
The Wave of Regulations --E-mail Management Presented by Lillian.

Dec 26, 2015

Transcript
Page 1: The Wave of Regulations --E-mail Management Presented by Lillian.

The Wave of Regulations -- E-mail Management

Presented by Lillian

Page 2

Outline

- Motivation
- Regulations Introduction
- Common Concepts and Their Issues
- IT Applications of Common Issues
- Regulations Compliance
- Conclusion

Page 3

Motivation

The Importance of Regulations Compliance

Page 4

What's the Price?

Behavior: The alteration, destruction, or concealment of any records with the intent of obstructing a federal investigation.
Sentence: Fine and/or up to 10 years imprisonment.

Behavior: Failure to maintain audit or review "workpapers" for at least five years.
Sentence: Fine and/or up to 5 years imprisonment.

Behavior: Anyone who "knowingly executes, or attempts to execute, a scheme" to defraud a purchaser of securities.
Sentence: Fine and/or up to 10 years imprisonment.

Behavior: Any CEO or CFO who "recklessly" violates his or her certification of the company's financial statements.
Sentence: Fine of up to $1,000,000 and/or up to 10 years imprisonment; if the violation is "willful", fine of up to $5,000,000 and/or up to 20 years imprisonment.

Behavior: Two or more persons who conspire to commit any offense against, or to defraud, the U.S. or its agencies.
Sentence: Fine and/or up to 10 years imprisonment.

Behavior: Any person who "corruptly" alters, destroys, conceals, etc., any records or documents with the intent of impairing the integrity of the record or document for use in an official proceeding.
Sentence: Fine and/or up to 20 years imprisonment.

Behavior: Mail and wire fraud.
Sentence: Maximum imprisonment increased from 5 to 20 years.

Behavior: Violating applicable Employee Retirement Income Security Act (ERISA) provisions.
Sentence: Various lengths depending on the violation.

* Source: Sarbanes-Oxley Act of 2002 and New York City Office of the Comptroller.

Page 5

What's the Price? (Cont'd)

Company                       Fine           Violation                                         Date
SG Cowen                      $100,000       E-mails deleted before retention period expired   May 2003
Deutsche Bank Securities      $1.65 million  Violated SEC 17a-4, NYSE 440 and NASD 3110        Dec 2002
Goldman Sachs                 $1.65 million  Violated SEC 17a-4, NYSE 440 and NASD 3110        Dec 2002
Morgan Stanley                $1.65 million  Violated SEC 17a-4, NYSE 440 and NASD 3110        Dec 2002
Salomon Smith Barney          $1.65 million  Violated SEC 17a-4, NYSE 440 and NASD 3110        Dec 2002
U.S. Bancorp Piper Jaffray    $1.65 million  Violated SEC 17a-4, NYSE 440 and NASD 3110        Dec 2002

Source: Connor, Deni. "Confusion reigns over data archiving." Network World, 06/23/03.

Page 6

What's the Price? (Cont'd)

Company                                      Fine                Reason                                                         Date (2004)
Bank of America                              $10 million         Failure to produce e-mail                                      March 1
Citigroup, Merrill Lynch and Morgan Stanley  $750,000 (by NASD)  Failure to comply with discovery obligations in arbitrations   July 19
Philip Morris                                $2.75 million       E-mail destruction                                             July 21
Deutsche Bank                                $7.7 million        Failure to promptly produce e-mails                            August 27

Source: Steve Gray, "Compliance and Content Management Solution", Sun Microsystems Inc., 2004.

Page 7

Why Are These Regulations Important?

World-wide business: to comply with these regulations, companies in the US have to preserve documents for audits and lawsuits, and so do their business partners.

International competitiveness: all public companies in the US must comply with the regulations (e.g. TSMC).

Page 8

Why Is E-mail Important?

- 75% of the demands for discovery are for e-mail.
- 21% of all employers have had employee e-mail subpoenaed by courts and regulators.
- 13% of lawsuits are triggered by employee e-mail.
- 60% or more of business-critical information is stored within messaging systems.

Source: 2004 Workplace E-Mail and IM Survey from American Management Association and The ePolicy Institute; Giga Group; Gartner.

Page 9

Regulations Introduction

Page 10

Regulations Introduction

- Sarbanes-Oxley Act (SOX)
- SEC Rules 17a-3 and 17a-4
- NASD Rules 3010 and 3110
- Health Insurance Portability and Accountability Act (HIPAA)

Page 11

Sarbanes-Oxley Act (SOX)

Origin: signed into law on July 30, 2002, as a direct result of corporate scandals such as Enron and WorldCom.

Goal: ensure accurate reporting of public companies' finances for the benefit of investors, focusing on the integrity of information and process.

Page 12

Sarbanes-Oxley Act (SOX) (Cont'd)

Content:
- Introduced legislative changes to financial and corporate governance.
- Public companies with more than $75,000,000 in market capitalization are subject to SOX.
- Compliance is achieved by establishing reliable "internal controls" for gathering, processing, and reporting financial information.
- According to COSO (Committee of Sponsoring Organizations) (1997), "internal control" is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.
- An e-mail communication policy is an integral part of the controls that safeguard information from unauthorized use, disclosure, modification, damage, or loss.

Page 13

Sarbanes-Oxley Act (SOX) (Cont'd)

Mandate:

Section 302 (the first enacted section): requires CEOs and CFOs to personally certify quarterly and annual financial statements and to take responsibility for ensuring their accuracy.

Section 404 (also called Management Assessment of Internal Controls): companies shall provide an annual report on internal controls, attested to by an external audit firm.

Section 802, Regulation S-X, Rule 2-06: all audit and review-related information must be retained for 7 years. Anyone who knowingly destroys documents or files that may relate to a federal investigation or a bankruptcy filing can be fined up to $5,000,000 and/or imprisoned for up to 20 years.

Page 14

SEC Rules 17a-3 and 17a-4

Origin: amended by the SEC (Securities and Exchange Commission) in 1997 to allow broker-dealers in the securities industry to store records electronically.

Goal: protect investors from fraudulent or misleading claims in the securities industry.

Page 15

SEC Rules 17a-3 and 17a-4 (Cont'd)

Content:

17a-3: the requirement to make the records. Defines which types of records a broker-dealer must create.

17a-4: the requirement to keep the records. Defines the record-keeping requirements (for how long, in what form, and how retrievable) for all the record types defined in 17a-3. Requirements: retention, WORM (non-rewriteable) storage, and ease of retrieval.

Taken as a whole, the rules state that firms must enact policies and implement technologies that provide:
- Written and enforceable retention policies
- Storage of data on indelible, non-rewriteable media
- A searchable index of all stored data
- Readily retrievable and viewable data
- Storage of data offsite

Page 16

SEC Rules 17a-3 and 17a-4 (Cont'd)

Mandate:
- Business records, including memos, e-mails, and other correspondence, must be kept for at least 3 years, the first 2 years in an easily accessible place.
- All information related to customers' account opening and maintenance must be kept for 6 years.

Page 17

NASD Rules 3010 and 3110

Origin: rules set by the NASD (National Association of Securities Dealers Inc.), amended in December 1997, February 1998, and November 1998.

Goal: govern the behavior of securities firms.

Content:

Rule 3010: Supervision. Each firm must "supervise" its representatives' activity, including monitoring incoming and outgoing e-mail, group e-mail, chat room logs, BBS articles, and web page information.

Rule 3110: Retention of Correspondence. Each member shall retain the correspondence of registered representatives relating to its investment banking or securities business. The requirements for record-keeping formats, media, and retention periods follow SEC Rule 17a-4.

Page 18

Health Insurance Portability and Accountability Act (HIPAA)

Origin: sets national standards for the healthcare industry since 1996.

Goal: addresses the security and privacy of electronic medical-related data, with regard to its use, storage, and exchange.

Content: the HIPAA Security Rule (enforced from April 21, 2005) is more detailed than the Privacy Rule. It requires "procedures to guard data integrity, confidentiality and availability", applying to all individual health information in electronic form, including diskette, tape, CD, e-mail, file transfer, web or EDI.

Page 19

Health Insurance Portability and Accountability Act (HIPAA) (Cont'd)

Mandate:

Section 1173(d)(2): states that reasonable and appropriate administrative, physical, and technical safeguards must be maintained to ensure the integrity of this medical-related data.

"Data authentication": ensuring that data is not altered, destroyed or inappropriately processed.

Medical records, including contracts with business associates and documents related to policies and procedures, must be retained at least 6 years, and at least 2 years after the death of a patient.

Penalties for noncompliance are fines of up to $250,000 and imprisonment of up to 10 years.

Page 20

Common Concepts and Issues

Auditing, Retention, and Availability

Page 21

What's In Common

Auditing: SOX, SEC 17a-4, NASD 3010, HIPAA
Retention: SOX, SEC 17a-4, NASD 3110, HIPAA
Availability: SOX, SEC 17a-4

Page 22

Auditing

Monitor electronic messages, such as e-mail.
- 50% of workplace users send or receive risky content, including attachments, jokes, gossip, confidential information, and porn.
- According to NASD 3010(d)(1), a firm must record all e-mails between its representatives and the public, and establish the recording procedures in writing.
- A supervisor can take a sample (or BCC) of all e-mail messages, either incoming or outgoing, for review without interrupting the flow of messages.

Audit trail
- Track preserved data and the manner of preserving it. A timestamp is recorded each time a document is accessed.
- According to SEC 17a-4, companies must supply an audit system that provides a record of the creation and editing of the retention rules used to maintain and preserve the message archive, and that records message events such as write and delete.

Page 23

Issues about E-mail Auditing

- E-mail belongs to the organization, not the individual.
- E-mail should be stored and managed systematically, not on users' desktops.
- Employers can access all information on their network servers because they are considered the system administrator, that is, "Big Brother".
- Personal e-mail accounts are not covered by this principle.

Page 24

Issues about E-mail Auditing (Cont'd)

Legitimacy (source: Philip Gordon, Littler Mendelson)

Although the federal Wiretap Act says it is unlawful to intercept electronic communications like e-mail and IM, the courts have ruled that viewing stored e-mail is not considered a violation of the wiretap laws.

It is considered a violation of the Wiretap Act only if an e-mail is intercepted while it is traveling through the network pipe between two points. That is, if an e-mail is simultaneously copied before it reaches its destination, that e-mail is considered "stored" during the copying process.

Employers need to state the reason for their monitoring policy and ask employees for their agreement.

Page 25

Retention

E-mail messages are defined as records in SEC 17a-4 and SOX.

Retention schedule:
- According to SEC 17a-4(f)(2)(ii)(A), the records shall be preserved exclusively in a non-rewriteable, non-erasable format (indelible preservation), i.e. on a WORM (Write-Once, Read-Many) device.
- Archive e-mail and attachments, and prevent them from being altered or destroyed.

- 65% of companies lack e-mail retention policies.
- 94% of companies fail to retain and archive IM.

Page 26

Retention (Cont'd)

E-mail storage costs (source: Imerge Consulting, ZANTAZ):
- 60% or more of business-critical information is stored within messaging systems.
- Up to 200 GB of e-mail per month for a 1,000-user company.
- Each terabyte of e-mail (less than 6 months of e-mail) costs $100,000 a year to manage (including the time and cost to back up e-mail to tape).

The retention cost is HIGH! Use single-instance storage (SIS) to reduce e-mail volume.

Page 27

Issues about E-mail Retention

E-mail is considered a record; however, it is neither serial nor structured data. An e-mail is composed of headers, message body, and attachments.

What should be stored?
- All messages sent or received
- Attachments, either attached to the message or stored separately and linked
- Metadata: date and time sent; sender and addressee(s); subject and content of the message

Appropriate systems for retaining e-mail:
- An electronic records system is preferred.
- An e-mail archival system is acceptable.
- A document management system is acceptable.
- Hard copy is often not good enough.

Page 28

Issues about E-mail Retention (Cont'd)

Is it really necessary to preserve all data? Is an individual e-mail a record or a non-record?

According to SEC 17a-4, the content of the electronic communication is determinative, and therefore broker-dealers must retain only those e-mail and Internet communications (including inter-office communications) which relate to the broker-dealer's business.

So, to tell the difference between e-mail records and personal e-mails, whether an e-mail or any information in that document relates to an official transaction or decision by the company can be the criterion.

As mentioned under e-mail auditing, employers cannot access information from employees' personal e-mail accounts. What about business information in a private e-mail account?

Page 29

Issues about E-mail Retention (Cont'd)

What metadata must be captured?
- Basic metadata: date and time sent; sender and addressee(s); subject and content of the message
- Priority
- Keyword classification upon capture

Whether to store attachments with the e-mail record or not?
- Store the attachments separately but linked.
- Maintain the entire record as one object.
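
The capture step that Pages 26, 27 and 29 describe, as an added example written for this page (not the presenter's code): parse an RFC 5322 message into a record carrying the basic metadata (date and time sent, sender, addressees, subject, content) and a checksum of the original bytes, and keep attachments separately in a content-addressed store so the same attachment mailed to many people is stored once and linked from each record, which is what single-instance storage buys you. The EmailRecord layout, the AttachmentStore and the two sample messages are this example's assumptions.

```python
"""Capture an e-mail as a retention record with linked, deduplicated attachments.

Added example for this page, not the presenter's code. EmailRecord,
AttachmentStore and the constructed sample messages are assumptions.
"""
import email
import email.policy
import hashlib
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import parsedate_to_datetime


@dataclass
class EmailRecord:
    message_id: str
    sent_at: str                 # ISO 8601, taken from the Date header
    sender: str                  # bare address from From
    recipients: list[str]        # bare addresses from To and Cc
    subject: str
    body: str                    # text/plain body (html if there is no plain part)
    raw_sha256: str              # checksum of the original RFC 5322 bytes
    attachments: list[dict] = field(default_factory=list)  # filename, sha256, size


class AttachmentStore:
    """Content-addressed blob store: the sha256 of the bytes is the key, so a
    report mailed to ten people occupies storage once and is linked ten times."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}
        self.duplicates_avoided = 0

    def put(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.blobs:
            self.duplicates_avoided += 1
        else:
            self.blobs[digest] = data
        return digest


def capture(raw: bytes, store: AttachmentStore) -> EmailRecord:
    """Parse one RFC 5322 message and split it into a record plus linked attachments."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    addr_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rec = EmailRecord(
        message_id=str(msg.get("Message-ID", "")).strip(),
        sent_at=parsedate_to_datetime(str(msg["Date"])).isoformat(),
        sender=msg["From"].addresses[0].addr_spec,
        recipients=[a.addr_spec for h in addr_headers for a in h.addresses],
        subject=str(msg.get("Subject", "")),
        body=body_part.get_content() if body_part is not None else "",
        raw_sha256=hashlib.sha256(raw).hexdigest(),
    )
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):          # text/* attachments decode to str
            data = data.encode(part.get_content_charset() or "utf-8")
        rec.attachments.append({
            "filename": part.get_filename() or "unnamed",
            "sha256": store.put(data),     # a link, not a second copy
            "size": len(data),
        })
    return rec


def build_sample_messages() -> list[bytes]:
    """Two constructed messages that carry the same attachment bytes."""
    report = b"quarter,revenue\nQ3,12345678\n" * 8
    out = []
    for i, to in enumerate(["cfo@example.com", "auditor@example.com"], start=1):
        m = EmailMessage()
        m["From"] = "Alice Rep <alice@example.com>"
        m["To"] = to
        m["Cc"] = "compliance@example.com"
        m["Subject"] = f"Q3 figures ({i})"
        m["Date"] = f"Mon, 01 Nov 2004 09:0{i}:00 -0500"
        m["Message-ID"] = f"<msg{i}@example.com>"
        m.set_content("Please review the attached figures before we file.")
        m.add_attachment(report, maintype="application", subtype="octet-stream",
                         filename="q3.csv")
        out.append(m.as_bytes())
    return out


def archive(messages: list[bytes]) -> tuple[list[EmailRecord], AttachmentStore]:
    """Capture every message into one shared attachment store."""
    store = AttachmentStore()
    return [capture(raw, store) for raw in messages], store


if __name__ == "__main__":
    records, store = archive(build_sample_messages())
    for r in records:
        print(r.message_id, r.sent_at, r.sender, r.recipients, r.attachments)
    print("blobs stored:", len(store.blobs), "duplicates avoided:", store.duplicates_avoided)
```

The raw_sha256 of the original bytes is what you would write to the WORM medium alongside the record; the attachment digests double as the link from record to blob and as the integrity check when the blob is later retrieved.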

Page 30

Availability

As SEC 17a-4(f)(3)(ii) states, the company shall be ready at all times to provide, and immediately provide, any facsimile enlargement requested by the empowered personnel specified in SEC 17a-4 (data accessibility).

E-mail retrieval costs:
- It takes more than 11 hours to recover an e-mail more than 1 year old from an archive.
- Typically the entire tape has to be restored to a spare server to find the desired message(s).
- 29% of organizations would not be able to restore an e-mail message over 6 months old.

Page 31

Issues about E-mail Availability

Find the needed message in no time:
- Reduce message volume: single-instance storage; anti-spam solutions and keyword filtering.
- Indexing: index both the original data and the duplicate copy; the discovery/search engine uses the index.
- The requirement to view, print and reproduce messages: archiving tools retrieve the message from storage and transform it into a readable format.

Page 32

IT Applications of Common Issues

Auditing, Retention, and Availability

Page 33

IT Applications

Auditing

Guardian tools:
- Filter out spam, porn, and inappropriate messages.
- Control each outgoing mail to prevent confidential information from being disclosed.
- Filter message content and compare it with keywords.
- Capability to recognize file types and decompress zip/rar files to examine e-mail attachments.
- Statistical/analysis reports for auditors and managers.

Audit trail:
- An archiving system which generates a full log and audit trail of the admin-defined events that take place within the system and require tracking.
- Record WHO accesses WHAT record by taking WHAT action at WHEN.

Page 34

IT Applications (Cont'd)

Retention and availability

WORM device:
- WORM storage guarantees that data cannot be changed in any way once it is on the medium. In other words, its owner can ensure its inalterability and non-erasability.
- LTO-3 (Linear Tape-Open Ultrium 3) and SDLT (Super Digital Linear Tape) technologies: hold up to 400 GB, and 800 GB at 2:1 compression; back-up speed of at least 30 MB/s.

Electronic records system / e-mail archival system:
- A robust, effective archiving system to meet the needs of e-mail management and retention, that is, to preserve the records in a non-rewriteable, non-erasable format.
- Supports archiving, retention and retrieval management.
- Meets the requirement of the "legal discovery" process that all case-related e-mail messages must be made available within a specific timeframe.

Page 35

Regulations Compliance

SOX and SEC 17a-4 Compliance; Archiving Software Features

Page 36: The Wave of Regulations --E-mail Management Presented by Lillian.

SOX Compliance
SOX Section / Implementations

Section 103 (a): Require public accounting firms to maintain audit work papers for at least 7 years.

Implementation: A trusted audit repository to securely manage records (including audit work papers and electronic records related to any audit report) for 7 years as mandated via retention policies. Afterwards, records can be automatically purged from the system.

Section 104 (d): Require the Board to evaluate the sufficiency of public accounting firm quality control systems, document management and record retention processes.

Implementation: Accurate, trusted documentation of the procedures used for audit and review engagements of public corporations. Board evaluations should result in fast records retrieval with records traceability.

Section 105 (b): Require documents prepared for the Board in connection with investigations to be kept confidential, and maintained with high integrity (e.g. as evidentiary matter).

Implementation: Ensure that all documents prepared for the Board and its employees and agents are managed in a secure repository that provides access control, audit trail, check-in/check-out, versioning and electronic signatures to ensure that documents are maintained with the highest integrity possible. Also perform hash check-sums on all documents to provide traceability and positive proof that records have not been tampered with.

Source: Scientific Software, “A Closer Look at the Requirements”

Page 37: The Wave of Regulations --E-mail Management Presented by Lillian.

SOX Compliance (Cont’d)
SOX Section / Implementations

Section 204 (k): Require public accounting firms to provide timely reports to audit committees including accounting policies and practices, and written communications between the firm and issuer’s management.

Implementation: A secure archive of all audit reports to the audit committee, including e-mails, and all written communications. E-mails and attachments can be easily archived in the repository system, fully indexed, and made searchable from users’ desktops.

Section 306 (b): Require stock option plan administrators to send 30-day advance notices of blackout periods to participants and beneficiaries.

Implementation: Manage e-mail notifications for these blackout periods to account plan participants and beneficiaries, and apply records retention policies and audit trails to them. These e-mails are corporate records and need to be managed as such.

Section 403 (a): Require electronic filings of financial statements to the SEC.

Implementation: Manage, archive and apply records retention policies to electronic filings for officers, directors, and principal stockholders in a secure repository, and make these electronic filings available on a corporate website.

Source: Scientific Software, “A Closer Look at the Requirements”

Page 38: The Wave of Regulations --E-mail Management Presented by Lillian.

SOX Compliance (Cont’d)
SOX Section / Implementations

Section 802 (a): Prohibits the conscious destruction, alteration, or falsification of records involved in Federal investigations and bankruptcy.

Implementation: Establish a secure repository, complete with support for recovery and disaster preparedness, to securely manage ALL electronic corporate records. This secure repository ensures that records are secure, authentic, reliable, and that all changes made to them are fully audited and traceable. The system must also ensure that these records are not destroyed, mutilated, or falsified. Via integration with archival devices (i.e. hierarchical storage devices) such as SAN, NAS, EMC Centera, and IBM Tivoli, records can be backed up as required, and entire systems can be made available as “hot backups” in the event of a disaster (such as fire, flood, earthquake, etc.).

Section 906 (a): Require CEO and CFO to certify that financial reports fairly represent the financial condition of the company or face imprisonment (up to 10 years) or fines ($1 million).

Implementation: Ensure that corporate officers certify periodic financial reports with fully traceable, automated workflows and by ensuring that the reports and associated certifying statements are managed in a secure manner with access control, electronic signatures, versioning and audit trails. Any e-mails or associated electronic or paper records can also be managed and included as part of the automated signoff/certification workflows.

Source: Scientific Software, “A Closer Look at the Requirements”

Page 39: The Wave of Regulations --E-mail Management Presented by Lillian.

SOX Compliance (Cont’d)
SOX Section / Implementations

Section 1102: Prohibit tampering with (e.g. altering, destroying, concealing, mutilating) records or impeding official proceedings.

Implementation: Ensure that corporate financial records and documents are managed in a secure repository, preventing any corruption, destruction, mutilation or intent to compromise their integrity. Also, a “litigation hold” retention policy should automatically be applied to any electronic records involved in said court proceedings, effectively freezing all electronic records until the court proceedings are completed.

Source: Scientific Software, “A Closer Look at the Requirements”

Page 40: The Wave of Regulations --E-mail Management Presented by Lillian.

SEC 17a-4 Compliance
Concept / SEC Sections / Implementations

Indelible Preservation (240.17a-4(f)(2)(II)(A)): Preserve the records exclusively in a non-rewriteable, non-erasable format.

Implementation: Archive e-mail and attachments to a WORM device (MO Jukebox, CD-R, DVD-R Library), or other SEC approved storage device type.

Automated Integrity (240.17a-4(f)(2)(III)(B)): Verify automatically the quality and accuracy of the storage media recording process.

Implementation: Perform hash and/or checksums on the data as it is written to media and compare this against the data being brought in from the mail server.

Serial Preservation (240.17a-4(f)(2)(III)(C)): Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention.

Implementation: Serialize all storage units and media, sequentially ordering all messages. Timestamps on each media unit provide date and time to ensure proper ordering and storage.

Index Preservation (240.17a-4(f)(2)(III)(D)): Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organization of which the member, broker, or dealer is a member.

Implementation: Maintain an index on all media automatically to ensure ready availability of the data index.

Source: ZipLip-SEC Rules Matrix

Page 41: The Wave of Regulations --E-mail Management Presented by Lillian.

SEC 17a-4 Compliance (Cont’d)
Concept / SEC Sections / Implementations

Data Accessibility (240.17a-4(f)(3)(I)): At all times have available, for examination by the staffs of the Commission and self-regulatory organizations of which it is a member, facilities for immediate, easily readable projection or production of micrographic media or electronic storage media images and for producing easily readable images.

Implementation: Ensure that archived messages are readily accessible via any standard mail client or web browser for viewing, printing, or reproduction. Mails and files can be searched for through search/discovery engines. Admins and Auditors can access the corporate side mail archive.

Data Accessibility (240.17a-4(f)(3)(II)): Be ready at all times to provide, and immediately provide, any facsimile enlargement which the staffs of the Commission, any self-regulatory organization of which it is a member, or any State securities regulator having jurisdiction over the member, broker or dealer may request.

Implementation: Ensure access to any e-mail immediately. Securities regulators can readily access any message corporate wide using a variety of criteria or search parameters. Also enable auditors to tag, track, and annotate messages for review across multiple officers.

Redundant Preservation (240.17a-4(f)(3)(III)): Store separately from the original, a duplicate copy of the record stored on any medium acceptable under Rule 17a-4 for the time required.

Implementation: Duplication of media units for duplication and offsite storage requirements.

Source: ZipLip-SEC Rules Matrix

Page 42: The Wave of Regulations --E-mail Management Presented by Lillian.

SEC 17a-4 Compliance (Cont’d)
Concept / SEC Sections / Implementations

Comprehensive Indexing (240.17a-4(f)(3)(IV)): Organize and index accurately all information maintained on both original and any duplicate storage media.

Implementation: Generate indices on original storage media and use these same data to generate duplicate media. All indices and message data are faithfully duplicated on redundant media.

Index Accessibility (240.17a-4(f)(3)(IV)(A)): At all times, a member, broker, or dealer must be able to have such indexes available for examination by the staffs of the Commission and the self-regulatory organizations of which the broker or dealer is a member.

Implementation: Provide ready access to message indices for compliance officers and auditors, enabling fast, efficient searches for mail data within the organization.

Index Redundancy (240.17a-4(f)(3)(IV)(B)): Each index must be duplicated and the duplicate copies must be stored separately from the original copy of the index.

Implementation: Provide the tools necessary for entities to generate duplicate indices and mail data for storage away from the original index and data.

Index Preservation (240.17a-4(f)(3)(IV)(C)): Original and duplicate indexes must be preserved for the time required for the indexed records.

Implementation: Apply retention times and dates to original and duplicated indices and message data.

Source: ZipLip-SEC Rules Matrix

Page 43: The Wave of Regulations --E-mail Management Presented by Lillian.

SEC 17a-4 Compliance (Cont’d)
Concept / SEC Sections / Implementations

Audit Record (240.17a-4(f)(3)(V)): The member, broker, or dealer must have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved pursuant to Rules 17a-3 and 17a-4 to electronic storage media and inputting of any changes made to every original and duplicated record maintained and preserved thereby.

Implementation: Track and account for all preserved data and the manner by which mail data is stored within electronic media. Also generate a full log and audit trail of admin-defined events that take place within the system and require tracking.

Audit Record Accessibility (240.17a-4(f)(3)(V)(A)): At all times, a member, broker, or dealer must be able to have the results of such audit system available for examination by the staffs of the Commission and the self-regulatory organizations of which the broker or dealer is a member.

Implementation: Reporting tools enabling administrators to present log and audit information for examiners and auditors.

Audit Record Preservation (240.17a-4(f)(3)(V)(B)): The audit results must be preserved for the time required for the audited records.

Implementation: Store and retain audit results within the main audit store for the length of the audit record.

Ready Accessibility (240.17a-4(f)(3)(VI)): The member, broker, or dealer must maintain, keep current, and provide promptly upon request by the staffs of the Commission or the self-regulatory organization of which the member, broker-dealer is a member all information necessary to access records and indexes stored on the electronic storage media.

Implementation: Multiple, simplified views into the mail archive, which enable authorized personnel to access, search, and identify compliance data from any web browser.

Source: ZipLip-SEC Rules Matrix
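As an added example (not code from the slides, ZipLip or Scientific Software), the Python below models the Automated Integrity, Serial Preservation and Audit Record rows of the SEC 17a-4 tables together with the SOX Section 1102 litigation hold: each message receives the next serial number and a timestamp, is hashed as it arrives from the mail server, is read back and compared after the write, every action is appended to an audit trail, and records past their retention date are purged only when no hold applies. The in-memory WormStore stands in for WORM media, and FixedClock, the serial scheme and the hold names are constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

class IntegrityError(Exception):
    """Raised when the hash read back from media differs from the hash taken at ingest."""

class WormStore:
    """In-memory stand-in for WORM media: each serial is written once and never rewritten."""
    def __init__(self):
        self._blocks = {}  # serial -> bytes
    def write(self, serial, data):
        if serial in self._blocks:
            raise PermissionError(f"serial {serial} already written; WORM media is non-rewriteable")
        self._blocks[serial] = bytes(data)
    def read(self, serial):
        return self._blocks[serial]

class FixedClock:
    """Settable clock (constructed for the example) so multi-year retention can be exercised."""
    def __init__(self, start=None):
        self.now = start or datetime(2005, 1, 1, tzinfo=timezone.utc)
    def __call__(self):
        return self.now
    def advance(self, days):
        self.now += timedelta(days=days)

class ComplianceArchive:
    """Serial numbering, write-verify hashing, audit trail, retention and litigation hold."""
    def __init__(self, store, retention_days, clock=None):
        self.store = store
        self.retention = timedelta(days=retention_days)
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.index = {}      # serial -> {"sha256", "ingested", "expires", "holds"}
        self.audit_log = []  # every action in order, each with a timestamp
        self._next_serial = 1

    def _audit(self, action, serial, **detail):
        self.audit_log.append({"ts": self.clock().isoformat(), "action": action,
                               "serial": serial, **detail})

    def ingest(self, raw_message):
        """Assign the next serial and a timestamp, hash the bytes received from the mail
        server, write them, then read back and compare (the automated integrity check)."""
        serial = self._next_serial
        expected = hashlib.sha256(raw_message).hexdigest()
        self.store.write(serial, raw_message)
        actual = hashlib.sha256(self.store.read(serial)).hexdigest()
        if actual != expected:
            self._audit("write_verify_failed", serial, expected=expected, actual=actual)
            raise IntegrityError(f"serial {serial}: media holds {actual}, expected {expected}")
        now = self.clock()
        self.index[serial] = {"sha256": expected, "ingested": now,
                              "expires": now + self.retention, "holds": set()}
        self._next_serial += 1
        self._audit("ingest", serial, sha256=expected)
        return serial

    def verify(self, serial):
        """Re-hash the stored record against the hash recorded at ingest; log the outcome."""
        ok = hashlib.sha256(self.store.read(serial)).hexdigest() == self.index[serial]["sha256"]
        self._audit("verify", serial, result="ok" if ok else "MISMATCH")
        return ok

    def place_hold(self, serial, matter):
        """Litigation hold: freezes the record regardless of its retention date."""
        self.index[serial]["holds"].add(matter)
        self._audit("hold_placed", serial, matter=matter)

    def release_hold(self, serial, matter):
        self.index[serial]["holds"].discard(matter)
        self._audit("hold_released", serial, matter=matter)

    def purge_expired(self):
        """Retire records whose retention lapsed, skipping any under hold; return purged serials."""
        now = self.clock()
        purged = []
        for serial, entry in list(self.index.items()):
            if entry["expires"] > now:
                continue
            if entry["holds"]:
                self._audit("purge_skipped_hold", serial, holds=sorted(entry["holds"]))
                continue
            del self.index[serial]
            self._audit("purge", serial)
            purged.append(serial)
        return purged
```

A verify() that returns False (for example after media degradation) is itself logged, so the audit trail records both the mismatch and who asked for the check.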

Page 44: The Wave of Regulations --E-mail Management Presented by Lillian.

E-mail Archiving Software

Source: Penny Lunt, “Are You Too Casual About E-mail?”, 2004

Page 45: The Wave of Regulations --E-mail Management Presented by Lillian.

E-mail Archiving Software (Cont’d)

What to look for in e-mail retention software:
Records management or integration
Automated destruction schedules
Flexible rules engine
Efficient retrieval
Outgoing messages monitoring
Storage capability for handling large volumes
Comprehensiveness, that is, the capability to capture and archive all kinds of messages
Internet access
Audit trail
Search features
Management, or tools for sampling and managing the compliance process

Source: Penny Lunt, “Are You Too Casual About E-mail?”, 2004

Page 46: The Wave of Regulations --E-mail Management Presented by Lillian.

Conclusion

Page 47: The Wave of Regulations --E-mail Management Presented by Lillian.

Conclusion: Auditing

Guardian tools: Only 60% of U.S. companies now use software to monitor incoming and outgoing external e-mail, and only 27% track internal e-mail between employees, according to the ePolicy-AMA survey in 2004.

Audit trail: Done by recording information on access to all preserved data.

Retention & availability: Done by a record archiving system with security assurance and regulations compliance functions.

Page 48: The Wave of Regulations --E-mail Management Presented by Lillian.

Conclusion (Cont’d)

Current IT is capable of complying with enacted regulations.

The question is how to choose appropriate tools. Setting up a good e-mail auditing and management policy is key to success. Employee education is also important.

46% of companies offer employees NO e-mail policy training.

Retention of voice, video and other unstructured data may be required in the future.

Page 49: The Wave of Regulations --E-mail Management Presented by Lillian.

Reference
“ZipLip: SEC Rules Overview”
“ZipLip-SEC Rules Matrix”
“ZipLip-NASD 3010 Rules”
“Email Management in the Workplace-a Simple Guide For Employers”, Waterford Technologies. November 2003.
“A Guide to the Sarbanes-Oxley Act and Email Security”, Voltage Security, Inc. and CipherTrust. November 2004.
Jesse Wilkins, “Email: the Case for Active Management”, Imerge Consulting. September 2004.
Steve Gray, “Compliance and Content Management Solution”, Sun Microsystems Inc. 2004.
“Data Integrity and Data Retention Regulations”, Advanced Intelligent Tape.
“Email Archiving, Retrieval and Analysis for the Risk Manager”, aftermail. 2004.
Penny Lunt, “Are You Too Casual About E-mail?”, Feb. 2004.
“Digital Archiving Strategies for Regulatory Compliance in Financial Service”, Archivas, Inc.
“Email Archiving – Analyzing the Return on Investment”, ZANTAZ®.
Jon Busby, “Sarbanes-Oxley: Compliance with Corporate Governance and Industry Legislation with Protocom SecureLogin®”, Protocom Development Systems. 2005.

Page 50: The Wave of Regulations --E-mail Management Presented by Lillian.

Reference (Cont’d)
“Sarbanes-Oxley Solutions”, IBM Global Services. http://www.ibm.com/services/sox (EN); http://www-8.ibm.com/services/bcs/tw/sox.html (CH)
Dawn Kawamoto, “Mind those IMs--your cubicle's walls have eyes”, CNET News.com. October 2004. http://news.zdnet.com/2100-1040_22-5423220.html
Dawn Kawamoto (author), 唐慧文 (translator), “The office has eyes: every instant message is exposed”. 2004/11/03. http://taiwan.cnet.com/enterprise/technology/0,2000062852,20093794,00.htm
Data Protection Services, LLC. http://www.dataprotection.com/regulatory-compliance/
“Non-Compliant Impact”, Security Forensics, Inc. 2004. http://www.securityforensics.com/knowledgebase.htm
潘景華, “A Study of the Audit System of the U.S. Securities Market (Part 1)”. http://w3.tse.com.tw/plan/essay/474/Pan.htm
張智鴻, “184 - Special Report - LTO-3”, iThome 採購情報 (iThome Buying Guide). 2005-04-04. http://shoppingguide.ithome.com.tw/special/special2005-04-04-001.html
Ron Anderson, “Message Archiving is a Must”, Compliance Pipeline. 2005. http://www.compliancepipeline.com/showArticle.jhtml?articleId=162800283&pgno=5
“A Closer Look at the Requirements”, Scientific Software. http://www.scisw.com/solutions_new/sox/index2.htm
ZIPLip, Inc. http://www.ziplip.com/solutions/compliance.html
Tony Redmond, “Does Single-Instance Storage matter Anymore?”, Windows IT Pro. September 2001. http://www.windowsitpro.com/Article/ArticleID/21564/21564.html?Ad=1, http://www.windowsitpro.com/Windows/Articles/ArticleID/21564/pg/2/2.html

Page 51: The Wave of Regulations --E-mail Management Presented by Lillian.

Thanks for listening

Page 52: The Wave of Regulations --E-mail Management Presented by Lillian.

Retention Schedule: Financial/Securities

Page 53: The Wave of Regulations --E-mail Management Presented by Lillian.

Retention Schedule: Corporate

Page 54: The Wave of Regulations --E-mail Management Presented by Lillian.

Retention Schedule: Utilities, Manuf., Healthcare