The Sarbanes-Oxley Act of 2002 and associated rules adopted by the Securities and Exchange Commission (SEC) require certain businesses to report on the effectiveness of their internal controls over financial reporting. Effective internal controls ensure information integrity by mandating the confidentiality, privacy, availability, controlled access, monitoring and reporting of corporate or customer financial information. Companies that must comply with Sarbanes-Oxley include U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. U.S. companies with market cap greater than $75M and on an accelerated (2004) filing deadline are required to comply for fiscal years ending on or after Nov. 15, 2004. All others are required to comply for fiscal years ending on or after April 15, 2005.

The role of email in Sarbanes-Oxley compliance cannot be overstated. At a high level, email is the primary internal and external communication tool for corporations. However, a more granular inspection of email’s role, especially as pertaining to corporate information security, reveals that it can make or break a company’s efforts to comply with Sarbanes-Oxley. Email systems are critical to ensuring effective internal control over financial reporting, encryption of external messages and active policy enforcement, all essential elements of compliance.

Complying with Sarbanes-Oxley

The changes required to ensure Sarbanes-Oxley compliance reach across nearly all areas of a corporation. In fact, Gartner Research went so far as to call the Act the most sweeping legislation to affect publicly traded companies since the reforms during the Great Depression. Since the bulk of information in most companies is created, stored, transmitted and maintained electronically, one could logically conclude that IT shoulders a lion’s share of the responsibility for Sarbanes-Oxley compliance. Enterprise IT departments are responsible for ensuring that sound practices, including corporate-wide information security policies and enforced implementation of those policies, are in place for employees at all levels. Information security policies should govern:

- Network security
- Access controls
- Authentication
- Encryption
- Logging
- Monitoring and alerting
- Pre-planning coordinated incident response
- Forensics

These components enable information integrity and data retention, while enabling IT audits and business continuity.

In order to comply with Sarbanes-Oxley, companies must be able to show conclusively that:

- They have reviewed quarterly & annual financial reports;
- The information is complete and accurate;
- Effective disclosure controls and procedures are in place and maintained to ensure that material information about the company is made known to them.

Sarbanes-Oxley Section 404

This section regulates enforcement of internal controls. Management must show that it has established an effective internal control structure and procedures for accurate and complete financial reporting. In addition, the company must produce documented evidence of an annual assessment of the internal control structure’s effectiveness, validated by a registered public accounting firm. By instituting effective email controls, organizations are not only ensuring compliance with Sarbanes-Oxley Section 404; they are also taking a giant step in the right direction with regards to overall email security.

Effective Email Controls

Email has evolved into a business-critical application unlike any other. Unfortunately, it is also one of the most exposed areas of a technology infrastructure. Enterprises must install a solution that actively enforces policy, stops offending mail both inbound and outbound and halts threats before internal controls are compromised, as opposed to passively noting violations as they occur. An effective email security solution must address all aspects of controlling access to electronically stored company financial information. This includes access during transport as well as access to static information resident at the company or on a remote site or machine. Given the wide functionality of email, as well as the broad spectrum of threats that face email systems, ensuring appropriate information access control for all of these points requires:

- A capable policy enforcement mechanism to set rules in accordance with each company’s systems of internal controls;
- Encryption capabilities to ensure privacy and confidentiality through secure and authenticated transport and delivery of email messages;
- Secure remote access to enable remote access for authorized users while preventing access from unauthorized users;
- Anti-spam and anti-phishing technology to prevent malicious code from entering a machine and to prevent private information from being provided to unauthorized parties

For years, corporations addressed their various email security needs through a mixture of third-party software solutions designed to address specific areas of vulnerability. Today, however, this approach is ineffective. New amorphous threats adapt to even the latest security technology, helping hackers and spammers stay a step ahead of most stand-alone protective measures. System administrators remain in a reactionary mode, waiting for the next attack and hoping their mixed bag of security software is up to the test. The new challenges posed to email security demand a new approach that protects enterprises from all types of malicious attacks. Enter CipherTrust’s IronMail.

IronMail and Sarbanes-Oxley

CipherTrust’s IronMail has been created to protect organizations from both known and unknown email security attacks. IronMail offers automatic or manual updates to protect against both known and newly discovered email security threats and vulnerabilities, and the comprehensive messaging security provided by IronMail assists organizations in key areas of maintaining effective internal controls. Specific financial information threats and vulnerabilities protected by IronMail include:

- Viruses, worms, and other malicious code
- Internal users and external hackers attacking email systems
- System failures from malicious attacks that can lead to subsequent legal liabilities
- Unintentional or malicious information access or exposure

IronMail provides a comprehensive solution to the Sarbanes-Oxley information integrity requirements as they relate to protecting corporate financial information that is transmitted and stored via email. Everything from message privacy/encryption to email firewall and intrusion protection to content filtering is included in the IronMail solution.