Sarbanes-Oxley and how it applies to e-mail archiving
I'm a network administrator with a small community bank in the north east. We're concerned about Sarbanes-Oxley requirements for record retention and how it applies to e-mail archiving. We currently have no archiving solution in place.
Management is proposing the following policy -- tell end users that they're responsible for archiving customer and vendor-related e-mail by BCCing those e-mails to a mailbox we set up on our Exchange server.
I'm concerned about leaving this responsibility up to the end-user. Would the policy proposed cover us for Sarbanes-Oxley regulations or should we look to archive all e-mail incoming/outgoing/internal using a third party product?
) increases the regulatory focus on proper record retention and is just one of many good reasons for taking a closer look at archiving. Other reasons include industry-specific regulations, strategies for reducing litigation risks and discovery costs and the operational benefits of an intelligent archiving policy.
Of course, your institution should consult with its legal counsel and accounting professionals for specific advice, including federal, state and local laws and regulations that may apply.
In this context, here are a few points to consider:
In general, companies should maintain a complete and accurate business record for internal use and external reporting -- including archived copies of electronic documents and communications such as e-mail.
The proposed policy -- making end users responsible for sending selected e-mail messages to an archive mailbox -- depends on the good judgment and consistent behavior of every end user, every day. To provide reasonable assurance of adherence to the policy, the firm would need to make a substantial ongoing investment in training, supervision, monitoring and enforcement.
The proposed policy does not guarantee that all relevant e-mail messages will be captured. So the firm could still face substantial risks and costs in the event of litigation discovery or a regulatory request -- e.g., for all messages related to a specific customer, vendor or employee during a 12-month period.
A more reliable strategy is to capture and archive all e-mail messages -- incoming, outgoing and internal. This approach provides the strongest assurance that all relevant e-mail messages are being captured and will help increase the confidence of internal and external auditors and regulatory authorities in the integrity of the resulting audit trail.
The first step is to assess your archiving needs in light of the regulatory, litigation and business drivers and to develop a records retention and archiving policy that includes e-mail as well as other documents and records. The policy should address what to save, how long to keep it and the required capabilities for protection, security and accessibility. Once you have achieved consensus on the policy, you can move confidently forward to solution architecture, design and implementation.
Depending on the number of e-mail users and servers involved, a variety of technical solutions might be appropriate.
For a small organization, it might make sense to configure the e-mail server for message journaling, i.e., force it to make a copy of every message that passes through the system and send it to a designated "archive" mailbox. This would at least eliminate the dependence on end-user selection and copying.
For a larger organization, a third-party archiving product can provide end-user productivity benefits and infrastructure cost reductions that will help justify the purchase -- in addition to higher levels of archive protection, functionality and accessibility for business and compliance purposes.
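The journaling advice above rests on the archive actually receiving every message the retention policy covers, and the answer's own example of a discovery request (all messages for one customer over a 12-month period) is the natural way to test that. As an added example that is not part of the original answer, here is a small Python reconciliation check that compares a server-side message log against what the archive mailbox holds and lists the customer-related messages in the retention window that never reached it; the log layout, addresses and archive index are constructed assumptions, not Exchange's real tracking-log format.

```python
# Added example (not from the original Q&A): reconcile an e-mail archive
# against the mail server's message log to find messages that a retention
# policy requires but that never reached the archive mailbox.
# The log lines, addresses and archive index are constructed samples; the
# column layout is an assumption, not Exchange's real tracking-log format.
import csv
import io
from datetime import date, timedelta

# Constructed server-side message log: one line per delivered message,
# recipients separated by ';' inside one CSV field.
MESSAGE_LOG = """\
timestamp,message_id,sender,recipients
2003-01-10,<m0@bank.example>,teller@bank.example,joe@customer.example
2003-04-02,<m1@bank.example>,teller@bank.example,"joe@customer.example;ops@bank.example"
2003-06-15,<m2@bank.example>,ops@bank.example,billing@vendor.example
2003-09-30,<m3@bank.example>,teller@bank.example,joe@customer.example
2004-01-20,<m4@bank.example>,hr@bank.example,staff@bank.example
2004-02-11,<m5@bank.example>,joe@customer.example,teller@bank.example
"""

# Constructed index of message IDs that the user-BCC archive mailbox holds.
ARCHIVE_INDEX = {"<m1@bank.example>", "<m2@bank.example>", "<m4@bank.example>"}


def parse_log(text):
    """Parse the CSV log into rows with a real date and the set of parties."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = date.fromisoformat(row["timestamp"])
        row["parties"] = {row["sender"].lower()} | {
            addr.lower() for addr in row["recipients"].split(";")}
        rows.append(row)
    return rows


def missing_from_archive(log_rows, archived_ids, party_domain, period_end, window_days=365):
    """Return, in log order, the IDs of messages that involve party_domain
    within the retention window but are absent from the archive: exactly
    the gap a discovery request or regulatory inquiry would expose."""
    end = date.fromisoformat(period_end)
    start = end - timedelta(days=window_days)
    suffix = "@" + party_domain.lower()
    missing = []
    for row in log_rows:
        in_window = start <= row["timestamp"] <= end
        involves = any(addr.endswith(suffix) for addr in row["parties"])
        if in_window and involves and row["message_id"] not in archived_ids:
            missing.append(row["message_id"])
    return missing


if __name__ == "__main__":
    gaps = missing_from_archive(parse_log(MESSAGE_LOG), ARCHIVE_INDEX,
                                "customer.example", "2004-03-01")
    print("Customer messages not archived:", gaps)
```

With full journaling the archive index would contain every ID in the log and the check returns an empty list; with the BCC policy it reports whatever individual users forgot.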
This was first published in March 2004