How to Easily Secure Your E-mail System and Comply with HIPAA, Sarbanes-Oxley, and GLBA Regulations
While recent government regulations vary in scope and purpose, the need to protect and ensure the integrity of information is universal. Much of the information germane to business today is assimilated and communicated over messaging platforms such as e-mail. As a result, the need for a comprehensive approach to the secure delivery of e-mail affects almost all organizations, regardless of industry or size. As with many management challenges, the unknown is the most significant cause for concern. In the case of e-mail and messaging security, the most ominous threat is often the inability to measure information flowing in and out of the corporate e-mail network.
E-mail has traditionally been sent “in the clear,” meaning that e-mail headers and contents have been readily accessible to anyone with the ability to monitor network traffic. Traditionally, encryption technologies have been sufficiently difficult to implement that many businesses chose to sacrifice security in the name of user-friendliness for an application as mission-critical as e-mail. For example, some encryption and authentication technologies require ubiquitous adoption by every entity attempting to communicate, and few have ever agreed on which technologies are best or most efficient. Many businesses, committees and users have been attempting to standardize such use for well over a decade.
Over the last few years, however, regulations have been enacted that require the business and technology communities to develop and implement secure e-mail solutions. Easy-to-use encryption and authentication are now readily available. The new challenge for the enterprise is to determine where and how to implement these solutions to ensure compliance with the new regulations. Understanding how each regulation affects e-mail security and delivery is important to understanding the pressures all IT managers will be under in the months and years to come.
E-mail Security Issues for Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 took effect in June of 2004 and requires CEOs, CFOs, independent auditors and audit committees to certify the accuracy, confidentiality, privacy and integrity of financial statements, and the effectiveness of internal controls and procedures for financial reporting and disclosures. The sections of Sarbanes-Oxley most relevant to e-mail security are sections 404 and 802.
- Section 404 deals with internal controls, and requires organizations to implement controls over the release of information to individuals or organizations outside the company’s network.
- Section 802 addresses records management, and how long and in what manner documents (including e-mail) should be retained.
Sarbanes-Oxley does not detail specific steps organizations should take to comply with these regulations. Rather, it requires that companies implement programs that ensure the secure flow of information, and then be able to document the success and deficiencies of those programs. Some programs are commonly used as a basis for implementation.
Corporations and business partners of companies affected by Sarbanes-Oxley are required to ensure that sensitive information remains secure. As with HIPAA solutions, “insider information” should not be accessible outside the perimeter of a company’s network. Encryption policies should be enforced whether or not a busy executive remembers to encrypt a message. Rogue employees should not be capable of transmitting sensitive financial information outside the network. Detailed reports should be available to auditors showing how the system has protected the network and archived relevant communications. All of this can be handled swiftly with an e-mail governance policy and a central implementation mechanism. Without such a mechanism in place, these requirements create a tangled web of complicated transactions and increased risk.
Unlike HIPAA, however, Sarbanes-Oxley often creates a need for organizations to prevent end-user encryption of information, because encrypted information cannot be filtered for inappropriate content or trade secrets as it moves through the e-mail servers and onto the Internet. E-mails should be sent to the server as clear text, and only once the content has been cleared for release should it be encrypted according to the organization’s policies.
The need to enforce centralized content policies, as well as the need to provide detailed reports to audit committees, requires server-level control and administration. The servers should be flexible in terms of encryption technology in order to maximize the utility of e-mail, while at the same time the network should be defended from external attacks.
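As an added illustration, not part of the original article, the following Python models the gateway described above: mail reaches the server in clear text, is inspected against a central policy, and is then delivered, encrypted at the gateway, quarantined, or rejected if the sender pre-encrypted it, with every decision written to an audit record. The domain name, content patterns and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message

INTERNAL_DOMAIN = "example.com"  # assumed corporate domain
# Constructed markers: content that must never leave the network ...
BLOCK_PATTERNS = [re.compile(r"\btrade secret\b", re.I)]
# ... and content that may leave only after the gateway has encrypted it.
ENCRYPT_PATTERNS = [re.compile(r"\bearnings (forecast|guidance)\b", re.I),
                    re.compile(r"\bCONFIDENTIAL\b")]
AUDIT_LOG: list[dict] = []  # the record later shown to auditors

def is_end_user_encrypted(msg: Message) -> bool:
    """Client-side S/MIME or PGP hides the content from the server filter."""
    if msg.get_content_type() in ("multipart/encrypted", "application/pkcs7-mime"):
        return True
    body = b"" if msg.is_multipart() else (msg.get_payload(decode=True) or b"")
    return b"-----BEGIN PGP MESSAGE-----" in body

def classify(raw: str) -> dict:
    """Choose the gateway disposition for one outbound message and log it."""
    msg = message_from_string(raw)
    recipients = [r.strip().lower() for r in msg.get("To", "").split(",") if r.strip()]
    external = any(not r.endswith("@" + INTERNAL_DOMAIN) for r in recipients)
    body = "" if msg.is_multipart() else (msg.get_payload(decode=True) or b"").decode(errors="replace")
    matched = [p.pattern for p in BLOCK_PATTERNS + ENCRYPT_PATTERNS if p.search(body)]
    if is_end_user_encrypted(msg):
        action = "reject"        # the filter cannot inspect it; sender must resubmit in clear text
    elif not external:
        action = "deliver"       # stays inside the perimeter, no encryption needed
    elif any(p.search(body) for p in BLOCK_PATTERNS):
        action = "quarantine"    # must not leave the network at all
    elif matched:
        action = "encrypt"       # gateway encrypts, whether or not the sender remembered
    else:
        action = "deliver"
    record = {"from": msg.get("From"), "to": recipients, "action": action, "matched": matched}
    AUDIT_LOG.append(record)
    return record

SAMPLES = {  # constructed sample traffic, not real mail
    "forecast_out": "From: cfo@example.com\nTo: analyst@outside.org\n\nQ3 earnings forecast attached. CONFIDENTIAL.\n",
    "forecast_in": "From: cfo@example.com\nTo: controller@example.com\n\nQ3 earnings forecast attached.\n",
    "pgp_out": "From: cfo@example.com\nTo: analyst@outside.org\n\n-----BEGIN PGP MESSAGE-----\n(constructed ciphertext)\n-----END PGP MESSAGE-----\n",
    "leak_out": "From: intern@example.com\nTo: friend@outside.org\n\nHere is the trade secret formula.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} -> {classify(raw)['action']}")
```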
E-mail Security Issues for HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) came into effect on April 21, 2003. The act is designed to protect the confidentiality, integrity, and availability of Protected Health Information (PHI) for individuals. PHI is defined as any individually identifiable health information. Healthcare organizations that must comply with HIPAA regulations are known as Covered Entities (CEs). CEs include hospitals, insurance providers, employer health plans, physicians, business partners, and contractors working with healthcare providers.
The primary rule within HIPAA that affects e-mail is the Security Rule. Exposed PHI within e-mail is considered a risk that will surface during a HIPAA risk assessment. Covered Entities are required to perform a HIPAA risk assessment and then to adopt appropriate safeguards depending upon the outcome of the assessments they perform.
Healthcare organizations have reacted to the new rule in a variety of ways, and with varying degrees of effectiveness. The efficiency of e-mail offers an attractive means to transmit healthcare information from one organization to another; however, the need to secure each transmission of PHI has created complications, as secure e-mail solutions are new and not fully implemented at many sites that transmit and store PHI.
Many encryption technologies require the user to become familiar with the use of plug-ins and other specialized “client-side” encryption software. Encryption keys must be securely exchanged between partners, patients, providers, and other network members. More employees are involved in transmitting PHI over the Internet now than ever before. The increase in the number of employees transmitting PHI has caused administrative costs to rise, as the need to train employees in the proper use of encryption technologies also increases.