Regulatory requirements are putting pressure on IT to develop policies and procedures for e-mail archiving and security.
By Jeff Brandes
E-mail is the lifeblood of modern commerce, and preserving and protecting e-mails is now a critical business function.
E-mail is crucial to internal communications, as well as to reaching suppliers and customers. According to the 2003 E-Mail Rules, Policies and Practices Survey, by the American Management Association (AMA), The ePolicy Institute, and Clearswift, the average employee spends 25% of the workday on e-mail, with 8% of workers devoting more than four hours a day to e-mail. Unfortunately, although e-mail remains highly cost-effective compared to other means of communicating, it is far from "free."
For one thing, e-mail archiving is becoming increasingly expensive. Thanks in large part to new regulatory requirements like HIPAA and SEC rules such as 17a-4, many organizations are now mandated to archive e-mail—in some cases for years—and be able to provide access on demand. Furthermore, there is the expectation that storage of e-mail be secure—eliminating the potential for tampering, unauthorized access, or inadvertent damage.
There are a number of solutions to the e-mail problem, ranging from carefully thought out policies and procedures to implementation of various software solutions and dedicated appliances.
Once upon a time, e-mail was rarely, if ever, archived. Administrators often implemented automatic disposal policies to save disk space or exhorted users to delete their own backlogs. But various events and legislation changed all that. Most obvious to the general public was the Enron scandal, which made electronic document retention a familiar concept to all. Indeed, according to the AMA study cited above, e-mail is now a primary source of evidence in high-profile discrimination, sexual harassment, and antitrust claims and is regularly used to bolster cases, embarrass organizations, and damage reputations. The AMA's survey of 1,100 US companies reveals that 14% of the respondents had been ordered by a court or regulatory body to produce employee e-mail, up from 9% just two years ago.
Despite growing scrutiny from courts and regulators, the AMA says most organizations are doing a poor job of managing e-mail business records and preparing for the likelihood of e-mail discovery. For instance, only 34% of employers have a written e-mail retention-and-deletion policy in place today. That's the same figure reported in 2001, 12 months before five Wall Street brokerages were fined a total of $8.3 million for failing to retain e-mail.
A new study by Osterman Research Inc. shows that many companies in regulated industries mistakenly believe regulations governing e-mail retention do not apply to them, placing them at greater risk of costly legal exposure and loss of critical information. EMC and KVS Inc., a provider of content-archiving software, co-sponsored the Osterman survey.
Osterman surveyed 100 North American organizations in a variety of industries, including financial services, government, and life sciences, ranging in size from 500 to 150,000 e-mail users. About 89% of the organizations surveyed were in industries that require e-mail retention, such as financial services. However, just 29% of those regulated companies believe they have a legal requirement to retain e-mail for a minimum period of time.
The Osterman report also revealed that only 57% of the surveyed companies have an e-mail retention policy in place, and in most cases, these policies still do not meet regulatory requirements.
Furthermore, the ever-growing list of regulations applicable to e-mail—some actually dating back several years but only now coming into full force—has put more substantial consequences into the record retention picture. Financial, accounting, and healthcare organizations now have an array of regulations mandating extensive retention. For example, SEC rule 17a-4 states that "every member, broker and dealer subject to Rule 17a-3 shall preserve [certain records] for a period of not less than six years, the first two years in an easily accessible place." NASD, for its part, has imposed conduct rules 3010 and 3110, and the federal government has imposed the Sarbanes-Oxley Act of 2002.
Similar requirements relate specifically to the healthcare and pharmaceutical industries, including HIPAA and FDA regulation 21 CFR Part 11, respectively. And government agencies have their own set of record-retention requirements, including GRS-20, NARA 94-04, and NARA 98-02, the proposed standards of the ERWG (Electronic Records Working Group), and the records management transfer, screening, and destruction standards of DOD 5015.2.
Even individual states are getting into the act. As of July 1, 2003, a new California law, Senate Bill 1386, mandates that any person or business conducting business in California must report any breach of security resulting in the disclosure to an unauthorized person of personal information in electronic form. The law exempts encrypted data, presumably because the effort involved in encryption shows a commitment to maintaining data security.
According to Osterman, most industry regulations also demand that companies store information in a non-deletable format, but more than half of the companies in the Osterman survey have no mechanism in place to prevent users from deleting messages that must be kept long-term. Aside from the legal ramifications, Osterman points out that doing business without a comprehensive archiving policy severely strains a company's financial and human resources.
Osterman found that many companies with e-mail archiving in place do not have the means to quickly search for and produce specific e-mails. On average, restoring the oldest retrievable e-mail would require 9.6 person-hours—more than a full day of staff time to find just one message.
The seriousness of the problem is further underscored by Kasten Chase, a provider of data security products, which recently conducted The Storage Security Survey with support from, and the participation of, the eight corporations and storage vendors that make up the Secure Networked Storage Advisory Council. While the focus was not on e-mail archiving, according to the survey 94% of respondents indicated that their clients are increasingly concerned about the level of data security used to protect the confidentiality of their personal information. Furthermore, 97% of respondents agreed that customers and investors might lose confidence and trust in a company if it could not demonstrate that an appropriate level of storage security is being used to protect data.
Faced with these challenges and concerns, security vendors and end users are beginning to explore a number of approaches to solving the problem. These range from implementing and enforcing e-mail policies to acquiring software and appliances that are focused on e-mail archiving and security.
This changed environment is also altering storage practices. Once relegated to tape archives, optical disks, or file cabinets, in some cases so-called fixed content is being driven online, fueled by regulatory requirements, digitization of industries like healthcare and financial services, and the desire to leverage this content into new services and revenue streams. Just as the growth of applications such as computer-aided design (CAD) and the explosion of the Web drove the use of network-attached storage (NAS), the need to manage, protect, and access fixed content is now a driving force behind new kinds of networked storage. One of those is so-called near-line storage—defined by Network Appliance as storage "that provides quicker random access compared with offline storage," but isn't optimized for "the continuous, high-volume activity provided by primary storage."
Regardless of whether one is talking about digitized x-ray images or e-mails, fixed and archived content share common characteristics. According to EMC, all types of fixed content have three common attributes: long-term value to an organization, the need to remain unchanged, and increased value through fast access with assured content integrity. Solutions that deal with archiving need to address those three attributes.
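The three attributes just listed (long-term value, the need to remain unchanged, and fast access with assured integrity) map naturally onto a content-addressed, write-once archive. The following Python sketch is an added example written for this article; it is not code from any vendor named here and does not reflect the Centera API or any product's internals. It addresses each raw message by its SHA-256 digest, so the address itself doubles as an integrity check; refuses deletion until a configurable retention period has elapsed; keeps a small header index so a single message can be located without a multi-hour restore; and records every operation in an append-only audit log. The retention period, the sample message, and the injectable clock are all constructed for the example.

```python
"""Minimal content-addressed, retention-enforcing e-mail archive (illustrative only)."""
import hashlib
import time
from email import message_from_bytes


class RetentionError(Exception):
    """Raised when a caller tries to delete a record still under retention."""


class IntegrityError(Exception):
    """Raised when stored bytes no longer match the digest they are filed under."""


class ContentAddressedArchive:
    """Stores raw messages under their SHA-256 digest. Records are never overwritten
    and cannot be deleted before their retention period expires."""

    def __init__(self, retention_seconds, clock=time.time):
        self.retention_seconds = retention_seconds
        self.clock = clock      # injectable clock so retention can be exercised in tests
        self._blobs = {}        # digest -> raw message bytes (write-once)
        self._meta = {}         # digest -> retention deadline and indexed headers
        self._audit = []        # append-only log of every archive operation

    @staticmethod
    def address(raw):
        """The content address: a SHA-256 hex digest of the exact stored bytes."""
        return hashlib.sha256(raw).hexdigest()

    def store(self, raw):
        digest = self.address(raw)
        if digest in self._blobs:
            # Identical content already archived: idempotent, nothing is overwritten.
            self._audit.append(("duplicate", digest))
            return digest
        msg = message_from_bytes(raw)
        now = self.clock()
        self._blobs[digest] = bytes(raw)
        self._meta[digest] = {
            "stored_at": now,
            "retain_until": now + self.retention_seconds,
            "from": msg.get("From", ""),
            "to": msg.get("To", ""),
            "subject": msg.get("Subject", ""),
        }
        self._audit.append(("store", digest))
        return digest

    def fetch(self, digest):
        """Return the raw bytes, re-hashing them first so silent corruption is caught."""
        raw = self._blobs[digest]
        if self.address(raw) != digest:
            raise IntegrityError(f"stored bytes do not match address {digest}")
        return raw

    def verify_all(self):
        """List every digest whose stored bytes no longer hash to their address."""
        return [d for d, raw in self._blobs.items() if self.address(raw) != d]

    def delete(self, digest):
        """Delete only once the retention deadline has passed; refusals are logged."""
        meta = self._meta[digest]
        if self.clock() < meta["retain_until"]:
            self._audit.append(("delete_refused", digest))
            raise RetentionError("record is still under retention")
        del self._blobs[digest]
        del self._meta[digest]
        self._audit.append(("delete", digest))

    def search(self, **fields):
        """Exact, case-insensitive header match, e.g. search(subject="...")."""
        return [
            digest for digest, meta in self._meta.items()
            if all(meta.get(k, "").lower() == v.lower() for k, v in fields.items())
        ]

    def audit_log(self):
        return list(self._audit)


# Constructed sample message (not a real e-mail).
SAMPLE_MESSAGE = (
    b"From: trader@example.com\r\n"
    b"To: compliance@example.com\r\n"
    b"Subject: Q3 trade confirmation\r\n"
    b"\r\n"
    b"Confirming the trades discussed this morning.\r\n"
)

SIX_YEARS = 6 * 365 * 86400   # illustrative retention period


def demo():
    """Archive a message, show that early deletion is refused, then expire it."""
    now = [1_000_000.0]
    arch = ContentAddressedArchive(SIX_YEARS, clock=lambda: now[0])
    digest = arch.store(SAMPLE_MESSAGE)
    refused_early = False
    try:
        arch.delete(digest)
    except RetentionError:
        refused_early = True
    now[0] += SIX_YEARS + 1            # advance the clock past the retention deadline
    arch.delete(digest)
    return {"digest": digest, "refused_early": refused_early,
            "remaining": len(arch._blobs), "ops": [op for op, _ in arch.audit_log()]}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the digest is the only key: a record can be located and verified with the same value, and because identical bytes always land at the same address there is nothing a second write could overwrite. A production system would additionally put the blob store on media that enforces write-once semantics and keep the audit log outside the control of archive administrators.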
Policies and procedures
While long traditions and legal precedent already ensure that most organizations are aware of and follow appropriate methods of protecting and archiving important paper documents, the environment for retaining electronic items is still evolving. It is vital that management fully recognize the need to treat electronic data with procedures that match what is applied to hard copy and that adequately address specific regulatory requirements.
With management support, appropriate policies and procedures can be crafted. For example, E-MAIL RULES: A Business Guide to Managing Policies, Security, and Legal Issues for E-Mail and Digital Communication, by Nancy Flynn and Randolph Kahn, Esq. (Amacom, May 2003), lays out a 37-point program for managing e-mails throughout their life cycle. This approach, while daunting, can ensure that e-mail retention efforts aren't haphazard and that money and time are well spent.
Purely on the storage side of the equation, according to the Storage Security Industry Association Forum (SSIF), a group affiliated with the Storage Networking Industry Association (SNIA), best practices are emerging in the area of policies. For starters, the SSIF suggests implementing policies that overlap and interlock to maximize the potential for compliance (see "How to conduct a storage security audit," InfoStor, August 2003, p. 43). More specifically, they suggest steps such as testing system upgrades on non-production devices, getting "references" on all new technologies, and performing periodic audits (e.g., examining system logs for unusual activities).
Some of the other suggestions from the SSIF include setting up zones within a storage network, enforcing strong password protection, using firewalls, cataloging all interfaces to the network, restricting access to infrastructure configuration functions, and always changing default passwords. (For more information, visit www.snia.org/tech_activities/storage_security.)
Of course, it is critical that policies have full management support. Equally important, policies must rely on the best available combination of hardware and software, and technologies should be employed to audit the results. That way human error won't undo best efforts to achieve best practices. Indeed, California's newly passed Senate Bill 1386, with its exemption for encrypted data, might be considered an example of how proper policies can help shield organizations.
E-mail archiving and security can be achieved by any organization using available technologies and implementing management-supported rules, policies, and procedures. The applications available to assist with e-mail management are growing in sophistication but, as with any application, should be carefully evaluated to ensure a fit with an organization's needs and to ensure future scalability. Finally, end users and software providers should consider the simplicity and security offered by archiving and security appliances.
Jeff Brandes is vice president and general manager, distribution operations, at Network Engines (www.networkengines.com) in Canton, MA.
E-mail archiving: Representative vendors
While there is no one "magic bullet" for solving e-mail challenges, there are a growing number of solutions that can provide help. Here's a representative sampling:
BindView Corp., a provider of proactive business policy, IT security, and directory management software, offers BindView Policy Development to help organizations automate the development and distribution of security policies and deploy them across the enterprise. Similarly, BindView Standards Compliance and Regulatory Compliance helps organizations automatically measure compliance against industry standards, creating a state of "audit on-demand" against a variety of security standards, including Sarbanes-Oxley, HIPAA, GLBA, COBIT, and the CIS Benchmarks.
Clearswift, a provider of software for managing and securing electronic communications, delivers the capabilities for organizations to protect against e-mail and Web-based threats, meet legal and regulatory requirements, implement policies, and manage intellectual property passing through networks. The company focuses on establishing and enforcing "e-policies." Clearswift's software portfolio includes MIMEsweeper for e-mail and Web e-policies, ENTERPRISEsuite software for managing e-policies, and MAILsweeper for SMTP.
KVS Inc. is a provider of content archiving software. The company's flagship product, Enterprise Vault, aims to reduce storage costs, simplify management, and enable discovery of content in Microsoft Exchange and SharePoint Portal Server environments. KVS and EMC have partnered to create a specialized network storage system designed to meet regulated retention requirements. KVS has integrated its Enterprise Vault messaging archive software with EMC's Centera Compliance Edition content-addressed storage (CAS) system, allowing companies to better manage their corporate assets and ensure that e-mail storage policies are compliant.
Tumbleweed Communications Corp., a provider of secure messaging applications, recently completed the integration of its Message Monitor 5.2 software with EMC's Centera and Centera Compliance Edition CAS systems. Tumbleweed's e-mail content filtering solution can identify suspected violations of securities industry regulations based on lexical analysis and rules-based policy engines, providing productivity enhancements to organizations that need to process hundreds of thousands of messages per day. Message Monitor 5.2 now integrates directly with the EMC Centera API.