Roadmap to Email Archiving and Compliance
By Sheila Childs, Elliot King, and Kieran McCorry
Sponsored by Sherpa Software
Contents

Chapter 1: Regulatory Compliance
Kieran McCorry
    Highlights from Key Legislation . . . 1
    PSTs . . . 6

Chapter 2
Kieran McCorry
    Archiving, Compliance, and Journaling . . . 7
    A Brief History . . . 8

Chapter 3: Is Your IT Infrastructure Compliance-Ready?
Elliot King
    Checklist 1: Major Regulations . . . 13

Chapter 4
Elliot King
    Shockingly Risky Storage Behavior . . . 16
    Inadequate Business Continuity Planning . . . 16
    Ignoring Email Compliance . . . 16

Elliot King
Elliot King
Chapter 1: Regulatory Compliance
Practical advice for Exchange administrators
Kieran McCorry
The term regulatory compliance is in the everyday vocabulary of many individuals responsible for designing, implementing, and managing Exchange email systems. A rush of legislation has come into effect recently, and companies both large and small are seeking ways to make their messaging systems comply with the new directives.

However, the various pieces of legislation don't explicitly define exactly how or when email needs to be retained. This is a boon for lawyers who thrive on interpretation, but it is less helpful for Exchange systems administrators who are looking for cost-effective, easy-to-implement solutions to keep them from falling foul of the law. In this chapter, I look at some of the main provisions in the most relevant pieces of compliance legislation and translate them, as best I can, into practical advice for Exchange system administrators.
Highlights from Key Legislation
Table 1 summarizes some key pieces of legislation that are likely to be of interest to Exchange systems administrators. Some of the main provisions in these pieces of legislation clearly identify areas that many Exchange administrators must address. Let's focus on two of the better-known directives mentioned in Table 1: the Sarbanes-Oxley Act of 2002 (SOX) and the Securities and Exchange Commission (SEC) Rule 240 Section 17a-4 (17 CFR 240.17a-4) directives.
Table 1: Major Compliance Legislation

Legislation: SOX (Sarbanes-Oxley Act of 2002)
Jurisdiction: US and multinational companies listed on US stock exchanges
Sector: All companies traded publicly on US stock exchanges; private companies in the accounting and finance sector
Main provisions: Particular focus on company officers and finance personnel; company officers can be imprisoned for up to 20 years for willfully deleting an email message in contemplation of a federal investigation; requires all correspondence (including electronic records) related to an audit or review of a public company to be retained for 5 years.
Brought to you by Sherpa Software and Windows IT Pro eBooks
Table 1: Major Compliance Legislation (continued)

Legislation: SEC Rule 240 Section 17a-4 (and National Association of Securities Dealers, NASD, regulations 3010/3110)
Jurisdiction: United States
Sector: Financial services
Main provisions: Records must be preserved exclusively in nonrewritable, nonerasable format; the quality and accuracy of the media-recording process must be automatically verified; storage media must be serialized (i.e., stored in the order in which they are processed, or at least carry meta-information that indicates the order) and time/date stamped; you must be able to readily download indexes and records; a duplicate copy of all records must be stored separately from the original; records must be retained for 6 years, and in an easily accessible format for the first 2 years.

Legislation: Financial Services Modernization Act of 1999 (aka Gramm-Leach-Bliley Act)
Jurisdiction: United States
Sector: Financial institutions and firms offering financial products and services
Main provisions: Allows fines and up to 5 years' imprisonment for company officers if institutions do not "ensure the security and confidentiality of customer records and information" and, crucially, "protect against any anticipated threats or hazards to the security or integrity of such records."

Legislation: Basel II Capital Accord
Jurisdiction: 13 member countries of the Basel Committee on Banking Supervision (mostly in Europe, but including the United States, India, and China)
Sector: Banking/financial companies (the European Union, EU, will apply the same rules to investment firms)
Main provisions: Full data capture must allow operational risk factors to be identified and analyzed; processes must have been in place from 2004 to allow implementation to begin in 2007 (2 years of data to be available).

Legislation: Freedom of Information Act 2000
Jurisdiction: UK (other European countries have similar acts)
Sector: Government
Main provisions: Gives anyone the right to access information held by public bodies; information can be withheld where an exemption applies and the public interest in withholding it outweighs the public interest in disclosure.

Legislation: Data Protection Act 1998
Jurisdiction: UK
Sector: All
Main provisions: Requires an organization to release all personal information it holds about an individual within 40 days of that individual's subject access request.