E-Mail Retention & Sarbanes-Oxley White Paper
edgeblog.net — SOX section 802 has created a small nightmare for IT managers. SOX 802 imposes criminal liabilities on the improper destruction of business documents, including e-mail. This paper is a vendor-neutral guide for IT managers to design an e-mail archiving system that enforces SOX 802 compliance obligations.
bdognet, on 10/12/2007:

Executive Summary:
By far, the most important issues facing Information Technology (IT) managers this year are compliance and business continuity/disaster recovery. Public companies are subject to a variety of compliance and regulatory issues, such as Sarbanes-Oxley (SOX). IT must develop processes and solutions to support their company's overall compliance strategy. E-Mail retention is a specific subset of the total compliance obligations a typical public company faces, but the risks involved with non-compliance are not well understood by most. Historically, businesses have considered document retention to be a liability. The general rule of thumb was to keep documents the least amount of time possible.
Current compliance obligations are requiring companies to re-think this approach. SOX section 802 imposes criminal liabilities on the improper destruction of business documents. This change in attitude presents a unique problem for IT with regard to e-mail. Other documents, such as paper documents and documents on file shares, can be controlled by policy. File shares can be backed up and archived. Delete rights for individual files can be controlled. E-mail is different. Users typically have complete autonomy over message retention. Some messages are deleted immediately, thus they bypass scheduled backups. Other messages are kept too long, going beyond the business need and the compliance requirement for retention. IT must design e-mail systems that enforce company archive and retention policies regardless of user actions.
This paper contains a generic design of a compliance-focused e-mail system, supported by analysis of the users of the system and their compliance-related requirements. The conclusion of this paper includes a 30-point checklist that can be used to measure existing mail systems and evaluate new products. Compliance is a process, not an event. While this paper is a useful guide, it is a snapshot in time. IT managers must stay abreast of changing regulatory requirements, update the compliance checklist, and re-evaluate their systems on at least an annual basis.