Monday, May 09, 2005

aol com mail

The new challenge for the enterprise is to determine where and how to implement these new solutions to ensure compliance with new regulations. Understanding how each regulation affects e-mail security and delivery is important to understanding the pressures all IT managers will be under in the months and years to come.

E-mail Security Issues for Sarbanes-Oxley

The Sarbanes-Oxley Act was enacted in 2002, and its internal-control requirements began to apply to public companies in 2004. It requires CEOs and CFOs to certify the accuracy and integrity of financial statements and the effectiveness of internal controls and procedures for financial reporting and disclosure, with independent auditors attesting to management's assessment and audit committees overseeing the process.

The sections of Sarbanes-Oxley most relevant to e-mail security are 404 and 802. Section 404 deals with internal controls over financial reporting; in practice this means demonstrable controls over how financial information leaves the company, including by e-mail to individuals or organizations outside the company's network. Section 802 addresses records management: it penalizes the alteration or destruction of records and governs how long and in what manner documents, including e-mail, must be retained.

Sarbanes-Oxley does not prescribe specific technical steps. Rather, it requires companies to implement programs that ensure the controlled flow of information, and then to be able to document both the successes and the deficiencies of those programs. Established control frameworks are commonly used as a basis for implementation.

Companies affected by Sarbanes-Oxley, and their business partners, are required to ensure that sensitive information remains secure. As with HIPAA, "insider information" should not be accessible outside the perimeter of the company's network. Encryption policies should be enforced whether or not a busy executive remembers to encrypt a message. Rogue employees should not be able to transmit sensitive financial information outside the network.

Detailed reports should be available to auditors showing how the system has protected the network and archived the relevant communications. All of this can be handled efficiently with an e-mail governance policy and a central enforcement mechanism. Without such a mechanism, these requirements become a tangle of ad hoc transactions and increased risk.

Unlike HIPAA, however, Sarbanes-Oxley often creates a need to prevent end-user encryption, because a message encrypted on the desktop cannot be filtered for inappropriate content or trade secrets as it passes through the e-mail servers toward the Internet. Messages should reach the server in clear text, be inspected there, and only once the content has been cleared for release be encrypted according to the organization's policies. This only holds if the path from client to server is protected in transit and the server itself is tightly controlled; otherwise the clear-text hop becomes the weakest link.

The need to enforce centralized content policies, and to provide detailed reports to audit committees, requires server-level control and administration. The servers should be flexible in the encryption technologies they support, to maximize the utility of e-mail, while the network itself is defended against external attack.

E-mail Security Issues for HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996; its Security Rule took effect on April 21, 2003. The act is designed to protect the
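As an added example, not code from the original post or from any product it describes, here is the outbound-gateway ordering that the Sarbanes-Oxley section above calls for: mail reaches the server in clear text, mail the sender already encrypted (S/MIME, PGP/MIME or inline PGP) is held because it cannot be inspected, clear-text content is checked against release rules, only cleared external mail is handed to the policy encryption step, and every decision produces an audit record. It is Python using only the standard library. The internal domain, the rule patterns and the four sample messages are constructed for the example, and the encryption step is represented by the ENCRYPT_AND_DELIVER action rather than by a cipher, since the point being shown is that inspection precedes encryption.

```python
"""Outbound gateway policy: inspect in clear text first, encrypt by policy second, log every decision."""
import hashlib
import json
import re
from collections import Counter
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses

# Assumption: the organization's own mail domains; any other domain is outside the perimeter.
INTERNAL_DOMAINS = {"example.com"}

# Constructed stand-ins for a real DLP rule set (assumption, not a production signature list).
SENSITIVE_PATTERNS = {
    "unreleased-financials": re.compile(r"\b(?:Q[1-4]\s+(?:earnings|revenue)|not yet public)\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "classification-tag": re.compile(r"\[CONFIDENTIAL\]", re.I),
}
PGP_ARMOR = re.compile(r"^-----BEGIN PGP MESSAGE-----", re.M)
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted",
                   "application/pkcs7-mime", "application/x-pkcs7-mime"}


def _inspectable_text(msg):
    """Yield the Subject header and the decoded body of every text/* part."""
    yield msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def is_client_encrypted(msg):
    """True when the sender encrypted end to end, so the gateway cannot inspect the content."""
    if any(part.get_content_type() in ENCRYPTED_TYPES for part in msg.walk()):
        return True
    return any(PGP_ARMOR.search(text) for text in _inspectable_text(msg))


def find_sensitive(msg):
    """Names of the release rules that match anywhere in the inspectable text."""
    return sorted({name for text in _inspectable_text(msg)
                   for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)})


def external_recipients(msg):
    """Recipients whose domain is not one of ours."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted(a.lower() for _, a in addrs
                  if a and a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)


def process_outbound(raw, now=None):
    """Apply the policy to one RFC 822 message (as a string) and return its audit record."""
    msg = message_from_string(raw)
    external = external_recipients(msg)
    rules = []
    if not external:
        action = "DELIVER_INTERNAL"        # stays inside the perimeter; release control does not apply
    elif is_client_encrypted(msg):
        action = "BLOCK_UNINSPECTABLE"     # cannot be filtered, so it is not released
    else:
        rules = find_sensitive(msg)
        action = "BLOCK_SENSITIVE" if rules else "ENCRYPT_AND_DELIVER"   # encryption only after clearance
    return {
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "message_id": msg.get("Message-ID"),
        "from": msg.get("From"),
        "external_recipients": external,
        "action": action,
        "rules": rules,
        "sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),  # ties the record to the archived copy
    }


def audit_summary(records):
    """Count of messages per action: the raw material of an auditor's report."""
    return dict(Counter(r["action"] for r in records))


# Constructed sample messages (not real traffic).
SAMPLES = {
    "internal": "From: cfo@example.com\nTo: controller@example.com\nMessage-ID: <1@example.com>\n"
                "Subject: Q3 earnings draft\n\nDraft attached, not yet public.\n",
    "benign": "From: sales@example.com\nTo: buyer@partner.test\nMessage-ID: <2@example.com>\n"
              "Subject: Meeting\n\nSee you Tuesday at 10.\n",
    "leak": "From: analyst@example.com\nTo: friend@webmail.test\nMessage-ID: <3@example.com>\n"
            "Subject: fyi\n\nQ3 revenue is up 40%, not yet public.\n",
    "pgp": "From: exec@example.com\nTo: counsel@lawfirm.test\nMessage-ID: <4@example.com>\n"
           "Subject: re: filing\n\n-----BEGIN PGP MESSAGE-----\nhQEMA3ZqKlAbCdEf\n-----END PGP MESSAGE-----\n",
}

if __name__ == "__main__":
    records = [process_outbound(raw) for raw in SAMPLES.values()]
    for record in records:
        print(json.dumps(record))
    print(audit_summary(records))
```

Run as a script, it prints one JSON audit record per sample and the per-action totals. The internal draft passes untouched even though it contains unreleased figures, because release control applies only at the perimeter; the PGP-armored message is held before any content rule is consulted, which is the order the text argues for; and the SHA-256 of the raw message lets an auditor match each record to the archived copy that Section 802 retention requires.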
