Managing email regulatory compliance and security in the financial services sector can be a daunting task. To be certain, email speeds up the business and makes servicing customers and partners easier, but there is a dark side.
Consider one high-profile case, which involved a star investment banker at Credit Suisse First Boston (CSFB) who sent an email to more than 400 subordinates telling them to clean up their email accounts -- federal prosecutors used that email as evidence of a cover up of improper trading at CSFB. The banker was convicted of obstruction of justice.
Have a well-crafted policy
Before you can bring control to email, you must first create a policy. It may seem very basic, but your security policy must define email precisely.
A good working definition would cover all electronically transmitted messages, regardless of format (HTML, XML, RTF, etc.), attachments (documents, spreadsheets, graphics, etc.) and supporting infrastructure -- the servers that transmit and store email. For financial services, this list will include such services as Bloomberg mail and instant messaging, Internet mail providers and your in-house MS Exchange, Lotus Notes or other email system.
Refer to your information security policy or data protection policy (if available) to have a crisp definition of your company's specific data classification framework. This is important if you decide that certain information must not be transmitted insecurely, or at all, via email.
Now that you have defined what email is, it's time to consider the myriad of regulations that apply to it. For most in the financial services industry, a good starting point is the US Securities and Exchange Commission; for self-regulated organizations, check with your governing body regarding regulations applicable to email.
The requirement to archive email for specified period, usually 10 years, should be at the top of your list. Archiving must be done in a manner that prevents users from deleting emails that could be important in an investigation. The best way to accomplish this is to have both incoming and outgoing email archived in real-time. This prevents users from mass deleting emails. It's best to consider a secure an off-site archive. Ideally, this archive is managed by administrators without a conflict of interest, such as an outsourced provider, lessening the chance of malicious insider email and data destruction.
Your choice of archive technology and/or outsourced provider should include protections against altering or deletion. A forensically compliant system is the best. Here there are cryptographic checksums, hashes, encryption, signatures, timestamps and other data protection mechanisms that can stand up in an investigation or against cross examination in a court of law. When something was emailed may be as important as what was emailed. That's why nothing less than a rock-solid forensically compliant system is best.
Supervision review capability
Supervisory review of email sent through the system is critical to meeting compliance objectives. You must have a program and policy in place that ensures regular review of the email content that is flowing though your company. The review has to be done in such a manner that it constitutes due care and monitoring to catch illicit or prohibited communications. The workflow for this may have to meet other requirements such as keyword matching, randomness, frequency or target specific roles within the organization, such as the trading desk. Your systems must support these policy or regulatory requirements.
Detailed reporting is a must
In order to prove the effectiveness of your regulatory compliance program, you need to produce detailed reports on email activity for your auditors.
For starters, your reporting should include the following:
- Measures of the effectiveness of the supervisory process.
- The number noncompliant messages and policy violations in defined time periods.
- Actual messages reviewed and analyzed by supervisors.
- Tracking of outcomes or actions on violations detected.
- Volume of email archived by groups or users.
- System capacity remaining for archive.
- Access violations or archive tampering attempts.
- Audit reports of access to the archive and messages.
Don't underestimate the importance of reporting. If you miss these critical capabilities, you may find yourself with a failed audit despite otherwise solid archiving practices.
About the author:
George Wrenn, CISSP, ISSEP, is frequent contributor to SearchSecurity.com and Information Security magazine, he served as a Director of Security in the financial services industry and is now a consulting security expert. He's also a Six Sigma Black Belt, a Harvard grad and was trained in cryptography at MIT. He can be reached at firstname.lastname@example.org.