DSstar - Providing News & Information For Data Intensive
Storage Solutions For The Enterprise


Features - Enterprise Data Insights:

MANAGING CORPORATE EMAIL COMPLIANCE AN IMPORTANT ISSUE
By Lawrence Didsbury, MCSE, MASE

The corporate climate has been heating up over the last couple of years in the area of corporate communications compliance. It is now time for corporations to take notice of the compliance regulations affecting their industry and to take the necessary steps to ensure their compliance. Companies already involved in the evaluation of the various software products designed to provide this functionality will need to ensure that the product they choose will be adequate to serve their information retention and compliance needs.

While regulations like the Securities and Exchange Commission (SEC) Rule 17a-4 have been in effect since 1997, the SEC and other regulatory bodies did not begin to enforce these regulations until December 3, 2002. By now, informed companies have heard of the case in which the New York Stock Exchange (NYSE), SEC and NASD reported that they had fined a number of corporations under their regulatory direction for failing to abide by certain retention compliance regulations. Each company was fined and agreed to pay, with the overall fines totaling over $8 million. The NASD specifically cited the following rules in the December 2002 article:

  • Section 17(a) of the Securities Exchange Act of 1934, Rule 17a-4 under the Exchange Act, NYSE Rule 440 and NASD Rule 3110
  • NYSE Rule 342 and NASD Rule 3010

These compliance rules task the corporations with retaining electronic communications for six years, and preserving in an accessible location all of the communications related to the business of the firm for two years. Additionally, they require the corporations to set up, maintain and enforce a supervisory system that will allow them to ensure compliance with the set regulations. Typically, e-mail archive software developers work with document management software companies to provide an integrated solution to deliver the necessary compliance tools. For instance, in order to adhere to the above compliance regulations as well as the latest U.S. DoD 5015.2 Standard, companies would benefit from selecting the integrated e-mail solution from eManage and EDUCOM.

The two companies integrate the latest versions of the eManage and Exchange Archive Solution (EAS) products to provide the only solution available today that offers both Exchange archiving and DoD 5015.2 compliant document management. Note that KVS and MDY also recently announced a partnership to deliver similar functionality. However, they state that the solution should be ready sometime around Fall 2003. Regulatory inspectors would use such a supervisory system to verify retention compliance. Corporations need to understand which regulations or regulatory agencies they are subject to and which products will provide the necessary retention and compliance tools to satisfy their legal and information management requirements.

There are essentially four areas involved in the pursuit of retention compliance. They are:

  • Pre-Review -- this pertains primarily to the monitoring of all inbound and outbound communications over e-mail. Typically, this involves the use of a gateway product that can scan all e-mail traffic and be set to trap or flag communications containing particular keywords or phrases.
  • Review -- this involves the ongoing review of message content that exists in either the primary database or the archives created by the application or both. Some e-mail archiving software products handle the review process using their archive search index, while others have a more complete content analysis engine.
  • Storage Assurance -- this is the process of assuring the proper retention of e-mail records using a "tamper-proof" method that would be acceptable to compliance regulators. Storage assurance also includes the ability of the application to serialize the media and time stamp individual records in such a manner as to assist with the audit trail.
  • Retention (Lifecycle) Management -- the compliance features that are important in this area are the ability of the application to manage and track an e-mail record from its inception to the end of its useful (or required) life. All movements or changes to the record should be recorded as part of the indexing or logging capability. Also important is the ability to purge (completely expunge) records for which the retention period has expired or for which there is no retention requirement.

Software products designed to solve these corporate e-mail retention challenges have begun to get more attention from C-level executives, not only from an information management standpoint, but also for their value in providing for the retention compliance needs of the enterprise. A few of the leading applications for e-mail retention include EDUCOM's Exchange Archive Solution (EAS), KVS Enterprise Vault, IXOS eCONNserver, and Legato's EmailXtender (developed by OTG and recently acquired by EMC with their Legato purchase). Corporations interested in implementing a strategy for the purpose of satisfying regulatory compliance should ensure that the product they select has the necessary functionality to fulfill the compliance requirements as well as the information retention and retrieval requirements for their organization. Of the four products mentioned above, three have unique modules or products specifically provided as retention compliance tools:

  • Storage and Retention Manager (EAS-STORM) (EDUCOM, TS)
  • Enterprise Vault Compliance (KVS)
  • EmailXaminer for EmailXtender (Legato Systems)

Of the top e-mail management products reviewed, EAS-STORM appears to provide the more robust tools for the continuing lifecycle management of e-mail data. Once data has been initially archived from the Exchange Servers, EAS-STORM can further "archive the archives" in a global storage environment, managing the data even to offline media towards the end of its useful life. Closer inspection such as this will assist companies in evaluating these products to determine if they provide the level of compliance tools required. For companies that use Microsoft Exchange Server, each of these products has the necessary support for the current version of Exchange Server, and each appears to provide the basic necessary compliance functionality. Some of the functionality that companies should look for in a compliance module or product includes:

  • Full historical logging of all record activity that will serve as an audit trail
  • Storage assurance
  • Storage formats supported (e.g. CIFS, NTFS, CDR, Tape, WORM, optical, EMC Centera)
  • Full content-based rule applications
  • The ability to search all e-mail records present in existing archives
  • Complete purge capability based on granular criteria (including content, retention period etc.)
  • Scalable architecture to serve globally distributed e-mail server environments
  • Automated lifecycle management of retained communication records
  • Storage management/optimization for storage efficiencies (e.g. record compression, true single-instance storage, optimization based on storage type)
  • Preview capabilities to prevent time/resource consuming tasks
  • Copy or migration of e-mail records located during audit procedures
  • Ability to supply desired information from archive directly to CDR or other removable media for use by compliance investigators
  • Automated task operations for staging e-mail throughout a lifecycle

It should be noted by companies reviewing the leading archiving solutions that each vendor mentioned produces a unique product, each of which should be evaluated based on the company's information retention and compliance requirements. Some full product packages provide excellent functionality that may exceed both the price and needs of the business. Other products, while much cheaper, will not provide the necessary functionality, and could end up costing the firm more through fines levied for non-compliance and loss of important intellectual property.

Lawrence Didsbury, MCSE, MASE

Lawrence is an independent writer focused on various data storage and computing technologies. Lawrence was most recently a Marketing Manager for Auspex Systems after serving at Compaq Computer Corporation as an engineering team lead, and a systems/software engineer. Before that Lawrence was an independent network/Internet consultant and served with systems integrators as a network services manager and systems engineer. Lawrence is a Microsoft Certified Systems Engineer (MCSE) with a Microsoft Exchange specialization, and is a Compaq Master Accredited Systems Engineer (MASE) with a concentration in Enterprise Systems Management. Lawrence has a BS degree from the University of Houston and is currently pursuing an E-Commerce MBA from Jones International University.

