E-mail Security Governance: E-mail Encryption and Authentication as a Business Enabler

Written by CipherTrust

How to Easily Secure Your E-mail System and Comply with HIPAA, Sarbanes-Oxley, and GLBA Regulations

While recent government regulations vary in scope and purpose, the need to protect information and ensure its integrity is universal. Much of the information germane to business today is assimilated and communicated over messaging platforms such as e-mail. As a result, the need for a comprehensive approach to the secure delivery of e-mail affects almost all organizations, regardless of industry or size. As with many management challenges, the unknown is the most significant cause for concern. In the case of e-mail and messaging security, the most ominous threat is often the inability to measure the information flowing in and out of the corporate e-mail network.

E-mail has traditionally been sent “in the clear,” meaning that e-mail headers and contents have been readily accessible to anyone with the ability to monitor network traffic. Historically, encryption technologies have been sufficiently difficult to implement that many businesses chose to sacrifice security in the name of user-friendliness for an application as mission-critical as e-mail. For example, some encryption and authentication technologies require ubiquitous adoption by every entity attempting to communicate, and few have ever agreed on which technologies are best or most efficient. Many businesses, committees and users have been attempting to standardize such use for well over a decade.

Over the last few years, however, regulations have been enacted that require the business and technology communities to develop and implement secure e-mail solutions. Easy-to-use encryption and authentication are now readily available. The new challenge for the enterprise is to determine where and how to implement these solutions to ensure compliance with the new regulations. Understanding how each regulation affects e-mail security and delivery is important to understanding the pressures all IT managers will be under in the months and years to come.

E-mail Security Issues for Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 took effect in June of 2004 and requires CEOs, CFOs, independent auditors and audit committees to certify the accuracy, confidentiality, privacy and integrity of financial statements -- and the effectiveness of internal controls and procedures for financial reporting and disclosures. The most relevant sections of Sarbanes-Oxley to e-mail security are sections 404 and 802.

  • Section 404 deals with internal controls, and requires organizations to implement controls over the release of information to individuals or organizations outside the company’s network.
  • Section 802 addresses records management, and how long and in what manner documents (including e-mail) should be retained.

Sarbanes-Oxley does not detail specific steps organizations should take to comply with these regulations. Rather, it requires companies to implement programs that ensure the secure flow of information, and then to be able to document the successes and deficiencies of those programs. Some programs are commonly used as a basis for implementation.

Corporations and business partners of companies affected by Sarbanes-Oxley are required to ensure that sensitive information remains secure. As with HIPAA solutions, “insider information” should not be accessible outside the perimeter of a company’s network. Encryption policies should be enforced whether or not a busy executive remembers to encrypt a message. Rogue employees should not be capable of transmitting sensitive financial information outside the network. Detailed reports should be available to auditors showing how the system has protected the network and archived relevant communications. All of this can be handled swiftly with an e-mail governance policy and a central implementation mechanism. Without such a mechanism in place, these requirements create a tangled web of complicated transactions and increased risk.

Unlike HIPAA, however, Sarbanes-Oxley often creates a need for organizations to prevent end-user encryption of information, because encrypted information cannot be filtered for inappropriate content or trade secrets as it moves through the e-mail servers and onto the Internet. E-mails should be sent to the server as clear text, and only once the content has been cleared for release should it be encrypted according to the organization’s policies.

The need to enforce centralized content policies, as well as the need to provide detailed reports to audit committees, requires server-level control and administration. The servers should be flexible in terms of encryption technology in order to maximize the utility of e-mail, while at the same time the network should be defended from external attacks.
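The server-side flow described in this section (messages reach the gateway in clear text, the gateway inspects them against central policy, and only content cleared for release is encrypted or delivered, with a record of each decision for auditors) can be sketched as a small outbound policy engine. The following is an added illustration, not CipherTrust's or the article's code; the sensitive-content patterns, the `example.com` corporate domain, the `partner.example.net` encryption partner and the sample messages are all constructed for this example.

```python
"""Minimal outbound e-mail policy gateway (added example, not the article's code).

Models the flow the article describes: a message arrives at the gateway in
clear text, the gateway scans it against a central policy, and the result is
one of "deliver", "encrypt" (to a partner with a managed encrypted channel)
or "block". A client-encrypted message is blocked because it cannot be
inspected. Every decision is appended to an audit log.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses


@dataclass
class Decision:
    action: str   # "deliver", "encrypt" or "block"
    reason: str


# Constructed policy: patterns that mark content as sensitive.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "financial": re.compile(r"\b(?:pre-release earnings|insider)\b", re.IGNORECASE),
    "phi": re.compile(r"\b(?:diagnosis|patient id)\b", re.IGNORECASE),
}
INTERNAL_DOMAIN = "example.com"                 # assumed corporate domain
ENCRYPTION_PARTNERS = {"partner.example.net"}   # assumed partners with a managed encrypted channel


def recipient_domains(msg):
    """Return the set of recipient domains from To and Cc headers."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.rsplit("@", 1)[-1].lower() for _, addr in addrs if "@" in addr}


def body_text(msg):
    """Collect the text/plain content of a parsed message as a string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(b.decode("utf-8", "replace") for b in parts if b)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def find_sensitive(text):
    """Names of the policy patterns that match the given text, sorted."""
    return sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text))


def evaluate(msg):
    """Apply the central policy to one parsed message."""
    # End-user encryption defeats content inspection, so the gateway refuses it.
    if msg.get_content_type() in ("application/pkcs7-mime", "multipart/encrypted"):
        return Decision("block", "client-side encryption prevents content inspection"), []
    external = {d for d in recipient_domains(msg) if d != INTERNAL_DOMAIN}
    hits = find_sensitive(msg.get("Subject", "") + "\n" + body_text(msg))
    if not external:
        return Decision("deliver", "internal recipients only"), hits
    if not hits:
        return Decision("deliver", "no sensitive content detected"), hits
    if external <= ENCRYPTION_PARTNERS:
        return Decision("encrypt", "sensitive content to encryption partner"), hits
    return Decision("block", "sensitive content to unmanaged external domain"), hits


def process(raw, audit_log):
    """Parse a raw RFC 822 message, decide, and record the decision."""
    msg = message_from_string(raw)
    decision, hits = evaluate(msg)
    audit_log.append({
        "message_id": msg.get("Message-ID", "<missing>"),
        "from": msg.get("From", ""),
        "recipients": sorted(recipient_domains(msg)),
        "action": decision.action,
        "reason": decision.reason,
        "matched": hits,
    })
    return decision.action


# Constructed sample traffic, one message per policy outcome.
SAMPLE_MESSAGES = [
    "From: cfo@example.com\nTo: controller@example.com\nSubject: Lunch\n"
    "Message-ID: <1@example.com>\n\nSee you at noon.\n",
    "From: cfo@example.com\nTo: auditor@partner.example.net\nSubject: Q3 numbers\n"
    "Message-ID: <2@example.com>\n\nAttached are the pre-release earnings figures.\n",
    "From: nurse@example.com\nTo: friend@webmail.example.org\nSubject: fyi\n"
    "Message-ID: <3@example.com>\n\nPatient ID 4471, diagnosis pending. SSN 123-45-6789.\n",
    "From: trader@example.com\nTo: broker@partner.example.net\n"
    "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
    "Message-ID: <4@example.com>\n\nMIAGCSqGSIb3DQEHA6CAMIACAQAxggE=\n",
]


def run_samples():
    """Run the constructed messages through the gateway; return actions and audit log."""
    audit_log = []
    actions = [process(raw, audit_log) for raw in SAMPLE_MESSAGES]
    return actions, audit_log


if __name__ == "__main__":
    for entry in run_samples()[1]:
        print(entry)
```

The fourth sample shows the point made about Sarbanes-Oxley above: a message that a user encrypted at the client is opaque to the gateway, so the policy refuses it rather than pass content it could not inspect. The audit log entries are what a report to an audit committee would be built from.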

E-mail Security Issues for HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) came into effect on April 21, 2003. The act is designed to protect the confidentiality, integrity, and availability of Protected Health Information (PHI) for individuals. PHI is defined as information that includes any individually identifiable health information. Healthcare organizations that must comply with HIPAA regulations are known as Covered Entities (CEs). CEs include hospitals, insurance providers, employer health plans, physicians, business partners, and contractors working with healthcare providers.

The primary rule within HIPAA that affects e-mail is the Security Rule. Exposed PHI within e-mail is considered a risk that will surface during a HIPAA risk assessment. Covered Entities are required to perform a HIPAA risk assessment and then to adopt appropriate safeguards depending upon the outcome of the assessments they perform.

Healthcare organizations have reacted to the new rule in a variety of ways, and with varying degrees of effectiveness. The efficiency of e-mail offers an attractive means to transmit healthcare information from one organization to another; however, the need to secure each transmission of PHI has created complications, as secure e-mail solutions are new and not fully implemented at many sites that transmit and store PHI.

Many encryption technologies require the user to become familiar with the use of plug-ins and other specialized “client-side” encryption software. Encryption keys must be securely exchanged between partners, patients, providers, and other network members. More employees are involved in transmitting PHI over the Internet now than ever before. The increase in the number of employees transmitting PHI has caused administrative costs to rise, as the need to train employees in the proper use of encryption technologies also increases.

How Sarbanes-Oxley Affects Corporate Email Systems

Written by CipherTrust

The Sarbanes-Oxley Act of 2002 and associated rules adopted by the Securities and Exchange Commission (SEC) require certain businesses to report on the effectiveness of their internal controls over financial reporting. Effective internal controls ensure information integrity by mandating the confidentiality, privacy, availability, controlled access, monitoring and reporting of corporate or customer financial information. Companies that must comply with Sarbanes-Oxley include U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. U.S. companies with market cap greater than $75M and on an accelerated (2004) filing deadline are required to comply for fiscal years ending on or after Nov. 15, 2004. All others are required to comply for fiscal years ending on or after April 15, 2005.

The role of email in Sarbanes-Oxley compliance cannot be overstated. At a high level, email is the primary internal and external communication tool for corporations. However, a more granular inspection of email’s role, especially as pertaining to corporate information security, reveals that it can make or break a company’s efforts to comply with Sarbanes-Oxley. Email systems are critical to ensuring effective internal control over financial reporting, encryption of external messages and active policy enforcement, all essential elements of compliance.

Complying with Sarbanes-Oxley

The changes required to ensure Sarbanes-Oxley compliance reach across nearly all areas of a corporation. In fact, Gartner Research went so far as to call the Act “the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression.” Since the bulk of information in most companies is created, stored, transmitted and maintained electronically, one could logically conclude that IT shoulders a lion’s share of the responsibility for Sarbanes-Oxley compliance. Enterprise IT departments are responsible for ensuring that sound practices, including corporate-wide information security policies and enforced implementation of those policies, are in place for employees at all levels. Information security policies should govern:

  • Network security
  • Access controls
  • Authentication
  • Encryption
  • Logging
  • Monitoring and alerting
  • Pre-planning coordinated incident response
  • Forensics

These components enable information integrity and data retention, while enabling IT audits and business continuity.

In order to comply with Sarbanes-Oxley, companies must be able to show conclusively that:

  • They have reviewed quarterly & annual financial reports;
  • The information is complete and accurate;
  • Effective disclosure controls and procedures are in place and maintained to ensure that material information about the company is made known to them.

Sarbanes-Oxley Section 404

This section regulates enforcement of internal controls. Management must show that it has established an effective internal control structure and procedures for accurate and complete financial reporting. In addition, the company must produce documented evidence of an annual assessment of the internal control structure’s effectiveness, validated by a registered public accounting firm. By instituting effective email controls, organizations are not only ensuring compliance with Sarbanes-Oxley Section 404; they are also taking a giant step in the right direction with regards to overall email security.

Effective Email Controls

Email has evolved into a business-critical application unlike any other. Unfortunately, it is also one of the most exposed areas of a technology infrastructure. Enterprises must install a solution that actively enforces policy, stops offending mail both inbound and outbound and halts threats before internal controls are compromised, as opposed to passively noting violations as they occur.

An effective email security solution must address all aspects of controlling access to electronically stored company financial information. This includes access during transport as well as access to static information resident at the company or on a remote site or machine. Given the wide functionality of email, as well as the broad spectrum of threats that face email systems, ensuring appropriate information access control for all of these points requires:

  • A capable policy enforcement mechanism to set rules in accordance with each company’s systems of internal controls;
  • Encryption capabilities to ensure privacy and confidentiality through secure and authenticated transport and delivery of email messages;
  • Secure remote access to enable remote access for authorized users while preventing access from unauthorized users;
  • Anti-spam and anti-phishing technology to prevent malicious code from entering a machine and to prevent private information from being provided to unauthorized parties.

ImproveHomeLife.com © 2005