
Pulling Up Your SOX


Is your organization compliant?

By Gregg Mastoras, Senior Security Analyst, Sophos

Non-compliance can do substantial damage to an organization's credibility and competitive position, and legislation like the Sarbanes Oxley Act is forcing organizations to change the way they manage information from an IT standpoint, writes S-OX.com guest columnist Gregg Mastoras, senior security analyst at Sophos Inc.

Recent legislation is the first step in addressing a range of problems, such as corporate fraud and violations of privacy, which arise when organizations abuse the way they manage information.

Organizations have not seen such a high number of business-focused legislative acts in more than sixty years. The news is filled with instances of false profits, fraudulent accounting practices, insider trading, and private use of company funds. While most companies are aware of the financial penalties of non-compliance, these costs may turn out to be negligible as the media and investor communities begin to scrutinize non-compliant firms, forcing companies to assess the adequacy of their internal controls.

Overseen by the Securities and Exchange Commission, the Sarbanes Oxley Act (SOX) holds corporate officers responsible for the accuracy of financial statements. In particular, the act states that management must prevent, or detect in a timely manner, unauthorized acquisition, use, or disposition of systems that could affect financial data. It also specifies the kinds of records companies must keep and how long they must keep them.

In the world of compliance, record keeping and maintenance are critical parts of the process. SOX requires public companies to establish, document, and assess the effectiveness of their internal controls and procedures over financial reporting.

According to Forrester Research, micro-sized companies will spend up to $4.7 million and large companies will spend up to $45 million just to comply with SOX. Furthermore, the Sarbanes-Oxley Forum held in September 2004 reported that almost half of US businesses have not created plans or implemented actions towards compliance. The challenge of SOX and other regulations lies in that they are not always easy to understand and that the rules are still evolving.

SOX: the role of security and record retention
Sarbanes-Oxley requires organizations to implement controls over the release of information to individuals or organizations outside the company's network, and to implement policies that define how long, and in what manner, electronic communications should be retained. The ruling does not detail specific steps organizations should take to comply with these regulations. Rather, it requires that companies implement programs that ensure the secure flow of information, and then document the successes and deficiencies of those programs.

Two themes concerning information integrity dominate the language and tone of SOX: internal controls and record retention.

Internal controls call attention to issues around design, operation, auditability, management assessment and reporting. As companies review their networks prior to an internal audit, evaluating and protecting all assets, even those less susceptible to compromise, should be a focus.

Secondly, record retention addresses the rules around retention of documents that are created, sent or received relating to an audit or review. Companies must establish clear e-mail retention policies, and the IT department must ensure that these policies are followed. Few companies have strict guidelines in place, which exposes them to legal and regulatory violations.

Companies are uncertain how to keep email compliant under SOX standards, and are choosing to save everything, putting themselves at increased risk when or if litigation ensues. Furthermore, retention is not just about archiving, but also about retrieval. Saving all correspondence leads to obstacles when asked to deliver only relevant documentation. Finally, the costs of retaining and maintaining this documentation overwhelm the cost of implementing a policy framework to retain documents selectively, which is a critical element of an overall compliance architecture.

Gartner Dataquest undertook a study of 300 companies and organizations in North America during the fourth quarter of 2004. Some of the key findings include:

• Nearly two-thirds of respondents currently have, or will have within 12 months, a business policy defining the retention period for e-mails. For most respondents, the policies will affect all e-mail users, not just selected employees. For some companies, the e-mail retention policy is part of an overall records management policy. For others, the e-mail policy is a first step in building a broader policy.

• One-third of the respondents have a policy whereby all e-mail messages are systematically deleted from the active e-mail application data store after 90 days. For some, this is their e-mail retention policy as well. For others, this is a way to keep the active data store small, but messages are kept outside of the e-mail data store in an archive for a longer period to meet legal, regulatory or company-specific retention requirements.

• Respondents rated automating archiving policies as the most important archiving control feature. The ability to archive instant messages was considered least important. *

According to Gartner, "e-mail retention policy is set by a company's compliance and legal officers and implemented by the IT department...Most companies will choose to retain everything to guarantee that needed records are retained. As better tools evolve, companies will implement a selective retention policy," but today there are three common approaches to e-mail retention:

• Save nothing: delete all e-mail after a specified number of days

• Save selected e-mail: save those e-mails that are corporate records or that contain valuable business information

• Save everything: retain all e-mail

Although the save nothing strategy "may appear to be the easiest approach to dealing with e-mail, this policy requires employee training and a clear IT plan that involves more than just implementing a purge program....Beyond the deletion of messages in the e-mail system data store and all related backup copies, messages that have been copied by the user to his or her hard drive or personal space on a shared server must be deleted. Employees must be directed not to save e-mail on private media or by sending to personal e-mail accounts."**

For the save selected e-mail strategy, the decision to retain or delete an e-mail should be made based on its content. Categorizing and indexing e-mail requires the end user to judge its worth to the company and understand the various ways that an e-mail can be parsed (such as by keywords, metadata, attachments or other heuristics). It is essential to find the right expertise to create retention schedules and rules to move messages into the managed repository.

Many companies have determined that the safest strategy is to save all e-mails. Spam filtering can be used to reduce the number of unsolicited junk e-mails. The goal is to retain relevant e-mail for the longest length of time dictated by corporate policy or regulations using tiers of storage depending on the age of the e-mail. The archive will provide a complete record of all e-mail sent or received, and be used to retrieve regulated messages and respond to litigation.

Audit firms determine compliance
Whether it's concern over what an audit committee might view as "reasonable assurance regarding prevention or timely detection" or the fact that they simply need to check the box, compliance is a focus area. Many audit firms are not technically savvy and don't have a detailed understanding of the implications, which confirms the need for a fairly conservative approach.

It should not be assumed that a discussion with your audit firm around the low potential of corrupted or lost data will be straightforward. Corporate management must understand that the audit firms themselves are subject to as much, if not more, regulation as the companies they serve. The new rules produced by the SOX Act will make any audit firm particularly sensitive during the initial rollout of any new rules.

Organizations are responding to these regulations, trying to determine what data to keep, how long to keep it, when to divulge it and how to guard it. As email passes through the gateway and across servers, it brings unique compliance challenges. IT teams must implement information security mechanisms for network protection against email-borne threats, including viruses, spyware, Trojans, phishing, and pharming. They must also develop and enforce email security rules in order to ensure collection and dissemination of the right information. Finally, they must have systems in place to verify that they are satisfying legal obligations.

Compliance Strategy
Organizations are being inundated with "compliance helper" products. Unfortunately, these single-purpose tools do not offer the kind of comprehensive solutions required to address broad security issues across the organization. To ensure compliance with current and future legislation, organizations must establish a comprehensive IT security strategy for compliance, keeping the following goals in mind:

• Information security: At the heart of SOX is the need to protect information. Nothing should alter original data, and there must be a clear alert in the event of any attempt to modify or destroy information.

• Email security: There are three key aspects to protecting email. Organizations should maintain the confidentiality of important content; all email should include consistent legal information across recipients; and, to succeed fully, email policy enforcement must ease retrieval and monitoring efforts.

• Proof of control: Key to satisfying regulations is the ability to prove that compliance efforts are working. Event logs, audit trails, and reporting are critical to meeting this goal.

Protecting data integrity
Viruses, malicious spyware, and other malware can compromise the most carefully managed data. The current state of "blended threats" is exacerbating the problem. A blended threat can combine worms, viruses, Trojans, and/or spam. It usually causes more than one kind of problem, such as damaging an operating system, installing a backdoor, and/or corrupting a data source. It employs multiple attack methods: infecting EXE files, modifying registry keys, and altering HTML files, for example. Finally, it replicates and spreads through several routes, including email, IRC channels, file-sharing, and downloading.

Preventing data corruption
Some anti-virus solutions clean out threats as they come in via email. Others detect viruses on external data sources such as CDs, network servers, and online downloads. To be effective, your data security schemes must take a multi-tiered approach to protecting gateways, servers, and desktops.

Make sure any solution you consider addresses all parts of your network. It is not enough to protect your workstations and desktops; it is also critical that you guard the gateway so that threats are contained at the network perimeter. As the velocity of attacks increases, preventing viruses from getting to your network should be a top priority. For example, the SQL Slammer virus spread to 250,000 servers in ten minutes.

Your efforts must also acknowledge the inherent vulnerabilities of network servers, especially UNIX/Linux platforms. A UNIX or Linux file server can be a "carrier" that passes viruses along the network, infecting more susceptible Windows systems.

Legislation seeks prudent protection against foreseeable threats such as the increase of viruses affecting UNIX/Linux platforms. Many companies have determined that SOX requires anti-virus protection on every server that manages financial data.

Compliance is not just a matter of end-of-quarter reports. You need real-time check-and-balance mechanisms to confirm that technology and procedures are actually protecting data and recognizing security breaches.

Anti-virus solutions must alert supervisors immediately of threats affecting the network. In addition, you need a real-time view of the status of every device in the network. You must be able to ascertain which devices are protected, which need updating, and which, if any, have been attacked. Automatic updates and centralized installation ensure continuous protection.

Policy enforcement
Policy enforcement, or the ability to manage email, enables organizations to define rules that expedite email traffic while protecting the organization. Policy capabilities included in enhanced gateway solutions can help address concerns around compliance with SOX.

There are several aspects to controlling data distribution. Firstly, information should not go to the wrong entity. Secondly, the correct information, together with any standard language, must go to the required entity. Finally, as the volume of email and spam rises daily, it is imperative that companies find ways to identify and save compliance-related communication while filtering out other messages and attachments.

Gateway protection policies should prohibit the distribution of inappropriate content and attachments and restrict unauthorized parties from viewing corporate data. By filtering out spam and malicious content, policy controls for inbound and outbound email can reduce the volume of email that compliance scanning, archiving and encryption systems handle. Policy controls can also look for common patterns and combined, pre-determined keywords that suggest a message might require retention.

In an effort to comply with regulations, organizations are writing policies that specify the format and legal statements that must be part of every email. Unfortunately, it is impossible to guarantee that every member of an organization presents data in a consistent format with the correct legal language. Policy enforcement at the gateway can be customized to scan email for particular keywords or attachment types and apply formatting and text per company-specified rules. More complex scenarios can be covered through the administration and control of virtually every aspect of an email message.

Some organizations are capturing the content and header information for each email transmission that comes in and goes out from their email servers. You must record all real or intended breaches of security and policy, including who didn't follow which policy on what date, how many times the filters caught inappropriate content, what caused an unintentional or undesired disclosure of financial information, when the file was corrupted and what the source of the virus was. With policy controls in place, detailed transaction logs can provide the information you need to meet internal control documentation requirements.
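To illustrate the gateway policy controls just described (keyword and attachment scanning, standard legal text, and a log record of every policy decision) and the content-based selective retention discussed earlier, here is an added Python example; it is not code from the article or from Sophos, and the keyword list, blocked extensions, footer text and addresses are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from email.message import EmailMessage

# Constructed policy values: assumptions for this example, not any vendor's configuration.
RETENTION_KEYWORDS = re.compile(r"\b(10-K|10-Q|quarterly results|audit committee|revenue recognition)\b", re.I)
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs"}
LEGAL_FOOTER = "\n\nConfidential: may contain financial records subject to retention policy.\n"

def build_message(subject, body, attachment_name=None):
    """Constructed sample message (hypothetical addresses) for exercising the policy offline."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "cfo@example.com", "auditor@example.com", subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"dummy bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg

def blocked_attachments(msg):
    """Attachment filenames whose extension the gateway policy prohibits."""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return [n for n in names if any(n.endswith(ext) for ext in BLOCKED_EXTENSIONS)]

def stamp_footer(msg):
    """Append the standard legal text once; a reply that already carries it is left alone."""
    body = msg.get_body(preferencelist=("plain",))
    if body is None or LEGAL_FOOTER.strip() in body.get_content():
        return False
    body.set_content(body.get_content() + LEGAL_FOOTER)
    return True

def apply_policy(msg, outbound):
    """Decide block / retain / deliver and return the audit-trail record to be logged."""
    record = {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "sender": str(msg.get("From", "")), "recipients": str(msg.get("To", "")),
              "direction": "outbound" if outbound else "inbound",
              "action": "deliver", "policies": []}
    bad = blocked_attachments(msg)
    if bad:  # blocked mail is still logged: who sent what, and when
        record.update(action="block", policies=[f"attachment:{n}" for n in bad])
        return record
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    hits = {h.lower() for h in RETENTION_KEYWORDS.findall(text)}
    if hits:  # flag for the managed archive instead of the routine purge
        record.update(action="retain", policies=sorted(f"keyword:{h}" for h in hits))
    if outbound and stamp_footer(msg):
        record["policies"].append("footer:applied")
    return record
```

Calling apply_policy(build_message(...), outbound=True) returns the record to write to the transaction log; because stamp_footer checks for existing text, a message that already carries the footer is not stamped a second time.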

No matter which legislative requirements you are striving to meet, you must implement a comprehensive approach to compliance that affects all areas of your business. The combination of a multi-layer security architecture, powerful policy tools and strong vendor support can go a long way to expediting your success and protecting your assets both in the long and short term.

*Extracted from "User Survey: E-Mail Archiving Products and Services, North America, 2005" (Executive Summary), Gartner Dataquest Research Note, February 4, 2005, C. DiCenzo and A. Couture

**Extracted from "Companies Choose Different Approaches to E-Mail Archiving", Gartner Research Note, April 12, 2005, C. DiCenzo and K. Chin



Gregg Mastoras
Senior Security Analyst
Sophos
Gregg Mastoras is a senior security analyst at Sophos Inc. and has worked in the technology industry for more than a decade.

Prior to joining Sophos, he held various senior management roles in product marketing and product management at Lightbridge, Lucent Technologies, and CSC. Mastoras has a Bachelor of Science in Mechanical Engineering from Tufts University, a Master's in Engineering Management from Northwestern University and an MBA from the Kellogg School.





© 2019 Simplex Knowledge Company. All Rights Reserved.