Email Archiving and Encryption Can Be Key Compliance Tools, Experts Stress
FDA-regulated firms must get a handle on their email communications to bolster their compliance efforts, experts tell PIR.
“Email is great, but it can be a sieve for intellectual property (IP) and other” e-data to leave your company, said Andres Kohn, vice president at Proofpoint. But controlling email with encryption presents some knotty challenges, he acknowledged. Among those: huge inbound and outbound message storing requirements, ease of use and finding a tool that does not slow down message delivery.
Failing to get a handle on email communications is not an option for most companies. In addition to state and federal requirements that companies protect private customer data, it simply makes good business sense, Kohn said. It also represents an important component of a company’s IP, he added at a recent company webinar.
But even a good encryption program should only be viewed as part of a broader messaging security program, Kohn stressed. Defining and managing your internal policies is a critical, and ongoing, challenge.
That’s one of the reasons it is important to have an email encryption tool that has strong auditing and reporting capabilities, Kohn said. Having that capability helps companies see how their systems are actually being used each day and to spot current or potential problem areas. For example, a good reporting system might show that a certain policy is already out-of-date, or that a root cause for a problem requires an immediate computer patch fix.
The sheer volume of incoming and outgoing emails is daunting for many firms. Many companies handle the issue with email archiving. In a dispersed email archiving solution, the company’s email servers are located in remote spots across a given region, explains a new white paper by Maurene Caplan Grey, founder of Grey Consulting.
“In most cases the archive servers should be placed with the email servers,” Grey said. For example, a company with email servers in New York, Florida, California, the UK and France could potentially place local archiving systems in those same locations, Grey said. “This does not mean, however, the archive in each location is separate,” Grey added.
Grey advised tying archiving servers together to enable global searches and retrievals without having to search each different archiving system. “A dispersed archive is more than adequate to ensure a company has an enterprise-wide email archiving solution,” Grey added.
A centralized email archive usually goes “hand-in-hand” with a centralized email infrastructure in which all the email servers are in a single location, Grey said. “There is really no incorrect way, and a company looking for an email archiving solution should make sure the vendor it is working with understands the kind of system the customer wants,” Grey added.
When an email arrives at the email server in a standard setup, it will be copied to the archiving server after a predetermined period, Grey explained. After the email and any attachments are copied to the archive server, the original email message and any attachments are then deleted from the server and replaced with a “pointer” or stub pointing to its new location in the archive.
Under this standard setup, the pointer will look much like the original email message listing in the email sender, so email recipients usually will not notice a difference, Grey said. “End-users can still click on that pointer and view the email and attachments,” Grey added.
As the email and attachments arrive at the archive server, the email, and optionally the attachments, are indexed. “This helps in search and retrieval in the future,” Grey noted.
— Michael Causey