Achieving Compliance with Email Archiving - Bapco Journal

Published: 17 August, 2005

By Dave Hunt, CEO, C2C Systems

One major reason for organisations looking to archive email is the increasing need to comply with regulations concerning its retention and recovery upon demand. A major objective of email archiving is to help to maintain email performance at times of ever-growing volumes, but an immediate priority for many organisations is to reduce risk associated with email, in these increasingly regulated times.

Compliance is driven by various governmental and industry regulatory demands. Legislation commonly calls for retention periods and may demand deletion after a certain term. The common requirement for many regulations is to record all emails relating to requisite subjects, departments or individuals, maintaining a secure and auditable copy of communications, this copy being inaccessible to the user but available for fast retrieval should it be required.

While regulatory compliance means different things to organisations in different industries, countries and sectors, there is a common theme: that of copying emails to a secure archive.

Translating regulatory requirements

It’s a myth that there are “compliant” solutions you can just buy off the shelf. It’s up to your organisation to translate the applicable regulatory requirements into processes and find out which IT solutions can help you reach your goals; only then can they be combined in a way to help you comply.

So, what regulations apply to your organisation? There may be hundreds of different and often conflicting requirements to be met already, and an expectation of more to come, for Europe at least. For example, employment regulations might require you to copy all emails from the HR department regarding employees onto a secure archive and keep them for 3 years - then delete them. Legislation at company level might require all of the Board’s email to be saved for longer.

Your internal policies might dictate an alternative approach for (say) your sales team - keep all their emails with 'quote' in the title or text for 90 days in a common team archive. If this is held on a fast retrieval storage medium for 3 months, then it may be appropriate to transfer the archive onto cheaper and slower longer-term storage before deleting after a year.

To meet regulatory requirements, the key is to find an archiving solution that is flexible to your needs, yet is built from the core to maintain e-mail integrity: it may prove insufficient to copy the email into another ‘compliance’ system as the messaging integrity could be broken. Regulations almost certainly require that any record (including e-mail), when retrieved, can be reproduced, viewed, and manipulated in the same manner as the original. When time comes for regulatory audits, you won’t want e-mails challenged for lack of authenticity.

Tracking and Searching

It’s also important to understand why back-up of email isn’t enough to meet regulatory requirements. Fast indexing and search for retrieval of email are inherent to true archiving solutions. When you need to track down email, you’ll no doubt need to search millions of messages and their contents in a restricted time-frame. Back-up just doesn’t allow for this – true archiving solutions are built for the writing away and retrieval of high volumes of email, maintaining full indexes and audit trails which would stand up in a court of law.

Another point to remember is that searching and retrieving messages within a prescribed time-frame is virtually impossible to do manually. When the requirement is to retrieve an email out of millions within (say) 48 hours, this does not mean “give the request to the IT department and they must present the data within 48 hours”. It almost certainly means “your company has 48 hours in which to present the data”, so you need to get the data to the lawyer, who probably needs to set it out in the context of the case and present that within 48 hours. Realistically, the IT department probably needs to find the data within an hour! This implies the need for a fully flexible, well-managed system.

What about storage?

Compliance indisputably means storing more email. The key for the storage manager is to do this within available resources: to work out how the need to save and manage more and more email can be fitted in with the storage infrastructure and strategy already undertaken - and do so without blowing the budget on these often unforeseen storage expenses.

The obvious approach is to make the most of the storage infrastructure you have by ensuring the appropriate email can be archived to the most appropriate media for optimal cost and accessibility.

Integration

It’s important to integrate the archival process with the storage management software or direct storage media that you have in place. Archiving is a process; it's no good setting up the archiving solution and then discovering it doesn't work with the storage software you already have. It is also essential not to waste space – compress email so you make the most of the storage capacity that you have, not only in the archive but on the email servers too.

Follow these guidelines when you're looking for a solution, and you'll find that you don't have to abandon good common sense, and that the worlds of storage and email archiving for compliance really don't have to be a million miles apart.
