SOX Records Management - Sarbanes-Oxley challenges the Information Technology function with requirements that impact day-to-day activities. In addition in an increasingly litigious business environment with heightened regulatory oversight bring new and potentially costly challenges to Information Technology. In spite of the risks, however, many enterprises have yet to adopt best practices, policies, and procedures to ensure the successful management of enterprise electronic business records.
Record Management - Retention & Destruction
New mandated federal laws make compliance a critical component in the management of all business records. Business records are any record, electronic or otherwise, that provides evidence of a company's business-related activities, events, and transactions.
This means the following:
- Electronically stored information - including email messages, attachments, and other data is discoverable and may be used as evidence for or against your organization in litigation.
- Business records email and other electronically stored information that is related to current, pending, or potential litigation must be retained, archived, and produced in a timely and legally compliant fashion during discovery, and the evidence-gathering phase of litigation.
- Businesses are allowed to routinely purge electronic archives of data that is not relevant to ongoing litigation or pending cases. However processes have to be in place to halt this destruction when litigation begins or is anticipated to begin.
- Writing over backup tape once litigation is underway may constitute virtual shredding and lead to allegations of spoliation, or the illegal destruction of electronic evidence.
- To be accepted as legal evidence, email and business records must be preserved and produced in a trustworthy, authentic, and tamper proof manner.
Monitor Network Access & Activity
Federal and state government regulations can be a big problem for today's organizations. There are more than 100 such regulations in the U.S. alone, and that number continues to grow. These are in addition to industry-specific mandates. They are all designed to safeguard the confidentiality, integrity, and availability of electronic data from information security breaches. So, what are the consequences if your organization fails to comply? Heavy fines and legal action. In short, it's serious.
Sarbanes-Oxley Section 404 requires that::
- Enterprises have an enterprise wide security policy;
- Enterprises have enterprise wide classification of data for security, risk, and business impact;
- Enterprises have security related standards and procedures;
- Enterprises have formal security based documentation, auditing, and testing in place;
- Enterprise enforce separation of duties; and
- Enterprises have policies and procedures in place for Change Management, Help Desk, Service Requests, and changes to applications, policies, and procedures.