Discuss the Regulatory Compliance for Government Agencies.
Email is now critical to the company, so it is of the utmost importance that the company and its stakeholders understand how email can expose them and make them vulnerable, and find solutions. If the company fails to take concrete action, it faces the risks of lost production, lost data and other serious damage. This research study examines the threats and impacts caused by email communication, and how to mitigate those threats by adopting the best strategies, processes, capabilities and technologies in the industry. Email has become essential to business, but organizations cannot be left exposed. Email is the backbone and the main correspondence link for success, yet companies are ignorant of the severe damage and threats that arise from its daily use, and so have not taken firm steps to mitigate them. Organizations can no longer wait and watch while others hold the reins of their business. They must address the issues seriously.
Email poses threats on both the inbound and the outbound side, so the need of the hour is a strategy that addresses both. Companies that address email threats and take concrete action can see the fruits in enhanced productivity, reduced costs and increased revenues.
Unwanted emails and email threats are ever increasing in the present environment. In such times, inefficient email management can turn the software into zombies. Tools such as email archiving, email encryption, email filtering and email threat analysis must be used to prevent the company from losing data.
It is recommended that the company establish email security strategies that protect against inbound and outbound vulnerabilities on a daily basis. The company should monitor, assess and address email vulnerabilities. An effective email archiving system will eliminate the risks of litigation, because the company is required to produce email documents in civil suits. Implementing email archiving allows quick retrieval of the data stored in the system, meeting legal needs. Without effective email archiving in place, it is impossible to produce the requested emails as government regulations require, since these call for e-documents to be easily accessed and produced quickly. Under government law the company needs to retain essential documents for a minimum of 5 years, so email archiving has become essential.
Government Regulations and Best Established Practices
- Securities Exchange Act: The act dictates that records must be kept for any securities exchanges. The records, which certainly cover emails, have to be kept for a minimum of 6 years, and the Securities and Exchange Commission has the right to impose fines if the records cannot be produced on time.
- The Commodity Futures Trading Commission: This is an independent agency that ensures that all futures commission merchants keep complete records of their transactions. Companies are required to keep the records for at least 5 years and must be able to produce them on request within the time frame.
- Sarbanes Oxley Act: This law was adopted by the Australian government in 2004. The act is designed to protect investors, shareholders and the public from accounting errors and fraudulent practices in the company (Bradbury, 2015). Under the act, accountants should keep all audit data and review papers for a minimum of 5 years after the audit is conducted. Email archiving would be considered a critical part of record keeping from audits and reviews, so it is important to bear the rule in mind (Authority3, 2013).
- Archives Act 1983: Emails that the company creates and receives are to be managed under the Archives Act 1983. Under the act, if the questions below are answered yes, the company has to save the email as per the regulations (NAA, 2017):
  - Did the company receive or send this email within the course of time?
  - Does it relate to the current project?
  - Does the email offer approval for any action?
  - Does the email offer any advice, record or direction?
Emails that probably do not need to be saved are:
- Messages received only for information
- Trivial information
- Copies of information
- Copies of documents
- General notices sent to staff members
- Personal and social messages
Emails of little or no business value can be routinely deleted as long as normal administrative practice (NAP) allows it. NAP is a provision of the Archives Act that allows lower-value information to be deleted on a regular basis as part of business practice. The agency is required to follow a policy on how it should be implemented (Gwava, 2017).
As per the Australian Government digital transition policies, digital information, including emails, needs to be managed in digital formats. This means that one should print and store the emails in paper files. One should store the emails in a system that can be managed effectively for as long as required (Gwava, 2014).
- Defining Policies Early: Establishing retention and deletion policies at the start keeps storage from growing to insurmountable levels. A policy that states the motives for the standards and how end users need to follow it is quite satisfactory in the courts, provided employees can easily prove that the company abides by it.
- Enforcing the Policies: Once the policy has been written, it should be enforced with automated solutions so as to eliminate the human factor.
- Eliminating the PSTs: PST files are mainly created by end users to store emails and keep them accessible. However, such files are not the main storage locations for end users. They expose the company to legal risk and make it difficult for employees to locate emails when needed. With email archiving, the archive becomes the central data repository where users can access emails easily.
- Backup Tapes Are Not Archives: Backup tapes should not be used as the central repository for emails. They capture information only from the viewpoint of the backup, which will not include items that end users deleted (Mangus, 2016).
- Stubbing: This offers immediate storage reductions on the email servers, often up to 80 percent, reducing the mailbox storage needed and improving email server performance by lowering capacity, with minimal impact on end users (Vouga, 2014).
An overview of the project impact on the present security of Aztec
Aztec currently processes all customer and employee inquiries manually. The current database management system needs to be innovated and upgraded to assist staff in their day-to-day work and to let them respond to inquiries effectively and efficiently. Creating an email archive across the length and breadth of the organization for compliance purposes will help with such tasks and make the work of staff easy and hassle free. Information technology offers varied sources of significant investment.
To make sure that scarce resources are used in the best possible manner and the benefits are realized, a business-case approach is very important for managing the priorities of the database management systems, and this study sets out to research and understand it. Investments in technology are undoubtedly extremely complex. One of the major issues with implementing a corporate-wide email archive is that it cannot be applied uniformly in all departments, as that is not considered very effective. In the current scenario, however, the company regards the new database systems as the only magic wand for its prevailing issues. It must be noted that creating a corporation-wide email archive for compliance purposes will prove very expensive, because the implementation process is quite often delayed, either through lack of human and other resources or through other unexpected issues. Nonetheless, irrespective of these issues, implementing an email archive across the corporation is a safe option that companies can adopt to mitigate email threats.
An email archive across the corporation for compliance purposes can be applied in all departments, where it will serve as a domain of information technology. Simply put, if the company adopts this innovative, up-to-date database management system, it will connect only with useful information that facilitates the company's development. At present this feature is missing, and as a result there is a lack of transparency in the organization.
This kind of update and innovation in the database is being considered because the company currently faces various issues, such as inferior methods of data management and email management. Growing customer dissatisfaction, ever-increasing complaints and a lack of proper documentation are other issues that need to be addressed. The new system of creating an email archive across the corporation for compliance purposes will develop new databases and resources that are easily accessible and can be shared efficiently by all stakeholders of the company. To develop a new database management system, senior management and the company's executives must be satisfied and ready to undertake all the risks associated with the transition process. It is only anticipated that management will be convinced by the benefits of implementing the new system.
Common issues that have forced the company to consider innovation include an innate desire to grow the business, the need to reduce costs, obsolete systems and inefficient business processes (Digital Preservation, 2013) (IMR, 2014).
In light of the organization's current activities, it needs to invest in technology that enables it to securely store, manage and retrieve business data. Crucially, it needs not only to use the technology to fulfil its regulatory and fiduciary obligations in the way it manages business and customer data; it needs to be able to prove that it is doing so (Mail Store, 2013). It can achieve this by implementing an email and file archiving solution. As regulatory requirements for data retention grow, the risks and costs of nonexistent or inadequate email archiving are also increasing (Fusemail, 2015). The increased liabilities come in the form of fines, litigation and reputational damage. Effective archiving is the key. Standard email archiving captures and copies emails, attachments and data to a separate archiving server, where they are indexed. This indexing and storage makes the content easily accessible. Security is the main priority for the company, and processes such as legal holds and data exports need to be possible in an effective and legal way (Posey, 2013).
An archiving solution makes it easy to search through the stored email data to produce such content. It also offers a way of proving that messages were sent and received (Spurzem, 2008). It is an immutable record of the email data, even if a message has been deleted from the mailbox. The organization needs to take steps to protect the data throughout its lifecycle, from creation to sending and sharing (Intradyn, 2012). A holistic approach to information security offers greater security and educational value than individual fixes for particular aspects of data creation and sharing. Varied solutions can be used for the various aspects of data security, so the archive needs to integrate with the rest of the established information security setup. This can comprise, but is not limited to, classification, email encryption and any tailored infrastructure implemented for data security purposes (GFI, 2015).
Indexing and storing data only for later retrieval is a missed opportunity, because the company does not leverage the data and make it work for it. Intelligent forensics and analytics can allow the business to find additional value in the data it stores for compliance purposes (GFI, 2012). High-quality e-discovery reporting can show trends in email flow, revealing user habits and the effectiveness of information security policies (1and1, 2016).
Threats, Vulnerabilities, Consequences, and Recommendations
Email compliance is a herculean job, as it requires email to be archived in a secure way. The company also has to ensure that email is not abused before it is archived, since instances of noncompliance might occur because of staff abuse of company email. To ensure this, the company needs a high-quality email archive that is fully compliant. The first thing the company needs to do is attend to its staff and address all the threats posed to compliance and assets. It cannot be denied that there are multiple threats within the company. The communication data regularly sent and received through email includes customer details, intellectual property, account information and much more. There are two main kinds of insider threat to data (Tolson, 2016):
- An Evil-Intentioned Insider: This is a person who acts with vengeful intent. This person may have access to all the sensitive and valuable information and data; for instance, a sales administrator, another executive or an IT staff member can have this privilege and can easily access and misuse it (Jatheon, 2017).
- Non-Malicious Insider: These are people who unintentionally violate data protection and compliance policy. Such insiders clearly outnumber the other group, as many people violate security policies without any malicious intent. For instance, they might email confidential documents to a personal address to work from home. In such cases, the company's sensitive data is at high risk (Reid, Fraser-King, & David, 2007).
Unwanted and irrelevant mail arrives in volume, and this poses a great threat. Statistical data from experts states that 90% of emails are spam. Spam emails infect the recipient's computer with viruses such as spyware, malware and Trojans, and destroy or corrupt the person's software or help in acquiring sensitive data.
Spam can also lead to software being installed on the user's machine that turns the machine into a zombie (Ipexpo Europe, 2015).
Phishing Attacks: Email purporting to come from a trusted source, designed to garner credentials from the prey, has gone from blatant to subtle.
Bad Stuff Going Out: Many organizations are adopting methods and software that stop unwanted, junk or spam emails, but there is still less focus on the dangers and vulnerabilities presented when sending email. Devices can be infected from multiple sources besides email, for example from malicious sites or from infected files that arrive through unsecured sites. An infected mail or device can infect all the data in the system and corrupt the whole system, bringing the business to a standstill (GRC, 2015).
- The Security Risk: The problem with email archives is that they were designed and deployed using old hardware and software, for instance Microsoft Windows Server 2003 and Windows SQL Server. Both products are mainstays of email archiving solutions. At present there are legacy email archives running on end-of-life products, and these pose a critical security risk to the organization. Many of the security risks stem from how fixes for known vulnerabilities in the aging and soon to be end-of-life products were introduced. There are many reasons behind this, but often the bottom-line guidance from Microsoft was to migrate away from the platforms.
- The Legal Risk: Frivolous lawsuits are a common issue for all companies, in particular lawsuits from ex-employees. The main source of evidence in such suits is email. An email archive can potentially contain years of email and will accumulate a vast amount of it. It is prudent to keep a close eye on email retention and to dispose of email that does not need to be retained. Email kept past its useful life poses a legal risk to the organization.
- The Support Risk: It is a fact of business that companies are acquired and sold. It is therefore no surprise that the majority of email archive products have had multiple owners (Chan, Grzymala-Busse, & Ziarko, 2008).
The greatest advantage of email archiving is that it not only ensures compliance within the company but also encourages compliance within the employee ranks. An email archive is a catch-all, tamper-proof solution that stores every single email that goes in and out of the company. Employers can use the secure archive to monitor all email activity and identify malicious patterns. Both types of employee threat can be successfully neutralized if employees know that their communications are monitored.
Some easy steps for the company to follow for effective implementation are:
- Easy-to-Enforce Retention Policies: The policy engine should allow the company to create, maintain and enforce the corporate retention policy for email. A basic policy template should be offered to get the user started; from there, the user can easily customize the solution to enforce granular policies. All administration should be performed from an easy-to-use, browser-based interface, allowing compliance or legal staff to manage the process without the help of information technology staff.
- Enforcement of the policies needs to be automatic: a single click in the user interface is all that is needed to apply the policy to the archive. Each policy change needs to be tracked in an audit trail, ensuring accurate records of changes in policy.
- Advanced Search for Discovery: Email archiving will offer advanced search features that meet the most stringent discovery and review needs. Using web-based interfaces, the legal and IT teams can conduct full-text searches across message headers, message bodies and the content of 250 types of attachments. Search results can be saved in folders, where duplicate messages are easily removed.
- Supervision for Compliance: Email archiving makes it easy to meet even stringent compliance demands by archiving email in line with, for instance, a stronger SEC-compliant email policy. Access to search and real-time email retrieval makes the compliance audit process painless. The supervision review features allow staff to review email sent by employees. Messages selected for review are placed in a queue for review by authorized users (Symantec, 2015).
- Insights Through Easy-to-Access Reports: Email archive services will offer numerous reports to help the user properly assess email patterns and behaviors. Authorized users can get immediate access to detailed reports, which include storage growth and email usage over time (UCSF, 2017).
- Tighter Integration with Exchange: Email archiving will offer tight integration with the existing messaging infrastructure. Taking advantage of Microsoft Exchange journaling, the appliance logs in to Exchange and retrieves copies of the email at configurable intervals, before messages are removed from the mailboxes (Aberdeen Group, 2007).
- On-Demand Access: The solution is the only one that offers a search performance guarantee, ensuring reliable access to the archived data. Unlike in-house solutions, which can experience serious search degradation and need ongoing hardware upgrades as the archive grows, service providers offer access to servers on demand (Seitel Systems, 2010).
- Decreasing productivity losses associated with unwanted emails
- Protecting users from unwanted emails and inbound email vulnerabilities
- Ability to identify and respond to threats in a timely manner
- Integration of email security
- Email encryption
- Data loss prevention
- Email filtering
To address data security risks from the point of view of how the data will be used, who will access the data and where the data will be used.
The use of cloud-based services and remote working patterns has increased reliance on email as a communication method (Fox, 2013). Because the email archive functions as a store of sensitive data, it is subject to litigation as well as susceptible to data breaches. Without comprehensive security in place, data retention systems can seem opposed to user privacy. There are certainly risks in archiving sensitive email data in a repository and then offering user access; however, there are also ways to mitigate the associated risks, including mechanisms for protecting against insider threats. Advanced archiving solutions can resolve modern compliance challenges and include comprehensive security and restricted access to functionality (Intradyn, 2016).
User sign-in needs to be customizable and offer additional measures such as multi-factor authentication, as well as restricting sign-in to certain domains or devices. It is quite likely that not everybody should have access to the archive. There needs to be a flexible permissions engine that lets the administrator set user permissions at a granular level, giving users just the tools and data they should have access to, and nothing more (Dcsny, 2016). A separate authentication platform needs to give the option of restricting access for the network administrator: customization is the key to each individual security need. Performing searches across the organization's data must, of course, be carefully constrained (Cybersec, 2017). There need to be mandatory approval stages before the outputs of an investigation are displayed to the user, in which other high-level users may grant or deny access based on the user's search parameters. Such a system goes some way towards reducing threats and demonstrating accountability. Related to this need for accountability, a comprehensive and detailed log is needed to offer a high level of assurance. Even if an investigation into the email data has been rejected, knowing that someone attempted it is very important. Being able to easily filter and search real-time information on user actions, the dates and times of searches conducted and emails viewed, and the specific users involved means that the administrator can evaluate and amend policies and prove adherence to compliance legislation (Water Ford Technologies, 2015).
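The approval-gated search and the audit log described above can be sketched as follows. This is an added example, not code from any archiving product or from the sources cited here; the user names, permission names, sample messages and timestamps are constructed, and hash-chaining the log is one assumed way to make it tamper-evident.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first log entry


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; every entry commits to the hash of the one before it."""
    FIELDS = ("ts", "actor", "action", "detail", "prev")

    def __init__(self):
        self.entries = []

    def append(self, ts, actor, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "actor": actor, "action": action,
                "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Recompute the chain; an edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: e[k] for k in self.FIELDS}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def actions_of(self, actor):
        """Filter the log by user, as an administrator reviewing activity would."""
        return [e["action"] for e in self.entries if e["actor"] == actor]


class ArchiveSearch:
    """Search results are released only after a second user approves."""

    def __init__(self, permissions, messages, log):
        self.permissions, self.messages, self.log = permissions, messages, log
        self.requests = {}

    def _can(self, user, perm):
        return perm in self.permissions.get(user, set())

    def request(self, ts, user, query):
        if not self._can(user, "search"):
            # The refused attempt is still recorded.
            self.log.append(ts, user, "search_denied", {"query": query})
            return None
        req_id = len(self.requests) + 1
        self.requests[req_id] = {"user": user, "query": query, "state": "pending"}
        self.log.append(ts, user, "search_requested",
                        {"request": req_id, "query": query})
        return req_id

    def decide(self, ts, approver, req_id, approve):
        req = self.requests.get(req_id)
        # Approver needs the permission and may not rule on their own request.
        ok = (req is not None and req["state"] == "pending"
              and self._can(approver, "approve") and approver != req["user"])
        if not ok:
            self.log.append(ts, approver, "decision_refused", {"request": req_id})
            return False
        req["state"] = "approved" if approve else "rejected"
        self.log.append(ts, approver, "request_" + req["state"], {"request": req_id})
        return True

    def results(self, ts, user, req_id):
        req = self.requests.get(req_id)
        if req is None or req["user"] != user or req["state"] != "approved":
            self.log.append(ts, user, "results_denied", {"request": req_id})
            return []
        q = req["query"].lower()
        hits = [m["id"] for m in self.messages
                if q in (m["subject"] + " " + m["body"]).lower()]
        self.log.append(ts, user, "results_viewed", {"request": req_id, "ids": hits})
        return hits


# Constructed sample data: permissions per user and a three-message archive.
PERMISSIONS = {"alice": {"search"}, "carol": {"search", "approve"}, "bob": set()}
MESSAGES = [
    {"id": 1, "subject": "Lunch on Friday", "body": "Usual place?"},
    {"id": 2, "subject": "Contract renewal", "body": "Signed copy attached."},
    {"id": 3, "subject": "Re: contract terms", "body": "Approved by legal."},
]


def demo():
    log = AuditLog()
    svc = ArchiveSearch(PERMISSIONS, MESSAGES, log)
    blocked = svc.request("2024-01-08T09:00:00Z", "bob", "contract")
    rid = svc.request("2024-01-08T09:05:00Z", "alice", "contract")
    early = svc.results("2024-01-08T09:06:00Z", "alice", rid)  # not yet approved
    svc.decide("2024-01-08T09:10:00Z", "carol", rid, True)
    hits = svc.results("2024-01-08T09:11:00Z", "alice", rid)
    return {"blocked": blocked, "early": early, "hits": hits, "log": log}


if __name__ == "__main__":
    out = demo()
    print(out["hits"], out["log"].verify(), out["log"].actions_of("bob"))
```
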
There are many other risks associated with email archiving. Are users correctly implementing email encryption? Are attachments properly classified? Are there specific users and teams who have failed to heed best practice when sharing information? The more advanced archiving solutions also enable the generation of triggers and reports that can automatically notify administrators. Because of the scale of email communication in the company, the email archive can be big and unwieldy, and organizing it can create issues for compliance and governance (The Email Laundry, 2014). By being able to forensically investigate email activity, including encrypted content, administrators can gain a deep understanding of how the organization employs email as a method of communication and as a store of knowledge. Consequently, they can spot individuals or recurrent issues and fix them in an intelligent way (Pham, 2016). It also serves the other essential compliance task of verifying that a suitable security environment persists. An archiving solution can be the difference between effective protection of data and huge financial penalties. Often, the reputational damage that follows is considered more expensive. The best archiving solution goes further: it not only helps the organization comply with current regulations but also develops additional value by enabling intelligent analytics of email data, improvements in employee productivity and seamless integration with the existing email security infrastructure. Data retention regulations have definite advantages for end users and customers, but at the same time the right archiving product can turn the regulatory obligation into positive change for the organizations planning to implement it (Get Cloud Services, 2014).
References
1and1. (2016). Email archiving: what all companies should know. Retrieved from 1and1.com: https://www.1and1.com/digitalguide/e-mail/technical-matters/email-archiving-laws-and-practices-you-should-know/
Aberdeen Group. (2007). The Ins and Outs of Email Vulnerability. Aberdeen Group.
Authority3. (2013). Regulations, Laws & Compliance. Retrieved from authority3: https://www.authority3.com/resources/regulation-and-laws/
Bradbury, D. (2015). Archiving Email Under Us Law: What Is Required. Retrieved from solarwindsmsp: https://www.solarwindsmsp.com/blog/archiving-email-under-us-law-what-is-required
Chan, C.-C., Grzymala-Busse, J. W., & Ziarko, W. P. (2008). Rough Sets and Current Trends in Computing: 6th International Conference, RSCTC 2008 Akron, OH, USA, October 23 - 25, 2008 Proceedings. Springer.
Cybersec. (2017). Email Security. Retrieved from Cybersec.org: https://cybersec.org/cyber-security-services/vulnerability-assessment/email-security
Dcsny. (2016). Email Archiving for Compliance. Retrieved from Dcsny.com: https://www.dcsny.com/cloud-it-services/email-archiving/
Digital Preservation. (2013). Archiving Email. Retrieved from Digitalpreservation.gov: https://digitalpreservation.gov/personalarchiving/documents/archive_email.pdf
Fox, T. (2013). What Are the Essential Elements of a Corporate Compliance Program? Retrieved from lexisnexis: https://www.lexisnexis.com/legalnewsroom/corporate/b/fcpa-compliance/archive/2013/05/23/what-are-the-essential-elements-of-a-corporate-compliance-program.aspx
Fusemail. (2015). Email Archiving. Fusemail.
Get Cloud Services. (2014). Email Archiving Solution. Retrieved from Getcloudservices.com: https://www.getcloudservices.com/faqs/email-archiving-solutions/
GFI. (2012). Why organizations need to archive email. GFI.
GFI. (2015). Email archiving in the United States. GFI.
GRC. (2015). Compliant eMail Archiving. GRC.
Gwava. (2014). Regulatory Compliance for Australian Government Agencies. Micro Focus.
Gwava. (2017). What Government Agencies Need to Know About Archiving Electronic Communication. Retrieved from Gwava.com: https://www.gwava.com/government-email-archiving
IMR. (2014). The Impact of Regulations on Email Archiving Requirements. IMR.
Intradyn. (2012). FRCP and Email Archiving: The Impact to Your Business. Retrieved from Intradyn.com: https://www.intradyn.com/frcp-and-email-archiving-the-impact-to-your-business/
Intradyn. (2016). Complete List of Email Retention Laws: Federal, State and Industry. Retrieved from Intradyn.com: https://www.intradyn.com/email-retention-laws/
Ipexpo Europe. (2015). Email and file archiving. Ipexpo Europe.
Jatheon. (2017). Employees as Threats to Email Compliance. Retrieved from jatheon: https://jatheon.com/blog/employees-as-threats-to-email-compliance/
Mail Store. (2013). Email Archiving Brings Solid Advantages. Mail Store.
Mangus, Q. (2016). Best Practices for Managing Email Archiving. Retrieved from blog.microfocus: https://blog.microfocus.com/best-practices-for-managing-email-archiving/
NAA. (2017). Managing email. Retrieved from National Archives of Australia: https://naa.gov.au/information-management/managing-information-and-records/types-information/email/index.aspx
Pham, T. (2016). The Simple Guide to Managing Your Email with the Asian Efficiency Email Workflow. Retrieved from Asianefficiency.com: https://www.asianefficiency.com/email-management/simple-guide-to-managing-your-email/
Posey, B. (2013). Best Practices for Exchange Archiving. Retrieved from redmondmag: https://redmondmag.com/articles/2013/04/17/exchange-archiving.aspx
Reid, R., Fraser-King, G., & David, W. (2007). Data Lifecycles: Managing Data for Strategic Advantage. John Wiley & Sons.
Seitel Systems. (2010). Email Archiving and Mailbox Size: Best Practice Recommendations Under Microsoft’s Exchange Server. Retrieved from Whitepapers: https://seitelsystems.com/blog/email-archiving-and-mailbox-size-best-practices/
Spurzem, B. (2008). The Storage Impact of Email Archiving. Retrieved from Email-museum.com: https://email-museum.com/2008/06/17/the-storage-impact-of-email-archiving/
Symantec. (2014). Top Five Strategies for Getting an Email Archiving. Retrieved from Symantec.com: https://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-datasheet_top_five_strategies_for_getting_an_email_archiving_project_off_the_ground_13583249.pdf
Symantec. (2015). Email Retention and Archiving. Symantec.
The Email Laundry. (2014). Best Practice For Email Retention. Retrieved from Theemaillaundry.com: https://www.theemaillaundry.com/wp-content/uploads/2015/07/Email_Retention_UK.pdf
Tolson, B. (2016). The dangers of legacy email archives. Retrieved from betanews: https://betanews.com/2017/03/06/dangers-legacy-email/
UCSF. (2017). Email Best Practices. Retrieved from UCSF: https://it.ucsf.edu/services/email/email-best-practices
Vouga, S. (2014). 5 Best Practices for Email Archiving. Retrieved from waterfordtechnologies: https://www.waterfordtechnologies.com/5-best-practices-email-archiving-2/
Water Ford Technologies. (2015). Email Archiving! Without it Your Company is at Risk. Retrieved from Waterfordtechnologies.com: https://www.waterfordtechnologies.com/email-archiving-without-company-risk/