Demystifying Regulatory Compliance with GroupWise Greg M. Smith, Director of Technical Services, Messaging Architects [email protected] Gregg Hinchman www.HinchmanConsulting.com


Page 1: Demystifying Regulatory Compliance with GroupWise Greg M. Smith, Director of Technical Services, Messaging Architects greg.smith@gwtools.com Gregg Hinchman

Demystifying Regulatory Compliance with GroupWise

Greg M. Smith, Director of Technical Services, Messaging Architects
greg.smith@gwtools.com

Gregg Hinchman
www.HinchmanConsulting.com


© February 9, 2004 Novell Inc.

Messaging Architects – Quick Intro…

For over 8 years, a leading developer of innovative application products that help Enhance, Secure, and Accelerate GroupWise®.

World class development and engineering resources dedicated to Messaging & Collaboration.

A Trusted Advisor that can assist with planning, deploying, managing and supporting mission-critical Email systems & applications.


Agenda

Overview

Data Retention Necessities

GroupWise Archive Architecture

Deploying GroupWise Archives

Solutions from the Trenches


Some Sobering Facts…

Storage: The average user will attempt to retain/store 500 MB of messages this year

Volume: IDC projects 33 billion MPD in 2005, up from the current 23 billion

Cost: The White House spent $10M to recover 246K messages from 4,900 backup tapes


Some Sobering Facts...

Knowledge: IDC reports that 60% of business-critical information is stored in email systems.

Access: 80% of archived data is not accessible in a timely or cost-effective manner, impacting the organization's performance & productivity.

Backups: Restoration from tape is not always a certainty; information is often lost or requires substantial effort to recover.


Driving Factors

Storage Management Concerns

Regulatory Compliance

Legal Litigation

Why to Manage Data


Typical Solutions

• Delete Everything: 29%
• Save Everything: 21%
• Don't Know: 42%
• Other: 8%


Typical Solutions

Delete Everything

• May contravene existing health & employment legislation

Retain Everything

• Ensures compliance with unknown requirements
• Increases storage and unnecessary liability

Don’t Know

• Why some of you are here


Existing Legislation

Driving Factors

HR & Employment Records
• Employment Act
• National Labour Relations Act
• Fair Labour Standards Act
• Americans with Disabilities Act
• Civil Rights Act of 1964

Organizations must maintain strict process separation or retain electronic documents

Health & Safety
• Occupational Health & Safety Act
• Toxic Substances Control Act


Mandatory Compliancy

Financial Sector

Who is affected?

• Broker/Dealer (Brokerage): 17 CFR 240, 17a-3, 17a-4
• Transfer Agent: 17 CFR 240, 17Ad-7f
• Investment Company (Mutual Funds): 17 CFR 270
• Investment Manager/Advisor: 17 CFR 275


Financial Compliancy

SEC 17a-3, 17a-4, NASD 3010

3 Year Records Retention of all Correspondence

Storage of records on serialized non-erasable media

Records must be duplicated

Records & Indexes must be downloadable and available to the SEC at all times

Provide message sampling and auditing


Mandatory Compliancy

Sarbanes-Oxley

Created in the wake of major Scandals such as Enron

Relates to Financial Statements

Validation of processes and statements

Makes C-Level executives liable

Defines Penalties


Sarbanes-Oxley

Who is affected?

Firms Issuing Securities traded on US Security Markets

Firms reporting Public Financial Statements

Privately Held firms looking to go Public


Sarbanes-Oxley

What needs to be Kept?

Email retention is not specifically defined by SO

Audit controls, papers & reports are to be saved for 7 yrs

Email retention in support of regulated financial and accounting practices and reporting


Mandatory Compliancy

HIPAA (Health Insurance Portability and Accountability Act)

Applies to Healthcare Organizations: Healthcare Providers / Health Insurance / Claims Processing

Primarily Addresses Privacy and Security of PHI

Managing or Auditing of emails containing PHI


Mandatory Compliancy

Pharmaceutical Industry

Governed primarily by FDA

Code of Federal Regulations Title 21 CFR Part 11

Addresses handling of predicate documents in electronic format

Targets organizations wishing to convert to electronic processes

Covers controls, access, security and accountability

FDA Currently revising its Compliance Guidelines


Mandatory Compliancy

DoD 5015.2

Covers all Agencies of the Department of Defence

Based on Government Document Retention from NARA

Comprehensive and Complex process for Electronic Docs

Classification / Storage / Retention / Destruction

Solutions require DoD 5015.2 Certification Process


Local Government

Legislation

New Legislation
• Florida – Statute 119 Florida Sunshine Law

Existing Legislation
• Public Record Laws
• State Archival Laws

Public Access to Information is number one driving requirement


Personal Archiving

Is e-mail stored on the local workstation?
• GroupWise Archives
• GroupWise Remote/Caching

Is e-mail deleted corporately but retained by user?

Is this local e-mail backed up? What would be the costs to recover?

Local Storage

Corporate Destruction Policy with Local User Exceptions does not limit Legal Liability


Employing Retention Solutions


Where to Start?

Statutory, Regulatory or Compliancy Requirements?

Penalties for non-compliance

Developing Retention Policies
• Trusted Empowerment
• Big Brother Enforcement

Developing Solutions to Meet Retention Policies

Managing Solutions (Retention & Destruction)


GroupWise as a Compliancy Platform

Retaining Information within GroupWise
– Smart Purge Feature for 100% retention
– Store Information on System or Tape
– Disabling Personal Archiving
– Reduce & Expire Routines for Data destruction

Maintaining Individual Account Repositories
– Administrative or Individual Searching
– Creating global proxies

Creating Single Account Repositories
– Forwarding all messages to common accounts


GroupWise as a Compliancy Platform

Retaining Information within GroupWise
– Databases – No individual message storage
– Large volume of messages impacts system
– Information is stored in proprietary format

Maintaining Individual Account Repositories
– No default administrative access to accounts
– Proxies are end user controlled

Creating Single Account Repositories
– Single account message limitations


GroupWise as a Discovery Platform

Accounts searched Individually or via Proxy
• Searching consumes network resources
• Advanced Boolean & Wordlists are complex
• Cannot Search the contents of attachments
• Reliability of Indexes or QF Enabled

Message Presentation
• Save individual emails to text file
• Forward emails to another account
• Print out all emails

Substantial Costs to extract and retrieve information from GroupWise


Third Party Solutions

• Independent Message Storage Formats
• Provides Global Accessibility
• Timely Enquiry Response
• Compliance with Regulations

• Loss of original message status
• Management of additional systems
• Additional Storage Requirements

Solutions inevitably cheaper than fines or maintaining compliancy through GroupWise


GWArchive Solutions from the Field


The Talent

Gregg A. Hinchman

• Collaboration Practice Manager, Tenacious Integration Services
• 10+ years of GroupWise Experience
• Co-Author:
– “Success with Clustering GroupWise” – www.TayKratzer.com
– “Success with GroupWise Document Management”
– GroupWise Advisor Magazine Articles


The Issue

The FUND Company
• Manages Mutual Funds
• SEC Regulates
• Document absolutely every transaction
• Must save all email
• Must be able to produce email quickly


The Solution

GWArchive
• Archive email older than 180 days
• Users cannot delete until email is Archived
• Archives are stored centrally on a SAN
• Publish all email to XML format


In Conclusion

Email Retention is clearly a major concern at all levels of industry and government

GroupWise & GroupWise archives provide a viable method of retaining corporate messages and complying with organizational policies, but with clear limitations

Application-independence and format-neutrality (i.e. XML + plain text) are critical attributes for any data destined to reside in long term storage (5+ years).

Third party tools allow organizations to properly deploy and manage both retention/deletion policies and the data sets that these policies generate.


General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.