of court-ordered eDiscovery when litigation arises.

3. It structures archived data for rapid, routine retrieval.

4. It can pay for itself in a single act of discovery.

5. It mitigates doubt and uncertainty surrounding the need for compliance: the peace-of-mind factor.

6. It enables the company to reduce IT costs by migrating older email to less costly storage, while keeping it accessible.

7. It enables the company to set policies on the retention of email and certain document classes, avoiding ad-hoc disposition models.

Now: Back to the Pain Points
Now let's go back and review the pain points we started with:

• Management data must be tracked to provide full disclosure of activity within the enterprise computing environment

• Increased auditing and logging capabilities are needed to manage the added complexity of compliance

• Audit trails are needed so that every policy that is run or modified can be reported to auditors every 30 days

• Information assets and backups must be accessible for discovery

The archiving solutions we've been discussing not only eliminate or alleviate these pain points; they were designed expressly for that purpose. Your needs for a customizable system that simplifies compliance, automates data migration, reduces hardware costs, provides audit trails, and nevertheless keeps archived assets immediately available were the basis for these products. But we had one more pain point:

• Audit tracking and reporting is needed for capacity, performance, system status, patch management, and modifications

Software tools are available that track all these parameters, monitoring and reporting on application performance management at all levels from the data server to the web server.

In Summary: The Proactive Approach to Compliance Wins
Let's be perfectly real about this. There is no silver bullet. No product or suite of products will make an organization compliant. To be compliant requires a corporate strategy, a mindset, and a commitment. An effective archiving strategy mitigates doubt and concern about the effects of compliance, enables companies to respond with confidence to regulatory or court orders, can pay for itself rapidly when demands arise, and offers everyday efficiencies and cost savings. The proactive approach to compliance wins by turning obligations into opportunities.



Joshua Konkle
Technical Director, Data Management Group
Veritas Software
As Technical Director, Joshua Konkle is an expert with VERITAS' Discovery and Compliance products. In his current role, he interacts with customers to identify their business challenges and how to use software and IT services to address their issues.

Joshua has spoken at multiple business and technical venues on topics such as corporate governance and IT communications. He currently serves on the Board of Directors of the Data Management Forum and as Chairman of the Compliance Advisory Group at KVS, Inc.

With more than 10 years in the communications and digital identity industries, Joshua's expertise at both the business and technical level has been instrumental in helping our customers succeed.




