
Email: The Appliance of Compliance


By Alex Shipp

MessageLabs

Skyrocketing volumes are turning email from an indispensable communications tool into a double-edged sword with the power to cut business efficiency off at the knees. According to a recent report from the Framingham, MA-based advisory group IDC, the volume of email sent annually worldwide exceeded one billion gigabytes for the first time last year. In more comprehensible terms, the average number of emails MessageLabs scans globally on behalf of 9,000 organizations now stands at 70 million per day.

This explosion in traffic is presenting new and significant headaches for businesses as email bandwidth, storage and security concerns become ever more difficult and risky to manage.

Making matters worse are new regulations introduced in the United States and abroad that followed corporate scandals in which business practices and executives failed to follow financial reporting and disclosure rules. The backlash from these high-profile scandals, which involved numerous Fortune 500 companies, prompted new corporate compliance laws, such as Sarbanes-Oxley here in the United States and Basel II in Europe. Audits will be conducted to ensure compliance with regulations, and companies suspected of regulatory failures will be subject to investigations, fines, and, most troubling of all, civil or criminal charges.

These regulations are now being enacted to ensure that companies put and keep their houses in order. They are principally focused on introducing tighter regulation of internal controls over financial reporting and disclosure and are intended to strengthen existing privacy laws.

Equally important, they have dramatic implications for the treatment of written and electronic communications. Massive amounts of corporate information are communicated and exchanged via email every day, and while those communications may be viewed as virtual, and as a result less consequential or tangible than traditional communications, they in fact need to be considered as permanent and indelible as any other "hard" or written communication.

For example, Sarbanes-Oxley specifically outlines expectations for the management, retention and deletion of business records, which in today's environment includes email, as many agreements, contracts and approvals are handled exclusively via email. Those who may still have doubts regarding the importance of treating email as any other "hard" communication only have to look at the December 2002 rulings that the New York Stock Exchange, the Securities and Exchange Commission and the NASD handed down after President Bush signed the Sarbanes-Oxley Act into law. Those rulings levied fines of $1.6 million against five U.S. companies for violating email record-keeping requirements. In the wake of those decisions, there can be no doubt that email is now a critical component of regulatory compliance.

Due consideration must therefore be given to email management to ensure it complies with privacy laws and meets requirements for monitoring and archiving electronic business transactions.

In the case of Sarbanes-Oxley, the requirements to maintain and certify adequate internal controls fall directly on the senior executives of a public company. False certifications, either through intention or malfeasance, can result in million-dollar fines and 10-year prison terms.

There is a growing consensus that meeting the test of adequate internal controls in Sarbanes-Oxley requires a robust approach to email archiving. Effective email filtering can help ensure efficient spending on archiving by removing a large percentage of unwanted or spam emails from incoming traffic, thereby reducing their impact and the volume of information requiring processing and storage. In addition, when email filtering and protection is gained through a managed service, automatic email backup and archiving is included, along with important Internet-level protections that organizations of any size and industry can find beneficial.

While archiving email is important for compliance reasons, it also has value for legal reasons. As noted earlier, increasing numbers of business contracts, agreements, work approvals and other important documents are being handled electronically. Lose one of these stored emails and you lose the potential to defend your organization against legal action.

As people increasingly send and receive email using multiple devices, with copies of any message potentially able to reach anyone with online access anywhere in the world, the potential for information to fall into the wrong hands is a very real risk.

It is not just customer information that must be considered. In order to comply with the regulations, businesses must take appropriate measures to mitigate the risk of disclosing all valuable or sensitive organizational data. Unauthorized access to or distribution of financial reports, intellectual property or go-to-market strategies can not only contravene laws but may also do substantial damage to an organization's credibility, bottom line and competitive position.

Fortunately, comprehensive email management and security solutions can play a vital role in helping companies meet regulatory requirements and protect against legal actions. As a basic rule, companies are advised to make sure they seek proper protection from viruses and other malicious content, especially given the sophistication and malevolence of the new breed of converged viruses that have lately received significant media coverage. Proactive scanning at the Internet level can foster a safer working environment and offer protection against related internal security breaches and the possibility of mass mailing sensitive and confidential information when systems get infected.

Ultimately, much of the successful management of IT compliance lies in the effectiveness of the business processes and monitoring systems put in place. But just as prevention is better than cure, ensuring that proper email security measures are activated and maintained can go a long way toward easing the burden and the headache of complying with the regulations in the future.



Alex Shipp is the leading email anti-virus expert and technologist for MessageLabs, where he oversees the team responsible for identifying, stopping and sounding the alert on new viruses. He was the architect and lead programmer for MessageLabs' world-class, global email security system, and is now the architect of and lead programmer for Skeptic (trademark), MessageLabs' multi-patented, heuristics scanning technology. Alex regularly presents at trade shows and technical conferences, appears on television and radio broadcasts and is regularly quoted as an expert by news agencies worldwide. His expertise is heuristic detection of malware and spreading patterns of mass-mailing viruses.

Alex's software was responsible for automatically detecting and stopping all the major mass mailing viruses of recent times, including LoveBug, AnnaKournikova, Nimda, SirCam, Goner, Klez, Yaha, BadTrans and Frethem, as well as all the minor ones that few people hear about.





© 2019 Simplex Knowledge Company. All Rights Reserved.