POSTINI ARCHIVE MANAGER
An Effective Approach to Electronic Message Archiving
Postini White Paper

Executive Summary

Email dominates business communications today, and government and regulatory agencies have been quick to recognize its importance as a category of business records and take steps to safeguard its content and regulate its use. Yet business organizations have been slower to recognize both the value of electronic communications as an information asset and the substantial risks posed by poor management and protection.

This paper explains the importance of archiving electronic communications such as email and instant messaging (IM) and describes how an organization’s Legal, Human Resources (HR) and Information Technology (IT) departments can work together to create, uphold, and maintain electronic record retention best practices. The paper explains why organizations must carefully evaluate in-house and managed service archiving solution options. The paper concludes by explaining why Postini is uniquely fitted to serve as your company’s electronic communications record retention arm, introducing key benefits of the Postini Archive Manager managed service.

• Human Resources personnel who need to archive personnel records such as employment applications and history, resumes and company records as well as providing oversight to the enforcement of internal use policies

Why You Need to Archive Email and IM

As email has grown into the preferred method of business communications, email servers and inboxes have become the de-facto means of information storage within organizations. However, unlike database systems, email systems do not have sophisticated capabilities for long-term storage or rapid retrieval.

In most organizations, email “storage management” doesn’t extend much beyond basic server tape backup and restore for limited time periods. When old files must be found, retrieving the data consists of time-consuming, offline hunt-and-peck searches through multiple backup tapes. With long-term email retrieval so painful, it’s no wonder employees keep months or even years’ worth of important emails on their PC hard drives or in their server inboxes until hounded to clean out their allotted storage space. The result is terabytes of duplicate, scattered, isolated or virtually irretrievable but valuable company information.

But things are beginning to change. Three main factors are driving the adoption of effective, efficient email and IM archival and retrieval:

• Regulatory compliance
• Legal readiness for e-discovery
• Records retention for business continuance

Regulatory Compliance

Government agencies and industry watchdogs such as the Securities and Exchange Commission (SEC) have developed strict regulations governing the treatment, storage and retrieval of electronic communications. These regulatory bodies can and do impose substantial penalties if organizations cannot demonstrate compliance during an audit. In one sobering example, the SEC pursued a major financial institution, J.P. Morgan, for its illegal manipulation of financial records and lack of supporting documents.[2] J.P. Morgan was fined for non-compliance with Section 308 of the Sarbanes-Oxley Act of 2002 and was ordered to pay $135 million in disgorgement, penalty and interest.

As the respected telecommunications market research firm The Radicati Group notes, “For many companies today, compliance is no longer a choice, but rather an unavoidable responsibility. If a company is not retaining and managing its electronic records promptly, its top executives can be put behind bars for up to 10 years.”[3]

Table 1: Summary of Major U.S. Regulations Governing Corporate Records: 12 E-mail Archiving Rules

| Affected Industry | Rules | Basic Requirements |
|---|---|---|
| All | Sarbanes-Oxley Act of 2002 | All records, including e-mails and other electronic records, must be kept for at least five years. |
| All | Fair Labor Standards Act, National Labor Relations Act | Certain HR records must be kept for three years. |
| All | Employee Retirement Income Security Act of 1974 | Any correspondence, inquiries or notes relating to individual eligibility determinations must be retained indefinitely. Wage and hour records for the purpose of determining retirement benefits must be kept indefinitely or six years following the date of lump sum distribution. |
| All | Americans with Disabilities Act | Personnel records of employees who are involuntarily terminated must be saved for one year from the date of termination. |
| All | Occupational Safety and Health Act | Records of legally required medical examinations must be retained for the duration of employment plus 30 years. |
| All | Title VII of the Civil Rights Act of 1964 | Personnel records concerning any discrimination charge brought by any agency or individual must be stored until final disposition. |
| Accounting Firms | Sarbanes-Oxley Act of 2002 | All audit-related documentation must be retained for five years following the end of the fiscal period during which the audit or review was finalized. |
| Accounting Firms | SEC 17 CFR Part 210 | Workpapers and other documents related to audits of financial statements must be retained for seven years. |
| Healthcare | HIPAA | A variety of e-mails and documents including contracts with business associates, documents related to policies and procedures, communications from patients who want to modify the information held by a healthcare provider, authorizations and consumer complaints must be kept for six years. |
| Healthcare | Medicare Conditions of Participation | Hospitals must retain medical records for five years. Rural health clinics must maintain medical records for six years. |
| Brokerage | SEC Rule 17a-3 and 17a-4 | Some business records must be kept for at least three years, the first two years in an accessible place, including memos, e-mails and other correspondence. |
| Brokerage | NASD 3110 | Enforces SEC Rule 17a-3 and 17a-4 |
| Brokerage | NASD 2860(b)(17) | A central log, index or other file must be kept for all options-related complaints, through which these complaints can easily be identified and retrieved. |

Legal Readiness for e-Discovery

In the course of any company’s lifespan, disagreements, disputes, and even lawsuits are going to arise with customers, employees, ex-employees, vendors, or stockholders. Regardless of who instigates the action, both parties are required to provide evidence proving their claims, and increasingly that body of evidence is found in external and internal email trails collected or obtained by either side. Last year, the federal judiciary distributed guidelines governing “e-discovery,” the exchange of electronic information in litigation proceedings.
In response, the American Bar Association e-Discovery Task Force has warned lawyers that databases, networks, computer systems, servers, archives, backup and disaster recovery systems, laptops, personal digital assistants, mobile phones and pagers can all be considered possible e-discovery sources.

Companies must be prepared to produce email records that either back their arguments or refute the opposing side’s arguments. Since email messages can be doctored, companies must also be prepared to verify the integrity of their email files and retrieval process or risk the chance they will be deemed inadmissible evidence in court proceedings. Companies must also be able to provide evidence if they contend that their opponents tampered with email content.

Digging through records stored in PC hard drives, email servers and backup tapes to produce the needed evidence can take considerable time and effort, whether performed by in-house staff or by expensive third-party document retrieval experts.

Records Retention for Business Continuance

Because of its constant, pervasive use, much of an organization’s body of knowledge, historical record, and intellectual property reside in email message stores, and to a lesser extent, on employee computers.

An extended email system failure can seriously impact the operation of any organization, and companies must develop and implement programs and procedures to proactively guard against the risks due to a catastrophic loss or system failure. An efficient system for offsite electronic communications archive and retrieval can effectively counteract these risks.

Best Practices for Electronic Communications Archiving

Once executive management understands the importance of archiving electronic communications and is ready to support and fund any mandates, three key functional business units (Legal, HR, and IT) need to work together to design and implement a system that meets compliance, e-discovery preparedness and business continuance needs.

• It is the Legal department’s responsibility to draft policies for record archival based on compliance regulations and federal and state laws, and to define search and discovery policies and procedures in the event of an audit or lawsuit. Legal should also schedule periodic internal audits to ensure policies are being adhered to and compliance obligations are being met.
• It is the HR department’s responsibility to assist Legal in developing record retention policies and enforcing them. HR also needs to educate employees on the importance of comprehensive record retention and the liabilities associated with failure to comply. Finally, HR should provide clear instructions for carrying out company-wide record retention policies.
• It is the IT department’s responsibility to set up an infrastructure that will support its organization’s electronic communications retention policies. IT also needs to ensure that the system is protected with granular security controls and authentication procedures to meet compliance, e-discovery and best practices standards.

What to Look for in an Email and IM Archiving Solution

Developing a really effective electronic communication archival system is beyond the abilities of most mid-sized organizations. Why? Consider the critical components.

Scalability

For sheer volume, it’s hard to think of anything that beats email generation. Based on years of experience, Postini estimates that an organization of 500 email users typically generates an average of 50 sent and received messages per user, per day, approximately 25,000 messages daily. It’s easy to see why an archival system must be able to store vast amounts of data for extended periods of time. Incoming, outgoing and internal email and IM messages plus indexes and attachments all must be captured and stored. Since spam now comprises up to 88 percent of email messages in the U.S., the system must be able to quickly and accurately siphon out junk mail before the data is archived to limit the significant storage costs.

Security

To meet strict legal evidence handling and industry watchdog regulations, an archival system must build in rock-solid defenses against tampering and access by unauthorized users. Audit and surveillance mechanisms that document access request and retrieval activity must also be in place to safeguard or authenticate the integrity of the entire system.

Powerful Search Engine

The key capability of an archival system is its ability to retrieve specific threads of information rapidly and accurately. Email messages must be thoroughly indexed by date, recipient, sender, subject line, and content so users can quickly and efficiently search for the information they need.

Flexible, Accurate Archiving

The archive system must be able to support Legal and HR archive policies that can vary with the nature of the information and by the functional group. Policy compliance should not be left to individual discretion, so the archival system must be run automatically and be enforced at the system level. In addition, search capabilities must be flexible enough so authorized users can search stored data based on key words, subject, date, and industry-standard fields.

High Availability

Given the business-critical nature of electronic communications, the archival system must be able to continue to operate uninterrupted during an email system failure. This capability requires a highly redundant, distributed infrastructure that is far too costly for organizations to create and maintain.

Affordability

To implement an archival system, companies must consider the total cost of ownership: upfront implementation costs as well as ongoing support and maintenance costs. An average project can run hundreds of thousands, if not millions of dollars, depending on the robustness of the archival system. A typical in-house archiving implementation can run upwards of $100,000 for a 100-user license server. This amount does not include professional services and maintenance costs, both of which can drastically increase the total cost of ownership.

Postini’s Managed Service Approach

Postini is a recognized global leader in integrated message management, with six and a half years of experience in the industry. Postini products have consistently won awards from leading research firms and publications such as Frost & Sullivan, PC Magazine and NetworkWorld. Founded in 1999, Postini protects and manages electronic communications for more than 35,000 businesses worldwide.

[Figure 1: Postini Archive Manager Service Architecture]

Postini understands the growing regulation compliance, e-discovery and business continuity challenges organizations face and has developed a powerful yet cost-effective managed service for archiving electronic communications. Postini Archive Manager is the latest component of the Postini Integrated Message Management Service Architecture.

With this new service, Postini is delivering on its promise to provide a complete solution within its Integrated Message Management system. The company has already demonstrated proven performance in spam and virus blocking and email system continuance support during disasters or outages, so it’s a natural progression to extend infrastructure, expertise, and capabilities to support electronic message archiving.

How Postini Archive Manager Works

Building on established technology, Postini’s multi-layer virus and spam filtering engines filter inbound email; filtering significantly reduces the message bulk for faster search and discovery.
Postini Archive Manager also captures outbound and intradomain (journaled) email messages, as shown in Figure 1.

Inbound Email

Before reaching a customer’s network, all inbound messages pass through Postini’s Sender Behavior Analysis and Security Suite. This multilayer virus and spam filtering technology isolates and disposes of unwanted and malicious content according to customer preferences. The software suite then analyzes valid messages for content and attachment rules and notifies the customer’s IT staff of any violations. Valid email and attachments are analyzed using specific content and attachment policies, and the scrubbed email is indexed and stored in the Postini archive.

Outbound Email

As messages flow out from a customer’s network, Postini’s Outbound service scans them for viruses, content and attachment policies. Postini Archive Manager then copies the messages that were delivered, indexes them, and stores them in the archive.

Intradomain Email

Postini Archive Manager can also capture and index all intradomain email messages, messages that users send within the company that never leave the corporate network. The IT staff simply sets up the journaling option on their email servers, which creates a copy of all intradomain messages and automatically forwards the journaled messages to their Postini data archive.

Storage

The Postini Archive Manager captures incoming, outgoing, and intradomain email messages, IM sessions, and attachments, and archives them in redundant, immutable (unchangeable) data storage facilities. As these messages flow into the archive, Archive Manager applies comprehensive content indexing to enable simple, dynamic searching and data export. Business-critical data is protected with WORM (write once, read many) technology to ensure that files cannot be rewritten or erased during the retention period. Customers can select data retention periods in accordance with specific regulations or internal policies. Archive Manager automatically deletes messages at the end of the month in which their retention period expires. However, in the event that customers need to retain messages after their expiration date, they can easily apply a records hold to temporarily prevent deletion of the data.

Discovery

Postini Archive Manager has flexible authorization and access options at both the user and group levels. Customers can specify which users are authorized to perform search and discovery tasks and which users can make modifications to the Archive Manager parameters.

Authorized users have access to powerful search options that support industry-standard search fields and wildcard options. They can retrieve messages based on a date range, sender, recipients, subject, or content in both the message body and in all attachments. Authorized users can also export all retrieved messages or just a subset of retrieved messages to an industry-standard mailbox format.

To make data retrieval even easier, authorized users can take advantage of advanced search features such as the ability to find similar messages or display all exchanged communications. Users can also choose to resend messages, if necessary, for auditing or other purposes.

Reporting

IT staff can examine their organization’s message storage environment, monitoring user access and records usage, and creating detailed reports that list archive size, age of messages, pending deletions, and other metrics. These valuable reports not only assist IT staff in managing electronic communications storage, they can also prove to be critical in demonstrating compliance for policy audits and reviews.

Advantages of Postini’s Managed Service Approach to Archiving

As a managed service, Postini Archive Manager offers several advantages over in-house solutions in meeting critical requirements for an effective electronic communication archival system.
The archive service can be quickly deployed by Postini customers using a simple service activation option. There is no additional hardware or software to install or configure, and no staff or user training required.

Secure and Private Storage

Postini understands that the security and privacy of sensitive corporate information is of paramount concern to its customers. Advanced WORM archiving technology preserves data in an immutable (non-rewritable, non-erasable) format. Once messages are sent, they cannot be altered at any point in the process.

WORM technology also continues to verify the quality of the data once it has been archived. Because all storage media has a shelf life, software probes continuously check to see if disk drives are operating properly and stored data is intact. The technology also serializes the original archival data and any duplicates of the data with time-date stamps. Once the original archive date is recorded, data life spans can be set to prevent data from being erased before its time limit. The system also logs each search and access message request, so IT staff can track archived data access requests. To ensure privacy, access controls are only set by Postini engineers at the Postini data center at the specific request of authorized, authenticated company employees.

Powerful Indexing, Management and Search Tools

Because the key capability of an archival system is its ability to retrieve specific threads of information rapidly and accurately, Postini invested much time and effort developing powerful yet easy to use data search and retrieval capabilities. Authorized employees and/or agency personnel can search through archived records rapidly and efficiently. With Postini Archive Manager, all email and IM can be indexed, archived, and retrieved based on email content or by specific accounts or users. Messages and attachments are indexed by date, range, sender, recipient, subject, content, and metadata, which is essential to forensic discovery. Authorized users can review message content and find messages with related subject content, or part of a particular thread, even if spun off to a series of different recipients from the original message. These features significantly enhance the ability to discover patterns of behavior and identities of all involved parties. Needed data is exported in MBOX format, an industry-standard file format that is easily imported into any email system, or database, word processing or spreadsheet application.

Flexible Archiving

Postini Archive Manager service works with all existing message and storage systems, so there is no need to devote time and effort integrating yet another system. Companies can choose any combination of email and IM capture: inbound mail, inbound and outbound mail, outbound mail, or inbound, outbound, and intra-domain mail. Additional options allow IT staff to capture email and IM from only selected organizations or individuals.

Disaster-Proof System

Postini has built a highly redundant and available email archive system. To guard against any single point of failure, all archived electronic communications are archived and mirrored on RAID-protected disks in one Postini data center and then replicated at two separate remotely located data centers. Archiving occurs during in-stream message processing, so there is no delay in message storage and no potential for loss. Messages are indexed and archived for immediate search access.

Affordable Solution

With Postini’s managed service, there is no need to purchase additional storage hardware or software to create the system, or devote additional IT resources and equipment budget to continually maintain, upgrade, and expand the archival system components.
Postini takes care of it all for a predictable monthly fee based on users, not data volume, and offers flexible payment options. And since Postini removes all unwanted mail first before archiving, customers don’t waste time and money sorting through worthless email records.

Conclusion

Increasing regulatory compliance, e-discovery legal readiness, and business continuance concerns are forcing organizations to seriously evaluate their outdated records retention storage processes. Organizations are then faced with selecting an effective, efficient email and IM archival and retrieval solution among the many in-house and outsourcing options available to them.

As one of the most respected names in the email and IM security arena, Postini brings considerable skills and expertise to creating an efficient, cost-effective message archive and retrieval solution. Its service offering, the Postini Archive Manager, helps companies offload the significant burdens associated with creating, maintaining, and managing an in-house email and IM archival system. The managed service replaces additional staffing and training needs with an experienced, highly focused staff trained on best-practice processes created by experts in the field. It replaces potentially escalating capital and capacity planning costs with a predictable monthly operation expense. It replaces continual work interruptions with better in-house manpower utilization and reduced management complexity.

But don’t just take our word for it. To find out more about Postini’s managed service offerings, sign up for a webinar or arrange for a free product demonstration, visit the Postini web site at www.postini.com.

About Postini

Postini is the global leader in Integrated Message Management, providing security, compliance, availability, and visibility solutions for corporate email and instant messaging systems. Postini’s messaging services are designed to protect businesses from a wide range of IM and email threats, address regulatory compliance requirements, and enable the management and enforcement of enterprise policies. Protecting electronic communications for more than 35,000 businesses worldwide, Postini provides comprehensive, flexible, and trusted managed services for message security and management.

Corporate Headquarters
San Carlos, California USA
Toll-free 1-866-767-8461
Email firstname.lastname@example.org
Web Site www.postini.com

EMEA Headquarters
London, UK
Tel +44 (0)207 082 2000
Email email@example.com

References:
1. U.S. Securities and Exchange Commission, June 2003, SEC Settles Enforcement Proceedings against J.P. Morgan Chase and Citigroup.
2. Postini web site, www.Postini.com

Copyright 2006 Postini, Inc. All rights reserved. WP37-01-0512
Postini, the Postini logo and Postini Perimeter Manager are registered trademarks or service marks of Postini, Inc. preEMPT is a trademark of Postini, Inc. All other trademarks listed in this document are the property of their respective owners.