Past News - CIOInsight
Executive Summary: Sarbanes-Oxley: Worse than No Solution at All?



By Larry Loeb


Table of Contents:
1. Executive Summary: Sarbanes-Oxley: Worse than No Solution at All?
2. Control of Multiple Locations
3. Making Documents More Reliable

Many executives believed some extra regulation was needed, but few are enthusiastic about Sarbanes-Oxley; some have delisted their companies to get out from under. But what is it and how does it affect you?


Making Documents More Reliable (Page 3 of 3)


Chaining trust

There are some generally agreed-upon attributes that increase the trustworthiness of an electronic record through its lifecycle.

But in a practical sense, what are the features to look for in a solution that creates a chain of trust linked to a record? What will pass muster as an acceptable electronic document control?

Let's consider some specific points about what a solution should offer in order to fulfill this important requirement.

1. The solution should offer as close to real-time snapshots as possible. The tighter the window, the less opportunity there is for someone to muck about with the message or its contents.

2. Audit logs should be both extensive and detailed. It is also imperative that the solution be able to sequence together e-mail trails from multiple sources. It has become standard practice for prosecutors to do exactly this in developing their cases, and an effective defense and rebuttal may well depend on being able to do the same thing. The audit logs should also be exportable to archival devices (such as WORM optical drives) to both demonstrate and assure the authenticity of the logs.

3. What about support for instant messaging? Compliance must be shown for this messaging structure if it is used, as well as for static e-mails. Under SarbOx, management must show positive informational controls no matter what form the information takes.

IM compliance tools can plug a big potential leak in the organizational information flow. Since there are multiple IM formats, a solution should be able to handle whatever IM system is used. Having this sort of tool available avoids the unpopular and unproductive (though perhaps legally necessary) option of turning unmonitored IM completely off throughout the enterprise.

4. What does the solution offer in additional security for the OS it runs on? Windows is notorious for its security lapses, yet the majority of enterprises have adopted an "information security policy" to enforce data security. Through this policy, a set of system-level security parameters for various Windows-based components (such as SQL Server, MSMQ and Exchange) has usually been adopted. A component-level policy improves not only operational security but data integrity as well.

Management must know whether the control solution to be used can adapt to the policies the enterprise has set. One example of this kind of policy is restricted user access: the solution should then provide access control that can be configured to validate users in accordance with those policies. An operational control should not become the weak link in security that serves as an entry point for unauthorized use.

For Windows, one additional technique some vendors use to enhance security is to turn off ports and listeners (to fend off unauthorized access) and to disable unwanted and unnecessary services. Unused legacy networking protocols should also be shut down to eliminate back-door exploits.

5. What measures does the solution take to assure message authenticity? How will you know that the message stored in the audit log is a valid copy of the original? Techniques such as checksums, match verification and individual audits can validate the authenticity of the message prior to storage.

These kinds of positive assurance efforts for message authenticity can be vital (if it ever comes to that) in showing that the chain of trust evidenced by the audit logs is unbroken.
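Items 2 and 5 call for audit logs that demonstrate an unbroken chain of trust and for messages that are checksummed before they are stored. The following Python sketch is an added example, not code from the article or from any vendor's product: each audit record carries the SHA-256 of the captured message and the digest of the previous record, and a verifier re-derives every link and re-checks the archived copy of each message. The messages, addresses and timestamps are constructed sample data.

```python
import hashlib
import json

# Constructed sample messages standing in for captured e-mails (not real data).
SAMPLE_MESSAGES = [
    {"id": "msg-0001", "from": "cfo@example.com", "to": "auditor@example.com", "body": "Q3 revenue memo attached."},
    {"id": "msg-0002", "from": "counsel@example.com", "to": "cfo@example.com", "body": "Preserve all Q3 correspondence."},
]
GENESIS = "0" * 64  # stands in for the "previous record" digest of the first record
CHAINED_FIELDS = ("seq", "captured_at", "message_id", "message_sha256", "prev")

def sha256_json(obj) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append_entry(log: list, message: dict, captured_at: str) -> dict:
    # Checksum the message as captured, then link the record to the previous one.
    entry = {
        "seq": len(log),
        "captured_at": captured_at,
        "message_id": message["id"],
        "message_sha256": sha256_json(message),
        "prev": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = sha256_json({k: entry[k] for k in CHAINED_FIELDS})
    log.append(entry)
    return entry

def verify_chain(log: list, messages_by_id: dict) -> list:
    # Return the seq numbers of records whose link, digest or archived copy fails.
    bad, prev = [], GENESIS
    for i, entry in enumerate(log):
        expected = sha256_json({k: entry[k] for k in CHAINED_FIELDS})
        stored = messages_by_id.get(entry["message_id"])
        ok = (entry["seq"] == i and entry["prev"] == prev and entry["entry_sha256"] == expected
              and stored is not None and sha256_json(stored) == entry["message_sha256"])
        if not ok:
            bad.append(entry["seq"])
        prev = expected  # recomputed, so a rewritten record also breaks the next link
    return bad

def build_sample_log() -> tuple:
    # Ingest the constructed messages; returns (audit log, message archive).
    log, archive = [], {}
    for n, msg in enumerate(SAMPLE_MESSAGES):
        archive[msg["id"]] = dict(msg)
        append_entry(log, msg, f"2004-11-0{n + 1}T09:00:00Z")
    return log, archive
```

Exporting the final record's digest to write-once media (as item 2 suggests) anchors the whole chain: any later edit to a record or an archived message changes a digest that no longer matches the exported value.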

6. The solution should also be able to extend the delete date of specific records if they are necessary for some ongoing process. For example, if certain records were involved in a lawsuit, can those records be "frozen" until they are no longer needed? A small point, but one that is a major operational convenience when it becomes necessary.

7. The review mechanism of the solution should work on copies of the message data, not the actual data itself. This means that tagging or marking e-mails for review will not corrupt or affect the original record. Review activity should generate its own database, one that is separate from the main one.

This will enhance the security and accountability of the review effort. Additionally, referees should not be allowed to view their own mailbox activity, raising the integrity of the compliance officer by avoiding any perceived conflicts of interest.

Summary

SarbOx places new regulatory and archival burdens on companies that they may not be able to meet without substantial changes in the way they do business, especially among small to midsize public companies.

At minimum, the accounting and auditing departments, C-level executives and those negotiating financial agreements will need to have their e-mails (as well as other communications like instant messages) retained and monitored for an internal control system that meets SarbOx guidelines.
