
	Home > Ask the Security Experts > Expert Archive: Security Management Questions & Answers > Does SOX provision email archiving?

Ask The Security Expert: Questions & Answers

EMAIL THIS

Does SOX provision email archiving?

EXPERT RESPONSE FROM: Mike Rothman, past SearchSecurity.com expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 10 March 2008
Are there specific provisions contained within the Sarbanes-Oxley Act (SOX) regarding the retention/archiving of email communications? How long should email messages be retained?

BROWSE BY TAG

Expert Archive: Security Management, Security Audit, Compliance and Standards, Sarbanes-Oxley Act, COBIT, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Expert Archive: Security Management
	What is the GISP certification and how does it compare to the CISSP certification?
	Using a QSA to write up a PCI DSS report on compliance (ROC)
	How can gap analysis be applied to the security SDLC?
	Comparing cheap security products and appliances to costly appliances
	What are some tips on protecting my security budget in a poor economy?
	What value do research firms provide to their subscribing enterprises?
	What certificate offers the best ROI for an IT project manager?
	Is insider activity or outsider activity a bigger enterprise threat?
	How does information security prevent fraud in the enterprise?
	Differences between an SAS 70 data center and a Tier III data center

Sarbanes-Oxley Act

SOX compliance burdens midmarket security teams

Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management

Information security book excerpts and reviews

Internal audits for Sarbanes Oxley and internal IT support

Internal auditors and CISOs mitigate similar risks

Implement security and compliance in a risk management context

Does password sharing in international branches violate SOX?

Consensus Controls project aims to set benchmarks for compliance

Security visualization helps make log files work

The Little Black Book of Computer Security, 2nd Edition

Sarbanes-Oxley Act Research

COBIT

Tony Spinelli: Prioritize Information Security over Compliance

Security survey finds increase in security standards adoption

Mix of Frameworks and GRC Satisfy Compliance Overlaps

GRC: Over-Hyped or Legit?

Is the Orange Book still relevant for assessing security controls?

COSO and COBIT: The value of compliance frameworks for SOX

ISO 17799: A methodical approach to partner and service provider security management

Mapping the path toward information security program maturity

RSA Conference 2006

Step 1: Understanding compliance -- Financial and technical standards

COBIT Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

COBIT (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

The bad news about SOX and most other regulations is that they lack specificity about what meets the spirit of the regulation. Basically, SOX mandates the implementation of strong financial controls to ensure that malfeasance doesn't happen. It doesn't specify what that means from a security standpoint (besides nebulous concepts like separation of duties).

Many organizations have adopted the COBIT framework to guide their security program for SOX, since many auditors have informally deemed that framework broad enough to ensure strong financial controls.

Regarding email retention, SOX section 802 requires that organizations retain auditing information for a minimum of seven years. This includes electronic records, which presumably encompasses email, thus enterprises are best off retaining email for at least seven years. This will also help with emerging e-discovery regulations, which also mandate that electronic information be available for several years.

More information:

Have a well-planned data retention policy and ease e-discovery preparation.
Learn to aid compliance efforts with penetration testing.

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy