Re: [Declude.JunkMail] OT: Message Storage
Karl,

We were specifically talking about SOX (Sarbanes-Oxley) compliance, which has no legal applicability to your own needs. Your needs are governed by Florida's Government-in-the-Sunshine laws, which allow for public inspection of most records.

Matt

IS - Systems Eng. (Karl Drugge) wrote:

EXACTLY why we have the city attorney and another legal specialist helping to formulate our own new policy. Best to invest some real $$$ now, before we get sued for our ignorance ( and ) later.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sanford Whiteman
Sent: Sunday, December 17, 2006 1:46 PM
To: Matt
Subject: Re[2]: [Declude.JunkMail] OT: Message Storage

/snip

In summary: you still don't know about e-mail archival for compliance purposes. Thanks for sharing.

--Sandy

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OT: Message Storage
True, I'm covered by different laws.. But in regards to keeping 'legal', in all senses of the word, especially when you are discussing 'home grown' versus 'off the shelf' solutions, it would be best to consult legal advisors before implementing anything.

If you aren't sure, get advice. If you are sure, get it in writing.

I was private sector long before I converted to government, and still keep some of those clients. Most of my clients would much rather have a lawyer's sign-off, especially if it's going to help them avoid a lawsuit later.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, December 18, 2006 12:48 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: Message Storage

Karl,

We were specifically talking about SOX (Sarbanes-Oxley) compliance, which has no legal applicability to your own needs. Your needs are governed by Florida's Government-in-the-Sunshine laws, which allow for public inspection of most records.

Matt
Re: [Declude.JunkMail] OT: Message Storage
chiving scheme using some form of copy-all functionality.

One should look for guidance from all applicable sources, but one should also understand that others may be in an extreme risk-averse mindset, may be in a position to profit from certain solutions, or may not understand what is really required. As consultants, service providers, and direct staff, we all must keep in mind that we don't want to become part of the problem.

Matt

IS - Systems Eng. (Karl Drugge) wrote:

True, I'm covered by different laws.. But in regards to keeping 'legal', in all senses of the word, especially when you are discussing 'home grown' versus 'off the shelf' solutions, it would be best to consult legal advisors before implementing anything.

If you aren't sure, get advice. If you are sure, get it in writing.

I was private sector long before I converted to government, and still keep some of those clients. Most of my clients would much rather have a lawyer's sign-off, especially if it's going to help them avoid a lawsuit later.

Karl Drugge
RE: [Declude.JunkMail] OT: Message Storage
Gotta love that picture. Keeping it for my personal laptop background.

I'll agree with you 99%.. I hate lawyers with a passion, and excepting the miniature French poodle and HR personnel, they are loathed beyond all else. But, in doing a risk assessment, factors like the possible cost of a possible lawsuit is something that should be considered.

A hospital is a good example. Regardless of what the I.T. team is doing ( for good or ill ), it's a good idea to get the advice of a legal professional. Just one suit will offset the cost of hundreds of consultations. It's not always possible, especially in the smaller firms, to CYA in this fashion, but a sign-off from above works just as well.

As IT management, I stress that we offer the company technical solutions. What we CAN do is very different in most cases, from what we SHOULD do. The SHOULD do part comes from written company policy. Written company policy needs impartial review, from as many perspectives as possible.

Medical/Legal/Financial records all have different retention requirements. This includes emails which pertain to these records ( or even have them embedded ). So, how do you handle your archives then ? Keeping ALL the emails will get you fried if you have expunged records in your archives ( if you're an attorney ). Who sorts these emails for relevant information to determine if they even should be stored ? SOX doesn't require I keep emailed pictures of my 5 year old niece's B'day party.. So do you check each one individually ?! Yargh ! Leave it up to the end users ? Oh boy...

So, why do ( or don't ) you have these records ? Company policy will be the only thing that keeps you as the email admin from getting thrown under the bus. Easy, company policy dictates it. You're off the hook.

Remember, when the witch hunt ends, you don't want to be the one wearing the pointy hat.

Apologies for the hijacked thread...

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, December 18, 2006 2:36 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: Message Storage

Karl,

The problem is assuming that keeping it 'legal' involves lawyers for instance. The Sarbanes-Oxley Act of 2002 was enacted by Congress and the responsibility for clarifying the law into workable practices was assigned to PCAOB (The Public Company Accounting Oversight Board, created by Sarbanes-Oxley), and signed off on by the SEC. It is the responsibility of independent auditors to verify compliance and report its findings to the board of directors, who are ultimately responsible for the companies in question.

. . Lots of good stuff . . .

Matt
Re: [Declude.JunkMail] OT: Message Storage
Karl,

If you want to buy the poster, you might try this link: http://www.thinkgeek.com/homeoffice/posters/58fc/

BTW, I wasn't suggesting that you hijacked the thread, rather I and others did from William Stillwell when he asked about E-mail archiving that doesn't cost an arm and a leg.

Your point about keeping baby pictures is a valid one. Technically you are not required to keep such things under SOX...only business communications and more specifically, ones that pertain to the finances and operation of the business, are covered. There are even solutions that do filtering to determine if a message should or shouldn't be archived, though being somewhat risk-averse, and knowing that such filtering isn't perfect, I would not recommend such a solution.

At the same time though, keeping unnecessary messages can be a detriment to a company as these things can come out and burn you years in the future. How many times have we heard side comments from Microsoft execs that their competition or detractors used against them? Here's one such example where an MS executive told others that he would be using a Mac if he didn't work for Microsoft. Here's the blog that tries to explain what he meant... http://windowsvistablog.com/blogs/windowsvista/archive/2006/12/12/title.aspx

People are caught having affairs with others in the office, partying, and other things that represent private comments. The fact is that none of that stuff is required to be kept and it shouldn't be archived if one can help it. The SEC doesn't care about such things and they are the ones requiring retention, but having a massive stash of E-mail covering anything and everything actually increases the possibility of needing to spend money fulfilling a court order to produce such things. You can likely blanket exclude certain classes of employees since they never deal with anything the SEC is concerned with, and that is wise.

Retaining all such E-mails is another example of risk-aversion as well as complication, but the retention itself should be approached with some degree of risk-aversion as well.

Matt

IS - Systems Eng. (Karl Drugge) wrote:

Gotta love that picture. Keeping it for my personal laptop background.

I'll agree with you 99%.. I hate lawyers with a passion, and excepting the miniature French poodle and HR personnel, they are loathed beyond all else. But, in doing a risk assessment, factors like the possible cost of a possible lawsuit is something that should be considered.

A hospital is a good example. Regardless of what the I.T. team is doing ( for good or ill ), it's a good idea to get the advice of a legal professional. Just one suit will offset the cost of hundreds of consultations. It's not always possible, especially in the smaller firms, to CYA in this fashion, but a sign-off from above works just as well.

As IT management, I stress that we offer the company technical solutions. What we CAN do is very different in most cases, from what we SHOULD do. The SHOULD do part comes from written company policy. Written company policy needs impartial review, from as many perspectives as possible.

Medical/Legal/Financial records all have different retention requirements. This includes emails which pertain to these records ( or even have them embedded ). So, how do you handle your archives then ? Keeping ALL the emails will get you fried if you have expunged records in your archives ( if you're an attorney ). Who sorts these emails for relevant information to determine if they even should be stored ? SOX doesn't require I keep emailed pictures of my 5 year old niece's B'day party.. So do you check each one individually ?! Yargh ! Leave it up to the end users ? Oh boy...

So, why do ( or don't ) you have these records ? Company policy will be the only thing that keeps you as the email admin from getting thrown under the bus. Easy, company policy dictates it. You're off the hook.

Remember, when the witch hunt ends, you don't want to be the one wearing the pointy hat.

Apologies for the hijacked thread...

Karl Drugge
Re: [Declude.JunkMail] OT: Message Storage
Ok, I'll add another few cents due to popular demand. I do wish however for this to not become a thread with personal attacks or charges, which is why I tend to step away from such discussions.

I had a client who is a publicly traded bank complete their annual FFIEC audit today. Two of my systems were included in this audit, and the bank's lead IT consultant is a 20 year good friend who is also my own network and security guru who is my own emergency backup. He also services other financial firms that are audited annually. Just to be clear, I did not participate directly in the audit, though the regulations are a constant topic of conversation. There is no doubt that banks are held to a higher standard than others.

The technical phase of the audit is carried out by examiners. These people are merely consultants hired by the feds to conduct these audits. The primary part of the audit is carried out by regulators who are the accountants that go over the books. The examiners are often times less experienced than the IT staff and their own IT consultants. They come in and inspect systems according to checklists, and sometimes go further. They use tools such as ISS scanners to go over a network looking for vulnerabilities.

In this particular audit the customer was flagged for running E-mail servers on every one of their desktops. The E-mail servers were reported as being Symantec Security Suite, and was the result of running the scanner from a laptop that had Symantec Security Suite installed on it (the bank clients did not run this). Even though this was pointed out to them, they still included it in their report and flagged it as a possible false positive because they said they were just following directions and using the tools they were given. They also claimed that the bank was potentially insecure because they had IP space listed in ARIN (which is RFC/ARIN required). They then claimed that their E-mail server, which is fully firewalled from outside connections, was insecure because it exposed its own IP address in Received headers for outgoing E-mail. These were both bogus and short-sighted issues.

This client always gets rave marks on their audits, but the examiners always point out something just to prove that they were doing their job. They send a report to the board of directors for the client, and then it is the job of the IT staff to address all of those items to the board. They are not required to change anything, or at least there has never been an issue that was required to be changed, and nit-picky stuff like ARIN records for IP space are merely explained and not changed.

In another place that I am aware of, the examiners recommended changing to a commercial IT security package because they did not understand the security as it was implemented. This was an issue with the examiners and not the financial institution. While this does confirm that the examiners prefer commercial packages, it does not justify the use of commercial packages since this is not a requirement, and it is merely a consultant examiner that is not fully versed in network security. For instance, they may be uncomfortable with a hardened linux kernel running SNORT for IDS, but if you buy a commercial package with a fancy name that is merely a hardened linux kernel running SNORT, they may be happy since they know the product name.

Regarding SOX compliance, this never came up, and according to my friend that has done several dozen FFIEC audits, it never has. SOX is primarily covered by traditional audits and to the best of my knowledge, it is overseen by the PCAOB (which was created by Sarbanes-Oxley for compliance purposes). They deal with independent auditors, and it is apparently the responsibility of the independent auditors to verify SOX compliance, including E-mail archiving. I can't claim that FFIEC examiners or regulators won't look at SOX E-mail archiving, and the examiners do look at other systems for record retention regarding security, but it is clearly not universal, and FFIEC audits are the fiercest audits of them all.

For publicly traded non-financial corporations, FFIEC audits don't apply. They are clearly covered by SOX, and its E-mail retention rules, but they do not go to the same extent in examining systems. SOX compliance as far as E-mail retention is not defined as far as the technical implementation goes, and it appears that fines for this to date result from other activities besides audits.

I have also found documentation showing that E-mail retention procedures (technical implementations) are not a one-size-fits-all situation and should be approached according to the size of the business. Some smaller companies merely retain backups of systems like Exchange in order to meet compliance, while larger ones must use more complicated solutions in order to create a situation where the communications are
RE: [Declude.JunkMail] OT: Message Storage
I know you said that catch all does not work but something I do for certain clients is make two email accounts.

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Then I make a rule in Imail that sends a copy of all incoming to the incoming address and then a copy of the outgoing mail to the outgoing email address.

The file sizes can get huge if it's a busy domain but I also run a vbscript every couple of days that moves the main.mbx to our backup server and renames the file 12142006main.mbx.

It's not the most elegant solution but it's free.

I would be interested in a paid solution though if there is one out there.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of William Stillwell
Sent: Thursday, December 14, 2006 7:26 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] OT: Message Storage

Does anybody know of a product (that doesn't cost an arm, and three legs) that will archive all email for a specific domain for x number of years?

Imail CopyAll Will not work.. No way to organize all the email, and I don't want to archive the spam...
RE: [Declude.JunkMail] OT: Message Storage
The Imail CopyAll account will work, along with Imail Rules on that account.

John T
eServices For You

Life is a succession of lessons which must be lived to be understood.
Ralph Waldo Emerson (1802-1882)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of William Stillwell
Sent: Thursday, December 14, 2006 10:26 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] OT: Message Storage

Does anybody know of a product (that doesn't cost an arm, and three legs) that will archive all email for a specific domain for x number of years?

Imail CopyAll Will not work.. No way to organize all the email, and I don't want to archive the spam...
RE: [Declude.JunkMail] OT: Message Storage
I will keep ya posted. We are looking into some third party products and other solutions.

Your solution would work, however, when given a request to have all of the email of a certain person for x months, it is not easy to do when you have to sift thru gigs of email.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Edmonds
Sent: Thursday, December 14, 2006 2:18 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Message Storage
Importance: High

I know you said that catch all does not work but something I do for certain clients is make two email accounts.

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Then I make a rule in Imail that sends a copy of all incoming to the incoming address and then a copy of the outgoing mail to the outgoing email address.

The file sizes can get huge if it's a busy domain but I also run a vbscript every couple of days that moves the main.mbx to our backup server and renames the file 12142006main.mbx.

It's not the most elegant solution but it's free.

I would be interested in a paid solution though if there is one out there.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
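An added example (not code from any poster in this thread) of the date-stamped rotation Craig describes and the per-period lookup William asks about: the copy is hash-verified before the live file is removed, and archive names are parsed into dates because MMDDYYYY prefixes do not sort chronologically. The function names, directory layout and sample files are assumptions; only the main.mbx / MMDDYYYYmain.mbx naming comes from the thread.

```python
import hashlib
import re
import shutil
import tempfile
from datetime import date
from pathlib import Path

# Naming from the thread: main.mbx is rotated to MMDDYYYYmain.mbx.
ARCHIVE_RE = re.compile(r"^(\d{2})(\d{2})(\d{4})main\.mbx$")


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large mailboxes are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def rotate(mailbox, backup_dir, today):
    """Copy mailbox to backup_dir as MMDDYYYY<name>, verify it, then delete the source."""
    mailbox, backup_dir = Path(mailbox), Path(backup_dir)
    target = backup_dir / f"{today:%m%d%Y}{mailbox.name}"
    if target.exists():
        # A second run on the same day must not replace an existing archive.
        raise FileExistsError(f"{target} already exists")
    backup_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(mailbox, target)
    # If mail was appended to the mailbox during the copy, the hashes differ:
    # discard the partial archive and leave the live file untouched. This
    # narrows, but does not close, the window for new mail to arrive; pausing
    # delivery around the rotation is the safer setup.
    if sha256_of(mailbox) != sha256_of(target):
        target.unlink()
        raise OSError("archive copy does not match source; nothing removed")
    mailbox.unlink()
    return target


def archive_date(path):
    """Return the rotation date encoded in an archive file name, or None."""
    m = ARCHIVE_RE.match(Path(path).name)
    if not m:
        return None
    month, day, year = map(int, m.groups())
    try:
        return date(year, month, day)
    except ValueError:  # digits that are not a real date, e.g. 13402006main.mbx
        return None


def archives_for_period(backup_dir, start, end):
    """List the archives that can hold mail received from start to end (inclusive).

    An archive dated D holds everything since the previous rotation, so the
    first archive dated after `end` is included as well.
    """
    dated = []
    for p in Path(backup_dir).iterdir():
        d = archive_date(p)
        if d is not None:
            dated.append((d, p))
    dated.sort(key=lambda item: item[0])  # chronological, not by file name
    selected = []
    for d, p in dated:
        if d < start:
            continue
        selected.append(p)
        if d > end:
            break
    return selected


if __name__ == "__main__":
    # Constructed sample data in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "main.mbx"
        backup = Path(tmp) / "backup"
        for day in (date(2006, 12, 14), date(2006, 12, 18), date(2007, 1, 2)):
            live.write_bytes(b"constructed sample mailbox\n")
            print("rotated to", rotate(live, backup, day).name)
        hits = archives_for_period(backup, date(2006, 12, 15), date(2006, 12, 20))
        print([p.name for p in hits])
```

This only narrows the search to the right archive files; picking out one person's messages still means reading those files.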
Re: [Declude.JunkMail] OT: Message Storage
Brand it with a fancy name and they should be happy. IMail stores messages in an open format, and as long as you catch all of it, and archive it as required, that should be all that counts. Naturally I'm simplifying, but in reality, all of these other products are programmed by people too.

Matt

Sanford Whiteman wrote:

... and it should be acceptable to the feds.

Which feds? The regulatory agencies I know would scoff at such a solution. But the OP didn't mention this being done for external regulatory reasons, anyway.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
Re: [Declude.JunkMail] OT: Message Storage
Sanford Whiteman wrote:

Unlike... um, anyone on this list, it seems... I know firsthand what SEC and NASD think of homegrown compliance solutions.

That's why you pay someone else to do it and insist that they slap on a fancy name like Perfect Super Uber E-mail Compliance Archive System.

But seriously, the baseline test is whether or not it works, and no one should invest in something that doesn't meet regulations. I do have some experience with the feds, and I did work for a multi-billion dollar corporation where my immediate boss was in charge of E-mail for the entire company, and we were always being sued by someone. That was pre-SOX though, but we all knew it was coming and that it mostly just clarified retention policies by better defining what was classified as a covered communication. I also have a good friend who deals with bank audits on a regular basis as well as SOX compliance. When audited, they will always point a list of things out, and they can find fault with anything that they choose to find fault with. The real trick is ensuring that you aren't grossly negligent. Also note that Congress didn't even specify retention periods within SOX or methods of retention, this was all inferred after the fact by combining aspects of various laws and regulations, and they certainly didn't endorse a particular product for providing a solution.

With all of that said, I believe that what one does should be compatible with the dynamics of one's business. For a single location entity with less than 200 employees, clearly a less robust solution could manage the task, and it could be home grown. Those that have many more employees and multiple locations would likely find a commercial solution more beneficial overall. There are even situations with multi-national companies where it is pretty much impossible to be in compliance with every regulation that applies to them. For instance, some countries require removing certain records for privacy, while others require retaining all such records for oversight and legal reasons.

Matt