Demystifying Regulatory Compliance with GroupWise
Greg M. Smith, Director of Technical Services, Messaging Architects (greg.smith@gwtools.com)
Gregg Hinchman (www.HinchmanConsulting.com)
© February 9, 2004 Novell Inc.2
Messaging Architects – Quick Intro…
For over 8 years, a leading developer of innovative application products that help Enhance, Secure, and Accelerate GroupWise®.
World class development and engineering resources dedicated to Messaging & Collaboration.
A Trusted Advisor that can assist with planning, deploying, managing and supporting mission-critical Email systems & applications.
Agenda
Overview
Data Retention Necessities
GroupWise Archive Architecture
Deploying GroupWise Archives
Solutions from the Trenches
Some Sobering Facts…
Storage: The average user will attempt to retain/store 500 MB of messages this year
Volume: IDC projects 33 billion messages per day (MPD) in 2005, up from the current 23 billion
Cost: The White House spent $10M to recover 246K messages from 4,900 backup tapes
Some Sobering Facts...
Knowledge: IDC reports that 60% of business-critical information is stored in email systems.
Access: 80% of archived data is not accessible in a timely or cost-effective manner, impacting the organization's performance and productivity.
Backups: Restoration from tape is not always a certainty; information is often lost or requires substantial effort to recover.
Driving Factors
Storage Management Concerns
Regulatory Compliance
Legal Litigation
Why to Manage Data
Typical Solutions
Delete Everything: 29%
Save Everything: 21%
Don't Know: 42%
Other: 8%
Typical Solutions
Delete Everything
• May contravene existing health & employment legislation
Retain Everything
• Ensures compliance with unknown requirements
• Increases storage and unnecessary liability
Don't Know
• Why some of you are here
Existing Legislation
Driving Factors
HR & Employment Records: Employment Act, National Labor Relations Act, Fair Labor Standards Act, Americans with Disabilities Act, Civil Rights Act of 1964
Organizations must maintain strict process separation or retain electronic documents
Health & Safety: Occupational Health & Safety Act, Toxic Substances Control Act
Mandatory Compliance: Financial Sector
Who is affected?
Broker/Dealer (Brokerage): 17 CFR 240.17a-3, 17a-4
Transfer Agent: 17 CFR 240.17Ad-7(f)
Investment Company (Mutual Funds): 17 CFR 270
Investment Manager/Advisor: 17 CFR 275
Financial Compliance
SEC 17a-3, 17a-4, NASD 3010
Three-year records retention of all correspondence
Storage of records on serialized, non-erasable media
Records must be duplicated
Records and indexes must be downloadable and available to the SEC at all times
Provide message sampling and auditing
Mandatory Compliance
Sarbanes - Oxley
Created in the wake of major Scandals such as Enron
Relates to Financial Statements
Validation of processes and statements
Makes C-Level executives liable
Defines Penalties
Sarbanes-Oxley
Who is affected?
Firms issuing securities traded on US securities markets
Firms reporting Public Financial Statements
Privately Held firms looking to go Public
Sarbanes-Oxley
What needs to be Kept?
Email retention is not specifically defined by SOX
Audit controls, working papers and reports are to be saved for 7 years
Email must be retained where it supports regulated financial and accounting practices and reporting
Mandatory Compliance
HIPAA (Health Insurance Portability and Accountability Act)
Applies to healthcare organizations: healthcare providers, health insurers, claims processors
Primarily addresses privacy and security of PHI (Protected Health Information)
Managing or auditing of emails containing PHI
Mandatory Compliance
Pharmaceutical Industry
Governed primarily by the FDA
Code of Federal Regulations, Title 21 CFR Part 11: addresses electronic records and signatures for documents required by predicate rules
Targets organizations wishing to convert to electronic processes
Covers controls, access, security and accountability
FDA is currently revising its compliance guidance
Mandatory Compliance
DoD 5015.2: covers all agencies of the Department of Defense
Based on government document retention requirements from NARA
Comprehensive and complex process for electronic documents
Classification / Storage / Retention / Destruction
Solutions require the DoD 5015.2 certification process
Local Government
New Legislation: Florida Statute 119 (Florida Sunshine Law)
Existing Legislation: Public Records Laws, State Archival Laws
Public access to information is the number one driving requirement
Personal Archiving
Local Storage: GroupWise Archives, GroupWise Remote/Caching
Is e-mail stored on the local workstation?
Is e-mail deleted corporately but retained by the user?
Is this local e-mail backed up? What would it cost to recover?
A corporate destruction policy with local user exceptions does not limit legal liability
Employing Retention Solutions
Where to Start?
Statutory, Regulatory or Compliance Requirements?
Penalties for non-compliance
Developing Retention Policies
• Trusted Empowerment
• Big Brother Enforcement
Developing Solutions to Meet Retention Policies
Managing Solutions (Retention & Destruction)
GroupWise as a Compliance Platform
Retaining Information within GroupWise
– Smart Purge feature for 100% retention
– Store information on system or tape
– Disabling personal archiving
– Reduce & Expire routines for data destruction
Maintaining Individual Account Repositories
– Administrative or individual searching
– Creating global proxies
Creating Single Account Repositories
– Forwarding all messages to common accounts
GroupWise as a Compliance Platform (Limitations)
Retaining Information within GroupWise
– Databases: no individual message storage
– Large volume of messages impacts system performance
– Information is stored in a proprietary format
Maintaining Individual Account Repositories
– No default administrative access to accounts
– Proxies are end-user controlled
Creating Single Account Repositories
– Single-account message limitations
GroupWise as a Discovery Platform
Accounts searched individually or via proxy
• Searching consumes network resources
• Advanced Boolean queries and word lists are complex
• Cannot search the contents of attachments
• Depends on the reliability of indexes and on QuickFinder (QF) indexing being enabled
Message Presentation
• Save individual emails to text file
• Forward emails to another account
• Print out all emails
Substantial costs to extract and retrieve information from GroupWise
Third Party Solutions
Advantages
• Independent message storage formats
• Provides global accessibility
• Timely enquiry response
• Compliance with regulations
Drawbacks
• Loss of original message status
• Management of additional systems
• Additional storage requirements
Third-party solutions are almost always cheaper than fines or than maintaining compliance through GroupWise alone
GWArchive Solutions from the Field
The Talent
Gregg A. Hinchman
• Collaboration Practice Manager, Tenacious Integration Services
• 10+ years of GroupWise experience
• Co-Author:
– “Success with Clustering GroupWise” – www.TayKratzer.com
– “Success with GroupWise Document Management”
– GroupWise Advisor Magazine Articles
The Issue
The FUND Company
• Manages mutual funds
• SEC regulated
• Must document absolutely every transaction
• Must save all email
• Must be able to produce email quickly
The Solution
GWArchive
• Archive email older than 180 days
• Users cannot delete until email is archived
• Archives are stored centrally on a SAN
• Publish all email to XML format
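As an added illustration of the policy on this slide, and not GWArchive's, Novell's or the FUND Company's own code, the hypothetical Python sketch below applies the 180-day cut-off, publishes eligible mail as plain XML with a per-record SHA-256 digest so that later alteration of the archive is detectable on read-back, and refuses a user delete until the message has been archived. The message fields, the sample mailbox, and the digest scheme are assumptions made for the example.

```python
"""Hypothetical retention-policy sketch (not GWArchive or GroupWise code).

Mail older than a cut-off is written to an application-independent XML
archive, each record carries a SHA-256 digest of its canonical fields, and a
delete is refused until the message has been archived.
"""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_CUTOFF = timedelta(days=180)  # policy value taken from the slide


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    sent: datetime  # timezone-aware
    body: str


def eligible_for_archive(msgs, now):
    """Messages whose sent date is at least RETENTION_CUTOFF before `now`."""
    return [m for m in msgs if now - m.sent >= RETENTION_CUTOFF]


def _digest(m):
    # Fixed field order with a separator that cannot occur in the fields, so
    # the same record always hashes to the same value on verification.
    canonical = "\x1f".join([m.msg_id, m.sender, m.recipient, m.subject,
                             m.sent.isoformat(), m.body]).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def to_archive_xml(msgs):
    """Serialize messages to plain XML; ElementTree escapes markup in text."""
    root = ET.Element("archive")
    for m in msgs:
        rec = ET.SubElement(root, "message", id=m.msg_id, sha256=_digest(m))
        for tag, val in (("from", m.sender), ("to", m.recipient),
                         ("subject", m.subject), ("sent", m.sent.isoformat()),
                         ("body", m.body)):
            ET.SubElement(rec, tag).text = val
    return ET.tostring(root, encoding="unicode")


def verify_archive(xml_text):
    """Recompute each record's digest from the XML; return (ok_ids, bad_ids)."""
    ok, bad = [], []
    for rec in ET.fromstring(xml_text).findall("message"):
        m = Message(rec.get("id"), rec.findtext("from"), rec.findtext("to"),
                    rec.findtext("subject"),
                    datetime.fromisoformat(rec.findtext("sent")),
                    rec.findtext("body") or "")
        (ok if _digest(m) == rec.get("sha256") else bad).append(m.msg_id)
    return ok, bad


def can_delete(msg, archived_ids):
    """Policy gate from the slide: delete only once the message is archived."""
    return msg.msg_id in archived_ids


# Constructed sample mailbox for the example (not real messages).
NOW = datetime(2004, 2, 9, tzinfo=timezone.utc)  # date of the presentation
SAMPLE = [
    Message("m1", "trader@fund.example", "client@example.org",
            "Order confirmation", NOW - timedelta(days=400),
            "Bought 100 units."),
    Message("m2", "ops@fund.example", "trader@fund.example",
            "Re: <quarterly> report & notes", NOW - timedelta(days=181),
            "See attached."),
    Message("m3", "hr@fund.example", "all@fund.example",
            "Holiday schedule", NOW - timedelta(days=30),
            "Office closed Monday."),
]

if __name__ == "__main__":
    archived = eligible_for_archive(SAMPLE, NOW)
    xml_out = to_archive_xml(archived)
    print(xml_out)
    print("verify:", verify_archive(xml_out))
    # Simulate a later edit of the stored archive; the digest check catches it.
    tampered = xml_out.replace("Bought 100 units.", "Bought 10 units.")
    print("tampered:", verify_archive(tampered))
    print("delete m3 allowed:", can_delete(SAMPLE[2], {m.msg_id for m in archived}))
```

A per-record digest only proves that a record has not changed since it was written; it does not stop an administrator from deleting records or rewriting the digests along with the content. The serialized non-erasable media called for under 17a-4, or a signed digest log kept outside the archive, is what makes the check meaningful for a regulator.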
In Conclusion
Email retention is clearly a major concern at all levels of industry and government
GroupWise and GroupWise archives provide a viable method of retaining corporate messages and complying with organizational policies, but with clear limitations
Application-independence and format-neutrality (e.g. XML and plain text) are critical attributes for any data destined to reside in long-term storage (5+ years)
Third-party tools allow organizations to properly deploy and manage both retention/deletion policies and the data sets those policies generate
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.