Q

Does SOX provision email archiving?

Although SOX may lack specificity regarding certain controls, it does have clear mandates for email retention.

Are there specific provisions contained within the Sarbanes-Oxley Act (SOX) regarding the retention/archiving of email communications? How long should email messages be retained?
The bad news about SOX and most other regulations is that they lack specificity about what meets the spirit of the regulation. Basically, SOX mandates the implementation of strong financial controls to ensure that malfeasance doesn't happen. It doesn't specify what that means from a security standpoint (besides nebulous concepts like separation of duties).

Many organizations have adopted the COBIT framework to guide their security program for SOX, since many auditors

have informally deemed that framework broad enough to ensure strong financial controls.

Regarding email retention, SOX section 802 requires that organizations retain auditing information for a minimum of seven years. This includes electronic records, which presumably encompasses email, thus enterprises are best off retaining email for at least seven years. This will also help with emerging e-discovery regulations, which also mandate that electronic information be available for several years.

More information:

This was first published in March 2008

Dig deeper on Sarbanes-Oxley Act

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close