Many organizations have adopted the COBIT framework to guide their security program for SOX, since many auditors have informally deemed that framework broad enough to ensure strong financial controls.
Regarding email retention, SOX section 802 requires that organizations retain auditing information for a minimum of seven years. This includes electronic records, which presumably encompasses email, thus enterprises are best off retaining email for at least seven years. This will also help with emerging e-discovery regulations, which also mandate that electronic information be available for several years.
Dig Deeper on Security audit, compliance and standards
Related Q&A from Mike Rothman
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ... Continue Reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.