A Brief Discussion on the Implications of the Sarbanes-Oxley Act (SOX) for Document and Image Storage
Document Storage Requirements

Recently a number of federal regulations have been passed that have an immediate and permanent effect on storage, backup strategies, and procedures, both for ordinary documents and for e-mail. Although these regulations were primarily directed at financial documents, it is clear that, at the very least, any organization should adopt a "best practices" solution that covers most of the documents generated within an enterprise of any size.

Which documents are affected?

SOX provides general provisions calling for support of audit trails and for the retrieval of documents (including all types of messages) that may be required in an investigation. To ensure that the company is always in compliance, IT departments and personnel have to apply a defined set of processes and safeguards to all documents. This ensures two things. First, no one has to decide whether or not a group of documents needs to be included and retained, only to discover later that the decision was wrong and possibly exposed them to criminal liability. Second, by covering everything now, the IT professional ensures that should the scope of these regulations increase, no additional changes to daily processes are needed.

The specific financial documents that must be included are:

Individual accounts or groups of related accounts
Footnote disclosures included in financial statements
All line items and notes
All footnote disclosures included in published financial statements

These requirements extend the need for audit trails to the transaction- and task-related documents and communications behind the financial statements. The most important items are the financial documents themselves, but all the associated documents have to be available as well.

In order to get into compliance, IT departments have to assess their current backup and recovery strategies, record archiving schemes, and long-term data storage methods. All records, including e-mail and instant messaging, must be indexed and easily searchable. The methodology must also include a way to discover whether anyone has attempted to tamper with the stored information, which requires detailed record keeping.

So, what are the rules?

Record integrity must be protected for the whole specified storage period. Records must be stored in a way that cannot be altered, and access to them must be traceable.
Records must be available within a reasonable timeframe.
Physical security of storage media must also be maintained. There should be multiple copies of the required information stored at different locations.
Access to storage locations must be monitored and recorded.
The reliability of the chosen storage medium is essential.
All workstations should be included in the backup strategy, including all personal data.
Automated storage of data is required on a regular basis, with sufficient granularity to support the proper disclosures.
Reasonable access to archived data must be maintained at all times.
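To make the integrity and traceability rules concrete, the following is an added example (not from this article or from any product it describes) of a tamper-evident archive index in Python: a hash-chained manifest whose head is kept out of band as the trusted anchor, a verifier that reports altered, missing, unlisted or rewritten entries, and an append-only access trail. The record names and contents used are constructed sample values.

```python
import hashlib

GENESIS = "0" * 64  # public starting value for every chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(records: dict) -> tuple:
    """Each entry commits to its record's digest and to the previous entry.
    The returned head must be kept out of band (off-site copy, signed, printed);
    without that anchor a consistently rewritten manifest looks like a real one."""
    manifest, prev = [], GENESIS
    for name in sorted(records):
        digest = sha256_hex(records[name])
        link = sha256_hex(f"{prev}|{name}|{digest}".encode())
        manifest.append({"record": name, "sha256": digest, "chain": link})
        prev = link
    return manifest, prev


def verify_archive(records: dict, manifest: list, trusted_head: str) -> list:
    """Return findings; an empty list means the archive matches the anchored manifest."""
    findings, prev = [], GENESIS
    listed = {e["record"] for e in manifest}
    findings += [f"unlisted record: {n}" for n in sorted(set(records) - listed)]
    for entry in manifest:
        name = entry["record"]
        if name not in records:
            findings.append(f"missing record: {name}")
        elif sha256_hex(records[name]) != entry["sha256"]:
            findings.append(f"content altered: {name}")
        # recompute the link from the stored digest: an edited entry breaks it
        if sha256_hex(f"{prev}|{name}|{entry['sha256']}".encode()) != entry["chain"]:
            findings.append(f"manifest entry rewritten: {name}")
        prev = entry["chain"]
    if prev != trusted_head:
        findings.append("manifest head does not match trusted anchor")
    return findings


def record_access(log: list, ts: str, who: str, record: str, action: str) -> dict:
    """Append-only access trail; each line hashes the previous one, so a deleted
    or edited line is detected when the trail is re-verified the same way."""
    prev = log[-1]["hash"] if log else GENESIS
    line = {"ts": ts, "who": who, "record": record, "action": action}
    line["hash"] = sha256_hex(f"{prev}|{ts}|{who}|{record}|{action}".encode())
    log.append(line)
    return line
```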

For the IT manager the most important things are the operational processes themselves. This importance derives from a careful reading of the legislation, which states that companies must file an internal control statement with their annual report that includes "an assessment, as of the end of the most recent fiscal year ... of the effectiveness of the internal control structures and procedures of the issuer for financial reporting." This means that not only must the data be retained, but the company must also be able to demonstrate that the key financial information is being managed and protected in a way suitable to ensure compliance.

Companies with significant storage management issues must be able to identify and establish the reporting procedures necessary to demonstrate that document policies and procedures are in place, specifically in the areas of:

Data protection – Data security and management of backup/restore operations.
Data availability – Policies related to access and retrieval of data from archival sources.
Data recovery – Including disaster recovery schemes.

Generally, these organizations have to ensure that the policies exist and are properly documented, that the processes are in fact being followed, that an audit trail exists as evidence of compliance, and that a validation process is in place to test the effectiveness of the controls, the processes, and the reporting.

SOX basically requires a more sophisticated view of storage than is commonly held in most companies. It requires a differentiation between critical and routine data while also requiring access to data that has been placed into long-term storage.

What about E-mail?

The rules concerning e-mail storage are basically the same but differ primarily because of the wide range of relevance any one e-mail communication may exhibit. E-mail has become the preferred communication medium for agreements, contracts, approvals, and work discussions. Effective e-mail storage management requires a certain level of filtering due to the enormous amount of spam and other unwanted or irrelevant e-mail a company may be bombarded by on a daily basis. At the same time there has to be an audit trail sufficient to support any litigation where the company may find itself involved.

Although the requirements for e-mail are basically the same as for any other company document, the nature and content of most messaging creates a number of problems. First, messages are spread across the whole organization and tend to be stored locally, at the workstation level. Second, the sheer daily volume of these messages before filtering is enormous. Third, messages can contain documents and other materials that give them direct relevance to any investigation of company transactions.

Even though e-mail archiving systems have been available for quite a long time, SOX and related regulations add importance to putting an adequate solution in place that provides both the capability to centrally store all relevant messages and the ability to search and retrieve messages in storage. More new products and systems specifically designed to meet these requirements are becoming commercially available.
