Patrick Childers wrote:

Hi Pete,
I think your gut is right. I'm pretty sure that I have 2 clients that would
be quite interested in "SOXsniffer". <g>
Not to debate the applicability of the technology, but you shouldn't proceed under the assumption that government regulators are out there giving IT staff lists of words to be used in "full-text search" of E-mail archives. That is not the law, and it is not how subpoenas are issued.
What is at question here is document retention, or more specifically in this case, E-mail retention. There is nothing specific in Sarbanes-Oxley that indicates anything other than destruction of records, thereby implying that records such as E-mail are required to be maintained for a period of 5 years. There is absolutely no mention of required technologies, but it is clearly implied that you can't lose access to such documents due to a failure to properly apply a technological solution that survives that length of time (i.e. archival means need to be accessible going 5 years back at any time).

Given these requirements of such companies, it is now much more common to subpoena E-mail records for matters outside of those covered by the SEC, which is what Sarbanes-Oxley is all about. Subpoenas must be specific enough to comply with, rather than having the implementation of an archive being capable of allowing enemy lawyers to mine your data for hits. If you use such technology, however, you actually open yourself up to a higher likelihood, and therefore liability, of being required to do so based on preexisting capability.

As far as I can tell, the only retrieval requirement is being able to identify messages by sender, recipients and date. If you wish to read the requirements as established under the law, it is Sarbanes-Oxley section 802. It may also be wise to establish a separate and shorter retention schedule for employees that are not involved in matters governed by the SEC. When I worked for a Fortune 500 company, they had a 1 year E-mail deletion policy purposefully to limit liability related to product liability lawsuits and the cost of compliance. This was pre-SOX, and there was no policy that retained deleted E-mail outside of backup tapes which were carefully controlled as well. There was nothing wrong with such policies so long as documents were not destroyed in response to an investigation or lawsuit (which is why Sarbanes-Oxley specifies retention of documents for audits which require 5 years of records).

How one implements this is up to the company as long as they meet the basic requirements of the law. I certainly don't expect anyone to trust me on any of this, but I wouldn't go about designing a repository of any sort without consulting a lawyer with regulatory experience, and the same goes for developing products for use by such companies.

There are applications that archive and mine data from E-mail, but IMO, these are really just big-brother types of apps, and I've never been big on invading people's privacy. There are other services that some companies use under the general guise of "policy enforcement" which is just a fancy way of saying content screening. I think that Sniffer's engine could be set up to do at least part of this work (outside of attachments), but there are large companies out there that already offer such services and this is generally limited to only large customers. I consider this to be an ineffective solution since it can be so easily bypassed with a flash drive on a key chain, or missed by a set of keywords or phrases.

Matt

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
