"We have heard CIOs and IT managers ask, 'Are our e-mail systems compliant? Will they provide the forensic capabilities required for court submission? Are our e-mail policies creating compliance nightmares?'" says FSS CIO Andy Whitaker. "That last question is often a large cause for their alarm. Many e-mail archiving solutions claim to be compliant. But compliant to what? The answer very much depends on where you are located and in which industry segment you operate."
Whitaker warns that there are often numerous national legal regulations or industry requirements for organizations to follow in order to be truly compliant when archiving e-mail.
"Beware of so-called policy-based e-mail archive solutions," warns Whitaker. "Unless these cover everyone within an organization, without exception, they're not providing true compliance. E-mails from everyone who corresponds with an organization, inside or outside, often must be retained for the maximum length of time stipulated in any relevant legal or industry regulation."
He recommends that CIOs and IT managers consider three main features when assessing an e-mail compliance product for use within their organizations:
- Integrity -- Archived e-mail must be an exact duplicate of e-mail as it was received at the e-mail server. It must be protected from modification and deletion during the time it is retained in the e-mail archive.
- Privacy -- Archived e-mail must only be available to the sender and recipients of the e-mails or authorized e-mail archive administrators.
- Auditability -- Archived e-mail must generate an audit trail documenting any and all access to the e-mail stored, which must also be secure from tampering or deletion. The audit trail should log what actions were performed and what e-mails were recovered or viewed along with the identity of the person performing the search.
- Point 1: Captures All -- If you cannot capture all e-mail data then you cannot be truly compliant.
- Point 2: Excludes None -- If you use complex policies and exclude some data you will not meet compliance regulations.
- Point 3: Shows Tampering -- If a system isn't tamper-proof and evidence of tampering cannot be determined then it cannot be compliant.
- Point 4: Audits Everything -- If you cannot audit or trace the who, what and why of an e-mail archive search then you can't be truly compliant.
- Point 5: Alters Nothing -- If data stored cannot be retrieved and proven not to be altered since stored in the e-mail archive then you are not truly compliant.
- Point 6: Controls Access -- If you cannot show control over access to the archive then you are not truly compliant.
- Point 7: Assures Forensics-Grade Reporting -- If you can't provide forensic-grade reporting then you are unlikely to meet compliance regulations.
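The Integrity, Privacy and Auditability features above, and the "Shows Tampering", "Audits Everything" and "Alters Nothing" points, describe properties that can be checked mechanically rather than taken on a vendor's word. The following is an added example, not FSS's product code or anything from the article: a minimal write-once archive model that records a SHA-256 digest of each message exactly as received, restricts retrieval to the sender, recipients and named administrators, and keeps an HMAC-chained audit log so that a modified message or a removed audit entry is detected on verification. The audit key, administrator name, addresses and message bytes are all constructed for illustration.

```python
"""Tamper-evident e-mail archive model: content digests at ingest plus an
HMAC-chained audit log. Added example, not the vendor's product code; all
messages, addresses and the audit key are constructed for illustration."""
import hashlib
import hmac
import json
from email import message_from_bytes
from email.utils import getaddresses


class IntegrityError(Exception):
    """Stored bytes no longer match the digest recorded at ingest."""


class Archive:
    GENESIS = "0" * 64  # 'previous MAC' for the first audit entry

    def __init__(self, audit_key: bytes, admins: set[str]):
        # Assumption: the audit key lives in a separate audit service, so an
        # attacker with archive access alone cannot re-sign the log.
        self.audit_key = audit_key
        self.admins = set(admins)
        self.messages: dict[str, bytes] = {}    # id -> exact bytes as received
        self.digests: dict[str, str] = {}       # id -> sha256 hex at ingest
        self.readers: dict[str, set[str]] = {}  # id -> sender and recipients
        self.audit_log: list[dict] = []

    def _audit(self, actor: str, action: str, message_id: str, detail: str = "") -> None:
        """Append an entry whose MAC covers its content and the previous MAC."""
        prev = self.audit_log[-1]["mac"] if self.audit_log else self.GENESIS
        entry = {"seq": len(self.audit_log), "actor": actor, "action": action,
                 "message_id": message_id, "detail": detail, "prev": prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(self.audit_key, body, "sha256").hexdigest()
        self.audit_log.append(entry)

    def ingest(self, message_id: str, raw: bytes) -> str:
        """Store the message bytes unchanged; return the digest recorded for them."""
        if message_id in self.messages:
            raise ValueError("archive is write-once: %s already stored" % message_id)
        msg = message_from_bytes(raw)
        parties = getaddresses(msg.get_all("From", []) + msg.get_all("To", [])
                               + msg.get_all("Cc", []))
        self.messages[message_id] = bytes(raw)
        self.digests[message_id] = hashlib.sha256(raw).hexdigest()
        self.readers[message_id] = {addr.lower() for _, addr in parties if addr}
        self._audit("mta", "ingest", message_id, self.digests[message_id])
        return self.digests[message_id]

    def retrieve(self, actor: str, message_id: str) -> bytes:
        """Return the message only to a participant or admin, after re-checking its digest."""
        allowed = actor.lower() in self.readers.get(message_id, set()) or actor in self.admins
        if not allowed:
            self._audit(actor, "denied", message_id)
            raise PermissionError("%s may not read %s" % (actor, message_id))
        raw = self.messages[message_id]
        if hashlib.sha256(raw).hexdigest() != self.digests[message_id]:
            self._audit(actor, "integrity_failure", message_id)
            raise IntegrityError(message_id)
        self._audit(actor, "retrieve", message_id)
        return raw

    def verify_audit_log(self):
        """Return the index of the first bad audit entry, or None if the chain is intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.audit_log):
            if entry["seq"] != i or entry["prev"] != prev:
                return i  # an entry was removed, reordered or inserted
            body = {k: v for k, v in entry.items() if k != "mac"}
            expected = hmac.new(self.audit_key, json.dumps(body, sort_keys=True).encode(),
                                "sha256").hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return i  # entry content was edited after signing
            prev = entry["mac"]
        return None


def demo() -> dict:
    """Walk through ingest, authorized and denied access, then two tamper checks."""
    archive = Archive(audit_key=b"constructed-audit-key", admins={"archive-admin"})
    mid = "<msg-1@example.com>"  # constructed message id
    raw = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
           b"Subject: Q3 numbers\r\n\r\nAttached as discussed.\r\n")
    archive.ingest(mid, raw)
    archive.retrieve("bob@example.com", mid)          # recipient: allowed, logged
    try:
        archive.retrieve("mallory@example.com", mid)  # outsider: denied, logged
    except PermissionError:
        pass
    # Simulate a modification of the stored bytes behind the archive's back.
    archive.messages[mid] = raw.replace(b"Attached", b"Not attached")
    try:
        archive.retrieve("archive-admin", mid)
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    chain_ok_before = archive.verify_audit_log() is None
    del archive.audit_log[1]  # simulate removal of the record of bob's access
    return {"tamper_detected": tamper_detected, "chain_ok_before": chain_ok_before,
            "first_bad_entry": archive.verify_audit_log(), "entries": len(archive.audit_log)}


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the "Shows Tampering" requirement. Verifying the digest on every retrieval, not only at ingest, is what turns a silently altered message into a logged integrity failure. And a hash chain only detects deletion or reordering in the middle of the log; silently truncating the most recent entries is invisible unless the latest MAC is regularly anchored somewhere the archive operator cannot rewrite, such as a time-stamped copy held by a separate audit service.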