I had a client who is a publicly traded bank complete their annual FFIEC audit today. Two of my systems were included in this audit, and the bank's lead IT consultant is a 20-year good friend who is also my own network and security guru and my own emergency backup. He also services other financial firms that are audited annually.
Just to be clear, I did not participate directly in the audit, though the regulations are a constant topic of conversation. There is no doubt that banks are held to a higher standard than others.
The technical phase of the audit is carried out by "examiners". These people are merely consultants hired by the feds to conduct these audits. The primary part of the audit is carried out by "regulators", who are the accountants that go over the books. The examiners are often less experienced than the IT staff and their own IT consultants. They come in and inspect systems according to checklists, and sometimes go further. They use tools such as ISS scanners to go over a network looking for vulnerabilities.
In this particular audit the customer was flagged for running E-mail servers on every one of their desktops. The E-mail servers were reported as being "Symantec Security Suite", and this was the result of running the scanner from a laptop that had Symantec Security Suite installed on it (the bank clients did not run this). Even though this was pointed out to them, they still included it in their report and flagged it as a possible false positive because they said they were just following directions and using the tools they were given. They also claimed that the bank was potentially insecure because they had IP space listed in ARIN (which is RFC/ARIN required). They then claimed that their E-mail server, which is fully firewalled from outside connections, was insecure because it exposed its own IP address in Received headers for outgoing E-mail. These were both bogus and short-sighted issues.
This client always gets rave marks on their audits, but the examiners always point out something just to prove that they were doing their job. They send a report to the board of directors for the client, and then it is the job of the IT staff to address all of those items to the board. They are not required to change anything, or at least there has never been an issue that was required to be changed, and nit-picky stuff like ARIN records for IP space is merely explained and not changed.
In another place that I am aware of, the examiners recommended changing to a commercial IT security package because they did not understand the security as it was implemented. This was an issue with the examiners and not the financial institution. While this does confirm that the examiners prefer commercial packages, it does not justify the use of commercial packages, since this is not a requirement, and it is merely a consultant examiner that is not fully versed in network security. For instance, they may be uncomfortable with a hardened Linux kernel running SNORT for IDS, but if you buy a commercial package with a fancy name that is merely a hardened Linux kernel running SNORT, they may be happy since they know the product name.
Regarding SOX compliance, this never came up, and according to my friend, who has done several dozen FFIEC audits, it never has. SOX is primarily covered by traditional audits and, to the best of my knowledge, it is overseen by the PCAOB (which was created by Sarbanes-Oxley for compliance purposes). They deal with independent auditors, and it is apparently the responsibility of the independent auditors to verify SOX compliance, including E-mail archiving. I can't claim that FFIEC examiners or regulators won't look at SOX E-mail archiving, and the examiners do look at other systems for record retention regarding security, but it is clearly not universal, and FFIEC audits are the fiercest audits of them all.
For publicly traded non-financial corporations, FFIEC audits don't apply. They are clearly covered by SOX and its E-mail retention rules, but they do not go to the same extent in examining systems. SOX compliance as far as E-mail retention is not defined as far as the technical implementation goes, and it appears that fines for this to date result from other activities besides audits. I have also found documentation showing that E-mail retention procedures (technical implementations) are not a one-size-fits-all situation and should be approached according to the size of the business. Some smaller companies merely retain backups of systems like Exchange in order to meet compliance, while larger ones must use more complicated solutions in order to create a situation where the communications are readily available for whatever legal need applies.
I still believe that a smaller public company can be fully compliant by merely archiving all incoming, outgoing and internal E-mail into capture accounts, and archiving those capture accounts in a way that they can reasonably pull any data required of them as a result of an official action.
Matt Sanford Whiteman wrote:
> Unlike... um, anyone on this list, it seems... I know firsthand what SEC and NASD think of homegrown "compliance" solutions.
>
> > That's why you pay someone else to do it and insist that they slap on a fancy name like "Perfect Super Uber E-mail Compliance Archive System".
>
> If it's hosted in-house, it's easy to tell that it's homegrown (because the fact that it's in-house alone is often illegal). Really, I get the feeling you don't really know what passes muster and what doesn't, but you're frustrated that a big (biggish, they're really quite small in personnel) company like GlobalRelay might be getting some props. I know you're healthily skeptical of big shops hosting ostensibly premium software, because of your hosting business and boutique approach. But that doesn't let you blindly extend your dismissive brush to other lines of business. Some other people know much more about compliance, and they sure ain't using VBScript to do it. 10 hours? You must be smokin' that good-good!
>
> > ...no one should invest in something that doesn't meet regulations.
>
> Yeah!
>
> > I do have some experience with the feds, and I did work for a multi-billion dollar corporation where my immediate boss was in charge of E-mail for the entire company, and we were always being sued by someone.
>
> Well, if you haven't been a primary participant in a compliance audit/investigation *specifically* of e-mail archives, you aren't speaking from experience. I have been part of several such processes. That experience is where I've always been coming from on this issue: I wouldn't raise a peep if I hadn't been much more intimately involved than anyone else here.
>
> > That was pre-SOX though, but we all knew it was coming and that it mostly just clarified retention policies by better defining what was classified as a covered communication.
>
> If everyone's best guesses were accurate, there wouldn't be million-dollar fines handed out for inadequate archiving.
>
> > I also have a good friend who deals with bank audits on a regular basis as well as SOX compliance. When audited, they will always point a list of things out, and they can find fault with anything that they choose to find fault with. The real trick is ensuring that you aren't grossly negligent.
>
> The "real trick" is not trying to do compliance on the cheap, but understanding why it exists. Know your history. If one can't handle the budgetary heat of being in a regulated business, but one is a somewhat honest person, get out of the kitchen. On the other hand, if one is dishonest -- if one doesn't think late trading and market timing are as immoral as non-violent business gets, and if you don't think it's worth fighting for fair business practices, even if that means you make some sacrifices because of others' evils -- do everyone a favor and just walk off a cliff.
>
> > Also note that congress didn't even specify retention periods within SOX or methods of retention, this was all inferred after the fact by combining aspects of various laws and regulations, and they certainly didn't endorse a particular product for providing a solution.
>
> Yeah, that's why my involvement in ACTUAL audits -- the law as applied -- is what I draw on in my responses.
>
> > With all of that said, I believe that what one does should be compatible with the dynamics of one's business. For a single location entity with less than 200 employees, clearly a less robust solution could manage the task, and it could be home grown.
>
> You seem to think that # of locations or # of employees is relevant. That's a joke! Look at the mutual fund scandals of a couple of a few years ago, which led to many e-mail audits. Do you understand how many single locations with < 50 heads were involved? Didn't think so. And have you pieced together why late trading was worth every penny spent on its investigation and prosecution, and subsequent tighter regulation? Here's one way of looking at it: Ever see the show "Early Edition"? Now, imagine if the everyday hero of that show had instead been the Eye of Sauron.
>
> --Sandy
>
> ------------------------------------
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
> e-mail: [EMAIL PROTECTED]
>
> SpamAssassin plugs into Declude!
> http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/
>
> Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
> http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
> http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
