
Strategies for email archiving and meeting compliance regulations

According to a recent study, 29% of surveyed IT professionals archive their email for compliance reasons. Michael Cobb reviews compliance regulations that demand email archiving and how such products can ease some of the pain that comes with the process.

A study released in late 2008 by Barracuda Networks Inc. looked at email messaging archive technology adoption among North American organizations. An overwhelming majority, nearly 82%, of the 200 IT professionals surveyed viewed email archiving, commonly defined as an approach to saving and protecting email data for future use, as "important" or "very important" for their organizations. Interestingly, more than two-thirds of respondents cited reasons other than compliance as their main consideration for implementing an email archiving product.

I find it encouraging that regulatory requirements are not the only forces driving good IT practices. For 29% of organizations, however, compliance with industry regulations was the critical factor behind archiving email. So which regulations make archiving an increasingly important element of network administration and compliance? In this tip, we'll touch on some regulations driving email archiving, why archiving is important, and how to avoid common mistakes made when dealing with archived data.

Compliance regulations driving email archiving
To start, there are two regulations that affect the majority of organizations. The 2006 amendments to the Federal Rules of Civil Procedure (FRCP), which address electronically stored information (ESI), require organizations to manage their data so that it can be produced in a timely and complete fashion when required in the course of legal proceedings.


Publicly traded companies must also comply with the Sarbanes-Oxley Act of 2002, which stipulates that electronic data must be kept for 3-7 years. Given that the number of email messages for large organizations can run into millions each year, standard backup approaches, such as tapes used for disaster recovery, are not going to provide effective retrieval capabilities. On the other hand, a dedicated email archive can take advantage of indexing, tagging, custom searches and efficient storage to make message retrieval less painful.

Additionally, though it only affects healthcare organizations, health plans and their business associates, the Health Insurance Portability and Accountability Act (HIPAA) requires electronic protected health information (ePHI) to be safeguarded, which in practice means encrypting it both at rest and in transit. A product dedicated to archiving email can handle this requirement as well.

There are also various rules, imposed by bodies such as the Securities and Exchange Commission, the National Association of Securities Dealers (now FINRA) and the New York Stock Exchange, that cover the handling and storage of electronic messages. Although these mainly touch firms in the financial services industry, they add to the weight of regulation requiring electronic messages to be stored and secured against alteration, deletion and inappropriate access, yet easily retrievable when required.
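The requirement just described, that archived messages be protected against alteration and deletion yet remain retrievable, and the point made later in this tip that the stored form must not lose origin, destination, date and time information, can both be made concrete with a small tamper-evident archive. The following is an added example written for this page, not code from the original tip or from any archiving product. It stores each message's raw RFC 822 bytes unmodified under their SHA-256 digest, records the provenance headers in a manifest, refuses messages that lack those headers, and on verification re-hashes every stored file so that a silent edit or a deletion is reported. The directory layout, the manifest format, the function names and the sample messages are all assumptions made for this example.

```python
import email
import hashlib
import json
import tempfile
from pathlib import Path

# Headers whose loss would break the provenance an auditor or court expects.
PROVENANCE_HEADERS = ("From", "To", "Date", "Message-ID")

# Constructed sample messages for this example; not real mail.
SAMPLE_MSG = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Date: Mon, 02 Feb 2009 10:15:00 +0000\r\n"
    b"Message-ID: <20090202101500.1@example.com>\r\n"
    b"Subject: Q4 figures\r\n"
    b"\r\n"
    b"Bob, the Q4 numbers are attached.\r\n"
)
MSG_WITHOUT_DATE = SAMPLE_MSG.replace(
    b"Date: Mon, 02 Feb 2009 10:15:00 +0000\r\n", b"")


def provenance(raw: bytes) -> dict:
    """Return the origin/destination/time headers of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    return {h: msg[h] for h in PROVENANCE_HEADERS}


def _load_manifest(archive_dir: Path) -> list:
    manifest = archive_dir / "manifest.json"
    return json.loads(manifest.read_text()) if manifest.exists() else []


def archive_message(archive_dir: Path, raw: bytes) -> dict:
    """Store the unmodified bytes under their SHA-256 and record provenance.

    Messages missing any provenance header are refused rather than archived
    with gaps, so the archive never silently loses origin or date information.
    """
    headers = provenance(raw)
    missing = [h for h in PROVENANCE_HEADERS if not headers[h]]
    if missing:
        raise ValueError(f"refusing to archive message lacking {missing}")
    digest = hashlib.sha256(raw).hexdigest()
    # Content-addressed naming: byte-identical messages are stored once.
    (archive_dir / f"{digest}.eml").write_bytes(raw)
    entry = {"sha256": digest, "headers": headers}
    entries = _load_manifest(archive_dir)
    entries.append(entry)
    (archive_dir / "manifest.json").write_text(json.dumps(entries))
    return entry


def verify_archive(archive_dir: Path) -> list:
    """Re-hash every stored message; report deleted or altered ones."""
    problems = []
    for e in _load_manifest(archive_dir):
        path = archive_dir / f"{e['sha256']}.eml"
        if not path.exists():
            problems.append((e["sha256"], "missing"))
        elif hashlib.sha256(path.read_bytes()).hexdigest() != e["sha256"]:
            problems.append((e["sha256"], "altered"))
    return problems


def search(archive_dir: Path, sender: str) -> list:
    """Retrieval by originator from the manifest; a real archive indexes this."""
    return [e["sha256"] for e in _load_manifest(archive_dir)
            if e["headers"]["From"] == sender]


def demo() -> dict:
    """Archive a message, verify, then simulate tampering and deletion."""
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d)
        entry = archive_message(archive, SAMPLE_MSG)
        try:
            archive_message(archive, MSG_WITHOUT_DATE)
            rejected = False
        except ValueError:
            rejected = True
        result = {"entry": entry, "rejected": rejected,
                  "found": search(archive, "alice@example.com"),
                  "clean": verify_archive(archive)}
        stored = archive / f"{entry['sha256']}.eml"
        # An after-the-fact edit changes the bytes, so the digest no longer matches.
        stored.write_bytes(SAMPLE_MSG.replace(b"Q4 figures", b"Q4 figures (revised)"))
        result["tampered"] = verify_archive(archive)
        stored.unlink()
        result["deleted"] = verify_archive(archive)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add: the manifest is only as trustworthy as its own storage, so in a real deployment it would be signed or written to non-rewritable media rather than sitting beside the messages it describes; and a digest detects alteration after the fact but does nothing about inappropriate access, which still needs access control and alerting in front of the archive.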

The case for email archiving
The FRCP amendments, which apply to virtually every business in the United States, mean that some form of archiving product is invaluable for timely email discovery. In the Barracuda survey, nearly half of the respondents said they had been involved in a litigation request that required email as part of the discovery process, and a third of those took up to a month, without the aid of an email archiving product, to produce the email requested.

For organizations of any size, there is a compelling argument for implementing some form of specialized email archiving. Not only does it make compliance easier and less time consuming, it also leads to a more efficient network and user base. Without archiving, an inbox can grow to tens of thousands of messages, and if users are forbidden to delete any of them because nothing else retains them, mailboxes of that size quickly become unmanageable for users and administrators alike. Even Microsoft recommends that large enterprise users of Exchange move old email out of mailboxes into a third-party archiving product to improve user productivity.

The key criteria for choosing the right product are that it integrates with the existing infrastructure and that it has the functionality to meet the organization's particular regulatory obligations. For instance, an effective email archiving system should alert administrators to unauthorized attempts to access the archive and to messages that violate acceptable-content policies.

Also note that it is essential to store emails in a format that does not change the information. Encryption is allowed and obviously recommended, but any space-saving technique, such as single-instance storage (keeping one copy of an attachment and having every other message hold a pointer to it; called stubbing when the mailbox copy itself is replaced by that pointer), must not remove or lose information about points of origin, destinations, dates and times.

There are many email archiving products available, many of which are designed to enable compliance with specific regulations. Taking time to review the available product options will help ensure your organization finds the correct balance between performance and productivity -- making sure the system runs smoothly without interrupting business activities -- and meeting security and compliance requirements.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several Security Schools and, as a site expert, answers user questions on application security and platform security.
This was last published in February 2009
