Posts Tagged ‘email compliance’
Most users will agree that email is a mission critical business tool. Confidential business information, proposals, and contracts are sent via email daily all over the Internet, and most users never give a second thought to the sensitive, privileged, and sometimes critical information they are sending in the clear, where anyone with a protocol analyser on the path can read it.
They may not even realise that they could be violating company policy, contractual obligations, or even legal statutes regarding the transmission of confidential information. All companies should have policies regarding the transmission of sensitive information through email. While a policy that prohibits any such information being sent using email could greatly reduce the chance of disclosure, the reality of business communications is that this is not a practical approach.
This is part one of a three part series in which we discuss the issues that surround and influence securing email. In part two we will discuss the pros and cons of server side solutions: SMTP/TLS and routing email over VPN connections. In part three we will look at the pros and cons of client side solutions: PGP and S/MIME. If you’d like to understand more about why we would want to encrypt email, please read on.
Thanks for sticking with us, and welcome to part three of this series on securing email. In part one we introduced the challenge and three influences: compliance, technology, and support. In part two we looked at SMTP/TLS and routing SMTP over a VPN as server side solutions. In this final part we look at client side solutions, which secure the message itself from sender to recipient rather than only the hop between mail servers.
There are two standard ways to do this: S/MIME and PGP. Both rely on public-key cryptography and some form of key management (an X.509 certificate hierarchy for S/MIME; a web of trust or a managed keyring for PGP), and both require client side configuration. As such we may find that we need to work with yet another part of the IT department: the desktop support team. They own the desktops and will be responsible for the client side configuration either solution needs.
Client to client solutions may be the most challenging approach for a number of reasons. We will need to ‘touch’ the clients, and we will need to implement something that the recipient systems can actually decrypt and verify. On the server side we can split up our SMTP exchanges, sending some out to the Internet in the clear, others over a VPN, and still others using SMTP/TLS, and no one outside our own mail servers has to change anything. With client side solutions, what we deploy on our clients must match what the partner organisation has deployed on theirs, because S/MIME and PGP messages are not mutually readable. If we have two partner organisations where one chose S/MIME and the other went with PGP, we may need to purchase and support both on every client that must communicate with both partners.
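One way to realise the server side split described above is a per-destination TLS policy on the outbound MTA. The configuration below is an added example, not from the original series; it assumes Postfix, and the partner domain names, the VPN relay host and the map file paths are placeholders.

```conf
# main.cf (assumed Postfix 3.x; added example, not the original series' config)

# Default for everyone else: opportunistic TLS. On its own this is the weak
# setting, because a man-in-the-middle that strips STARTTLS silently downgrades
# the session to cleartext, exactly the exposure part one warns about.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# Per-destination overrides of the default policy.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Per-destination next hop, used to push selected domains into the VPN.
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/tls_policy (assumed partner names)
# partner-a.example: mandatory TLS; the server certificate must chain to the
# CA bundle and match the partner's hostname. If it does not, mail is
# deferred, never sent in the clear.
partner-a.example      secure match=.partner-a.example:partner-a.example
# partner-b.example is delivered through the VPN relay (see transport map);
# the tunnel provides confidentiality, so plain SMTP inside it is acceptable.
partner-b.example      none
# partner-c.example: encryption is enforced but the certificate is not
# verified. Stronger than "may", but an active attacker who can present any
# certificate can still read the traffic.
partner-c.example      encrypt

# /etc/postfix/transport (assumed relay host reachable only over the VPN)
partner-b.example      smtp:[vpn-relay.internal.example]:25
```

After editing the two map files run `postmap /etc/postfix/tls_policy` and `postmap /etc/postfix/transport`, then `postfix reload`. `posttls-finger -l secure -c partner-a.example` (Postfix 2.11 and later) tests the `secure` policy against the partner's MX before any real mail depends on it, and the mail log shows `Verified TLS connection` only when the certificate check passed.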
IT managers must account for many demands on their time and resources. Storage is always an issue and having to estimate the growth needs of the company and all the various departments can be a time-consuming and sometimes thankless job.
Estimating email storage needs starts with a few assumptions: the average message size in bytes, attachments included; the number of messages each user sends and receives per day; and the number of users per email server. Multiplying those three gives the daily growth per server, and multiplying that by the retention period in days gives a starting point for how much storage to allocate. The busiest hours of the day matter for I/O sizing rather than capacity.
The same calculation, with the archive’s own (usually much longer) retention period, also gives the storage to allocate for archiving.
Archiving email messages can save an IT data center in many ways. Some of the reasons for archiving email messages include:
So you’re thinking of acquiring a new email archiving tool and need to craft an acquisition and implementation strategy. Here are some things you may want to consider.
Regulations, rules, requirements and product warranties can make buying archiving tools a minefield. By consulting your corporate legal and compliance people, as well as your company’s business managers, you can get an idea of where those mines are buried. The same conversations that teach you which requirements the new tools must meet also build support for them among your legal and compliance people.
When garnering information from legal and business colleagues, it’s important not to lose sight of your role as a technology advocate. While it’s critical to know what your new archiving tools must do to meet compliance and warranty demands, it’s also crucial that those unschooled in the intricacies of storage management understand basic concepts, such as the distinction between backups and archiving and the hard and soft costs attached to storage.
Keep in mind that your new archiving tools need to do more than meet compliance requirements if they’re going to be accepted by your users. After all, you don’t want to trade one headache (jumping through compliance hoops) for another (a disgruntled user base that sees your new technology as an impediment to doing its job).
In my previous post I wrote about Los Angeles’ decision to consider Google Apps for email and other applications. Although it gets attention for cost savings, there are some real concerns with email in the cloud, especially in government organizations that are required to comply with security and privacy policies and regulations.
The World Privacy Forum’s letter to the Mayor of LA went into some detail about why they don’t think it’s a good idea. Let’s take a look at some of the major points in WPF’s letter. The first four points address medical and health-related information, domestic violence and sexual assault information, substance abuse information, and sensitive information in general. The Google/LA deal doesn’t address any of these areas, or any of the applicable regulations such as HIPAA, the Violence Against Women Act, or 42 CFR Part 2 (the federal regulation governing confidentiality of substance abuse treatment records). The legalities of complying with these statutes when cloud computing is used to send and store the data are still fuzzy, and could leave the city government open to liability.
Archiving Microsoft Exchange email and its associated data pays off in several ways. Archiving makes it practical to answer government regulatory or civil litigation searches for ediscovery requests. It also allows for more complete journaling, and it reduces the storage pressure from both mailbox growth and the variety of storage devices that have to be supported.
Although reducing storage costs is the common denominator for email archiving, compliance requirements are moving more companies to implement archiving strategies. Depending on the motivation, the cost savings on storage mean different things to different people. For some, compressing and deduplicating email reduces licensing as well as storage hardware costs. For others it means being able to give end users a mailbox with virtually unlimited space.
By the end of 2008, Canadian financial services firms were expected to become subject to tough new email storage, retrieval and archiving rules. Firms found in non-compliance could face fines in the millions of dollars and penalties that could land individuals in prison.
The Canadian Securities Administrators (CSA) had proposed a national instrument that would force securities dealers and portfolio managers to abide by stricter rules designed to require more secure archiving of email. The costs of non-compliance included multi-million dollar fines, criminal indictments, and exorbitant e-discovery costs.
Canadian financial services firms, including securities dealers and portfolio managers, could incur these in the not too distant future if they violated the pending rules proposed by the CSA.
Thirteen securities regulators of Canada’s provinces and territories make up the CSA forum that coordinates and regulates the Canadian capital markets.
The new, stricter proposal for e-mail storage and retrieval rules is known as National Instrument 31-103 (NI 31-103).
Something smells fishy in New Orleans, and it’s not the etouffee.
Political email scandals seem to be more plentiful than ever, and the latest focus is on New Orleans mayor Ray Nagin. It seems there are actually two controversies. The first revolves around the city sanitation director, who gave an attorney emails of council members who had been critical of her job performance. Nagin only said that the director’s actions were “unusual.” However, city policy appropriately states that electronic records, including emails, should be reviewed by and provided by the city attorney’s office.
Nagin also took the opportunity to try to explain away why two years of council email was even available to the sanitation department. On to the second controversy: Curiously, the controversy over the release of emails came not too long after the mayor had stated that all of his communications for 2008 had been deleted to save space. To save space! Ray, you’ve got to be kidding. Are you really that computer illiterate? Do you think we’re actually going to buy that the city of New Orleans couldn’t afford to buy an extra backup drive, or even a handful of writable disks for archiving your emails? After all the controversy about politicians deleting emails, you still did it? Surely, the good mayor knew that the emails could have been easily archived, and surely, he knew that good governance demands that records be kept. I want to know what you have to hide.
Today, most enterprises turn to Email Archiving and Management (EAM) to reduce costs and control information overload. With digital information, specifically email and messaging, mushrooming faster than most enterprises can manage it, EAM projects have become a cost of doing business and a business necessity.
The “Email Archiving and Management Report”, published by CMS Watch, provides a clear strategy for your implementation team.
The domain of EAM is broad enough to touch multiple areas within your enterprise, including both technical and business departments. Managers have several common reasons to justify applying EAM technologies:
- To be proactive with legal requests and ediscovery requests
- To be in compliance with local governing requirements regarding information management
- To improve the performance of their e-mail environment (Exchange, Notes, or Groupwise)
- To reduce email volume on servers to reduce the need to buy more licenses
- To provide backup and disaster recovery for their e-mail system
- To improve storage management costs and needs
The marketplace keeps finding new reasons for applying EAM technologies. Compliance, for example, is a relatively new rationale. Traditionally, the sales and buying processes focused on systems management and storage requirements.
FederalComputerWeek is reporting that a federal judge has ordered the White House to search the computers of people who worked there from 2003-2005 for millions of missing emails from that period. Here’s an excerpt:
Judge Henry Kennedy of United States District Court for the District of Columbia also ordered officials of that office to collect and preserve any e-mail messages that were sent or received during that period. EOP officials are also to collect from the office’s employees any electronic media that may contain e-mail messages from that time and preserve them.
The order comes just days before the inauguration, when presidential documents are to be handed over to the National Archives for safekeeping to comply with the Presidential Records Act.
Two separate organizations are suing the White House alleging they violated the Federal Records Act (FRA) by not properly archiving emails. The groups allege that many of the missing emails may contain information about the Iraq war, FEMA’s response to Hurricane Katrina, and the Valerie Plame leak investigation. A White House spokeswoman says they will comply with the order.