In the world of compliance, securing email is a lot like sex: everybody does it, few discuss it, and none really know whether their technique is quite right.

By comparison, many other compliance challenges pose relatively simple obstacles for IT staff. A finance application, for example, can be sealed off from workers without proper access authority, and tasks can be audited and automated to ensure proper segregation of duties and to minimize manual processes. Similarly, a whistleblower system can run behind the comforting anonymity of a third-party provider.

Email, however, is different.

Email is nearly ubiquitous and indispensable in Corporate America, and employees have enormous power and freedom to decide exactly how they will use and leverage it.

Its distributed nature makes it notoriously difficult to control, and the regulations specifying its oversight are diverse and confusing: the Health Insurance Portability and Accountability Act (known as "HIPAA") and the Gramm-Leach-Bliley Act, for example, aim to ensure privacy, while the Sarbanes-Oxley Act of 2002 aims for data integrity.

Technically, securing email is no simple task; throw in regulatory complexity, and the challenge becomes even more daunting.

“The requirements around regulatory issues sometimes befuddle people, who say, ‘I’ve got to capture this information,’” says Tom Politowski, president of Waterford Technologies, a maker of security software in Irvine, Calif. “Actually, the capture is probably the easiest and the weakest part of what they have to do.”

So what's the hard part?

According to experts, the most significant challenges involve devising company-specific security controls to enforce business practices dictated by SOX, HIPAA and other regulations and standards.

When it comes to SOX, the most challenging provision for public companies has clearly been Section 404, which requires them to report on the effectiveness of their internal control over financial reporting. According to the internal control framework promulgated by the Committee of Sponsoring Organizations of the Treadway Commission—widely utilized by public companies for their SOX 404 work—internal control is "broadly defined as a process ... designed to provide reasonable assurance" regarding the achievement of several objectives, including the effectiveness and efficiency of operations. According to the COSO framework, that effectiveness and efficiency should address an entity's basic business objectives, including performance and profitability goals and safeguarding of resources.

However, some would argue, you can't safeguard your resources if you can't safeguard your email. That's because most business decisions—not to mention the actual data—are discussed, transported, and stored in corporate email systems. For most companies, ensuring that data cannot be accessed or tampered with is considered critical to the reliability of financial reporting.

But there are other issues at risk here, too.

Consider Sarbanes-Oxley's focus on segregation of duties. According to Compliance Week's monthly analysis of internal control weakness disclosures, approximately 30 percent of the weaknesses reported in 2004 were related to personnel issues, with many citing a lack of segregation of duties. On the organizational chart, managers can achieve theoretical compliance simply by hiring more people or re-assigning responsibilities. Such moves, however, can stick the IT department with complex challenges regarding user IDs, authentication, access privileges, and data encryption. In other words, just adding another body doesn't necessarily solve the problem—the access provided to the legacy individual needs to be modified or restricted, and email accounts need to be severed or added accordingly.

Email challenges become even more vast for companies that don't have a universal financial system that is deployed ubiquitously throughout the enterprise. That's because at those companies, including many smaller companies with less than $1 billion in revenue, it's not uncommon for business unit financials to be completed using Microsoft Excel spreadsheets, and then to be emailed—yes, emailed—to a global controller during the roll-up process.

Another Drastic Gap

But an optimum solution is tough to get at due to a dearth of information and best practices.

Sanjay Anand, chief executive of the Sarbanes-Oxley Group, a consulting firm in New Jersey, faults a combination of too little specific guidance about IT controls in frameworks like COSO, and too much chatter from software vendors all claiming they can solve a company’s email security problems.


“That’s where we see another drastic gap,” Anand says. “We’re having a hard time figuring out which pieces of technology are going to solve our compliance-related puzzle. It’s really that technology is moving so fast.”

That partly explains why many companies refuse to discuss email security and storage policies. Certainly they don’t want to disclose IT security details to potential hackers, and a degree of secrecy even with employees can be useful too. But, also, many still don’t quite know what to do about email-related compliance issues.

“We save everything—or, as much as we can, really,” says Ken Proper, deputy chief information officer at Taser International, the $67 million maker of stun guns. He divides the company’s electronic communications worries into two: Web traffic—including Hotmail and other anonymous Web-based email services—and email traffic.

“If you have one good tool for each, that’s really all you need,” Proper says. “If you have it configured right, you capture all your traffic in and out.”

If you think that sounds an awful lot like the strategy most companies used last year to comply with Section 404 of SOX, where they documented every control they could find just to be on the safe side with regulators, you’re right. In much the same way, executives would rather just archive every communication they make, and focus more on how to provide requested emails and other communications to regulators in a prompt fashion.

Or, as Politowski puts it: “A lot of companies say, ‘Oh, let’s just get a few big boxes and manage them, and call it a records retention system’.”

Indeed, a considerable part of Taser’s efforts consist of copying all its communications from the company’s two Microsoft Exchange mail servers onto a third server managed by Waterford software, and then running activity reports on that second database of emails, Roper says. The company has 300 users and can generate more than 10,000 emails a week; Roper creates weekly reports of email usage, volume and policy infractions, and has the system alert him to major aberrations.
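One way the weekly usage, infraction and aberration reporting that Roper describes could be implemented, shown here as an added example that is not the article's or any vendor's code: it runs over a constructed journal of email metadata, and the company domain, the "spreadsheet sent outside the company" infraction rule and the z-score threshold are assumptions.

```python
# Added example, not from the article or any vendor product: weekly usage,
# infraction and aberration reporting over a constructed email journal.
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_DOMAIN = "example.com"             # assumption: the company's mail domain
SPREADSHEET_EXT = (".xls", ".xlsx", ".csv")  # the Excel roll-up case from the article

# Constructed journal records: (ISO week, sender, recipient, attachment name or None)
JOURNAL = []
for wk in ("2004-W10", "2004-W11", "2004-W12", "2004-W13"):
    JOURNAL += [(wk, "alice@example.com", "bob@example.com", None)] * 10
    JOURNAL += [(wk, "carol@example.com", "dave@example.com", "notes.txt")] * 5
# Week 13: carol's volume jumps, and a financial spreadsheet leaves the company
JOURNAL += [("2004-W13", "carol@example.com", "x@partner-mail.invalid", None)] * 30
JOURNAL += [("2004-W13", "carol@example.com", "ctrl@webmail.invalid", "q1_rollup.xlsx")]


def weekly_report(journal, week):
    """Per-sender volume and policy infractions for one week.
    Infraction rule (assumed): a spreadsheet sent to an external recipient."""
    counts = defaultdict(int)
    infractions = []
    for wk, sender, rcpt, attachment in journal:
        if wk != week:
            continue
        counts[sender] += 1
        external = not rcpt.lower().endswith("@" + INTERNAL_DOMAIN)
        if attachment and attachment.lower().endswith(SPREADSHEET_EXT) and external:
            infractions.append((sender, rcpt, attachment))
    return dict(counts), infractions


def aberrations(journal, week, z=3.0):
    """Senders whose volume this week exceeds their prior-week mean by z std devs.
    A floor of 1.0 on the std dev keeps a perfectly steady baseline from alerting
    on a one-message change."""
    history = defaultdict(lambda: defaultdict(int))
    for wk, sender, _, _ in journal:
        history[sender][wk] += 1
    flagged = []
    for sender, per_week in history.items():
        prior = [n for wk, n in per_week.items() if wk < week]
        if len(prior) < 2:          # need a baseline before judging aberrations
            continue
        this_week = per_week.get(week, 0)
        if this_week > mean(prior) + z * max(pstdev(prior), 1.0):
            flagged.append((sender, this_week, round(mean(prior), 1)))
    return flagged
```

Run against a real journal, the same two functions give the weekly volume report, the list of policy infractions to review, and the senders whose week deviates enough from their own history to warrant an alert.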

Separate Pockets

A more sophisticated approach is not necessarily easy. Screening tools to catch errant emails abound, yes, but they are more helpful for compliance obligations such as HIPAA or the Gramm-Leach-Bliley Act, which primarily want to protect sensitive personal data from falling into the wrong hands. SOX is a different beast, in that it forces companies to worry about authorized users manipulating data in authorized ways.


“I think you’ll continue to see a large focus on identity management because of that,” says Brandon Dunlap, former chief information security officer at Constellation Energy Corp. and now director at Bindview Corp., an IT security software maker in Houston.

Dunlap worries that large enterprises establish authorization and authentication controls, but fail to tie them back into a central personnel database. “People are managing all these identities in separate pockets,” he says. When it comes time for an audit, “you’re gonna get whacked.”

Then there’s the matter of looking to various blueprints like the COSO or CobIT frameworks for guidance. Neither, Anand asserts, offers much help in deciding what IT security policies to adopt. COSO, for example, addresses risks that arise from poorly segregated duties—but it is silent on what might be a good IT structure to prevent that.

For IT security, the frameworks “find you a place to start, that’s it,” Anand says. “If you’re looking for a be-all-and-end-all complete set of practices, it’s bad news for you.”

That leaves most businesses today following the obvious path: Warn employees that emails can be monitored, archive every message, and do periodic audits to see that rules are being followed. Tools to prevent infractions remain as elusive and fledgling for email as they do for any other realm of internal controls.

“Sarbanes is very much that harsh spotlight that gets shined around a room,” Dunlap says. “You find things that you didn’t normally know about, or things you thought were okay come under a much tighter scrutiny.”
