Complying with government regulations such as the Sarbanes-Oxley Act (SOX), HIPAA and several others is critical when creating an email-archiving policy. Use this checklist when planning your email-archiving strategy.
- Create and refine email-archive policies
No organization can meet compliance and regulatory obligations unless it has developed and implemented relevant policies. At a minimum, have an email-retention policy that defines which types of mail must be kept and for how long. In addition, have an email-archive policy that defines the storage locations, allocated space, and the search, recovery and backup processes needed to protect stored messages. Remember: Compliance is typically not an IT function, so it's important to involve corporate management -- legal counsel, human resources, the CTO -- in the policy-development process.
- Document and prepare email servers
Proper documentation and preparation of email servers will demonstrate "due diligence" for compliance auditors and help IT staff recover from problems. For example, document all email server configurations, remove all outdated alias databases, complete all alias database rebuilds and move all stored logs to a separate (Syslog) host prior to archiving.
- Implement security for email archiving
Email compliance often includes the use of security processes and technologies that restrict access and guard email against loss or theft. For example, archive access should require the use of strong authentication, such as public/private key pairs or multifactor authentication. Archive access should also be restricted to only a limited number of IT and legal/management personnel.
Regardless of personnel restrictions, implement comprehensive auditing to track archive access and review the audit logs to ensure adherence to access policies. Finally, consider technologies like encryption or hashing to protect archived email: encryption keeps the archive unreadable to anyone other than authorized users, and hashing helps ensure data integrity by detecting tampering. These protections can be particularly important when working with a third-party email-archive vendor.
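As an added example (not code from the original article), the hashing-for-integrity point above in Python: an HMAC-SHA256 manifest over the archived message files, keyed with a secret held outside the archive so that someone who can alter a message cannot simply recompute its hash, and a verification step that reports altered, deleted and planted files. The directory layout, key and messages are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

def _file_mac(path, key):
    """HMAC-SHA256 of a file, streamed so large mailbox files need not fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_manifest(archive_dir, key):
    """Map each archived file (path relative to the archive root) to its HMAC."""
    manifest = {}
    for root, _dirs, files in os.walk(archive_dir):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, archive_dir)] = _file_mac(path, key)
    return manifest

def verify_manifest(archive_dir, key, manifest):
    """Recompute the archive's HMACs and report every deviation from the stored manifest."""
    current = build_manifest(archive_dir, key)
    both = manifest.keys() & current.keys()
    return {
        "modified": sorted(p for p in both if not hmac.compare_digest(current[p], manifest[p])),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Constructed run: archive two messages, then alter one, delete one and plant a stray file."""
    key = b"demo-key"  # assumption: the real key is held outside the archive (e.g. in a KMS)
    messages = {  # constructed sample messages
        "2010/msg-0001.eml": b"From: a@example.com\r\nSubject: Q1 report\r\n\r\nBody 1\r\n",
        "2010/msg-0002.eml": b"From: b@example.com\r\nSubject: Invoice\r\n\r\nBody 2\r\n",
    }
    with tempfile.TemporaryDirectory() as archive:
        root = Path(archive)
        (root / "2010").mkdir()
        for rel, body in messages.items():
            (root / rel).write_bytes(body)
        manifest = build_manifest(archive, key)  # captured at archival time
        (root / "2010/msg-0001.eml").write_bytes(b"replaced after archival\r\n")  # tampering
        (root / "2010/msg-0002.eml").unlink()  # simulated deletion
        (root / "2010/msg-9999.eml").write_bytes(b"planted\r\n")  # file not in the manifest
        return verify_manifest(archive, key, manifest)
```

The manifest itself should be stored separately from the archive (or signed), since a manifest that an attacker can rewrite along with the messages proves nothing.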
- Plan for technological interoperability
Archive requirements may persist longer than the working life of archiving tools and storage systems. Remember that inaccessible archives are not compliant. Anytime a change occurs in the archive infrastructure, make certain that existing archives remain accessible with the new tools and technologies, or implement a refresh plan to migrate archives to the updated infrastructure.
- Consider third-party compliance implications
Some organizations, particularly smaller businesses, may outsource email and archiving tasks to a third-party provider. When trusting email messages to an external provider, use a comprehensive service-level agreement (SLA) to address your specific needs for archive handling and management. The SLA should also cover topics like availability (uptime), data access, data integrity, security and logging/auditing. Understand what happens when the third-party contract terminates and have a plan in place to transfer the data to another provider or bring it in-house.
This was first published in March 2010