In recent years, Domino and other messaging systems administrators have turned to e-mail archiving products to deal with the massive amount of e-mail they must process. That effort has been further complicated -- for public companies at least -- by the onslaught of Sarbanes-Oxley Act (SOX) standards for corporate accountability. Increasingly, e-mail administrators are forced to track documents, e-mail, even instant messages, with an eye toward the day their data may be requested by investigators.
E-mail archiving products are key, but they are just one piece of the puzzle. Creating corporate policies that determine which e-mail to archive is also critical, said Denise Reier, vice president of messaging product marketing for the Legato Software division of EMC Corp., Hopkinton, Mass. "E-mail has been the smoking gun in many [corporate criminal investigations]," Reier noted.
But the value of e-mail can vary greatly. E-mail is used to negotiate contracts and discuss key corporate matters, but it is also used to set up lunch dates and to pass along jokes. Some companies retain every e-mail for the maximum period required by law, while others are fine-tuning their retention policies, organizing their e-mail into human resources, legal and other manageable categories. In all cases, an e-mail archive must be able to withstand scrutiny in a court of law as to whether it is accurate and complete.
Exacerbating the burdens caused by SOX is the fact that the Securities and Exchange Commission (SEC) now gives some organizations less than a week to respond to general inquiries. And since the courts know that technology is not a limitation, companies cannot use poor archiving practices as an excuse to gain an extension. Hence, the issue facing companies is no longer merely archiving e-mail, but being able to retrieve it as well. "If a company is slapped with a subpoena, and its e-mail records are in question, most of the costs it incurs will be on the discovery side," Reier said. "If a company is asked to produce all the e-mail records for 12 specific users, and all its e-mail [is] randomly put on backup tape, it may take millions of dollars to satisfy the court's request."
Legato's primary product for this area, EmailXtender, archives and retrieves e-mail and attachments for Lotus Domino and Microsoft Exchange messaging environments. But Reier says most of her company's focus is on the Domino space, because the largest messaging environments are Domino-based and because Domino installations are more heavily concentrated in regulated industries. Legato offers a software-only version as well as an out-of-the-box hardware/software package for companies just getting started.
Another option for archiving e-mail is a Web-based repository. For instance, last month IBM began offering a service that provides a Web-based repository for document and records management. Called IBM Flexible Hosting Solutions, Workplace for Business Controls and Reporting (WBCR) Service, the solution lets clients access IBM's WBCR application software quickly via the Internet. The service provides businesses with an alternative to building and running their technology infrastructure in-house.
IBM launched the WBCR Service to help capture the data needed to generate Sarbanes-Oxley reports, said IBM's Sabine Schilg, who directs, among other things, Workplace business transformation and software-as-a-service efforts. In addition to monitoring functions, the software helps analyze the key factors in a compliance effort. "It helps you do risk assessment," said Schilg, who noted that IBM Lotus offers e-mail archiving products as well.
Web-based access, Legato's Reier said, is viable for smaller organizations that want to limit their investment in IT staff as long as the outsourcing provider can guarantee that the client is in compliance. "Just because you're outsourcing the archiving doesn't mean you're outsourcing the liability," she said. "You need to ask your outsourcing vendor how they would accommodate a legal discovery request and what their turnaround time would be."
There are other demands involved in complying with Sarbanes-Oxley. Any SOX compliance initiative will also focus on internal control of processes that affect applications, and one of the primary processes that can affect an application's functionality and integrity is a design change. As a result, a SOX audit would likely scrutinize development change management processes and documentation.
According to software provider Teamstudio Inc., mainstream change management systems, though adequate for helping most development shops meet SOX compliance requirements, can fall short in a Notes development environment because they work at the file level. In Notes, most design changes that need to be documented occur at a finer level of granularity: the individual design element within a database.
The Beverly, Mass., software vendor offers a product, called Teamstudio CIAO, that allows for check-in and check-out functionality at the design element level. It provides detailed design element audit documentation, which can form the foundation for a comprehensive internal control system for Notes development environments.
When it comes to Notes, SOX creates an interesting paradox, said Mike Wetherbee, professional services manager for Teamstudio. "Auditors looking for compliance-related control on design changes and version control would normally seek out the audit trail in the production environment," he said. "But in Notes, version control is done in the development environment. Developers are the ones responsible for check in/out functionality. So a product that supports a Notes environment for checking in and checking out, like CIAO, would help administrators in their SOX compliance efforts."
Teamstudio's original focus was on Notes developers, but last year the company expanded its scope to Notes and Domino administrators by refocusing some of its products to help that class of customers address compliance issues. "Developers are usually focused on one database," said Wetherbee. "Administrators are responsible for a lot of databases. In a compliance situation, you want something you can audit multiple databases with. Previously, our tools could be run on multiple databases through some additional programming, but we wanted to make it easier for the administrator."
For instance, the company offers another product, Teamstudio Analyzer, that lets an administrator define preset filters that run over a database design and check for specific compliance issues, whether related to SOX or simply to company coding or design standards.
Another compliance issue is that SOX language can be highly open to interpretation. "Sarbanes-Oxley is evolving, and there's no end to the extent that it can be interpreted," said Sanjay Anand, executive vice president of CLA Solutions Assurance Systems, in Clifton, N.J., a consulting firm that performs SOX consulting, assessment and training. He is the editor of the book The Sarbanes-Oxley Guide for Finance and IT Professionals. "It is an act of legislation that's going to continue to evolve as it becomes more mainstream in the business world," he said.
As an example, he points to Section 409 of the SOX Act. Section 404 concerns internal control from a finance and business process standpoint; Section 409 calls for real-time disclosure of material events. But, Anand asked, "What is a material event? What is real-time reporting? Does real-time mean immediately? Does it mean Monday?" According to Anand, the short answer to those questions is "what is reasonable for that corporation," and the long answer is that it becomes "a conversation point between external auditors and internal auditors."
Ultimately, said Anand, SOX is essentially a best-business-practices regulation, but one that has created a cottage industry for the vendor community. The message of his book, he said, is that "eighty percent of the companies out there have 80% of the technology they need to be SOX-compliant. For many of them, the remaining 20% may simply need to upgrade their storage from RAID disks to SAN or WAN, or switch from spreadsheet to reporting facilities in their ERP system or simply integrate the necessary components." In fact, he said, integration, particularly in enterprise systems such as ERP, may be a bigger challenge than storage or tracking, because it affects financials in so many ways. When it comes to SOX compliance, he said, "The devil is in the details."
--With additional reporting by Jack Vaughan