Managing email regulatory compliance and security in the financial services sector can be a daunting task. Email can be both the best and worst thing for the business. On the one hand it speeds up the business and makes servicing customers and partners a breeze, but there is a dark side. One high-profile case involved a star investment banker at Credit Suisse First Boston who sent an e-mail to over 400 subordinates telling them to clean up their e-mail accounts. Federal prosecutors used that e-mail as evidence of a cover-up of improper trading at CSFB, and the banker was later convicted on obstruction of justice charges.
This blog post will help you understand the issues present and offer best practices to help manage compliance all while getting the benefits of this crucial communications tool.
The First Step is a Well Crafted Policy
Before you can bring control to email you must first define a policy. It may seem very basic, but your e-mail security policy must define exactly what e-mail is.
A good working definition covers all electronically transmitted messages, regardless of format (HTML, XML, RTF, etc.), attachments (documents, spreadsheets, graphics, etc.) and the supporting infrastructure (the servers that transmit and store e-mail). For financial services this list will include services such as Bloomberg mail and instant messaging, Internet mail providers and, of course, your in-house MS Exchange, Lotus Notes or other email system.
You will need to refer to your information security policy or data protection policy (if available) to have a crisp definition of your company’s specific data classification framework. This is important if you decide that certain information must not be transmitted insecurely or at all via email. We will discuss this more in detail in the data leakage section below.
Now that you have defined what email is, it's time to consider the myriad regulations that apply to it. For most firms in the financial services industry the SEC is a good starting point; if your firm belongs to a self-regulatory organization, check with that body about the rules it applies to email.
Archiving Email
Here we focus on the main regulatory issues. For starters, the requirement to archive email for a specified retention period, typically cited as 10 years (confirm the period your own regulator requires), should be at the top of your list. Archiving must be done in a manner that prevents users from deleting what could later be important evidence in an investigation. The best way to accomplish this is to journal both incoming and outgoing email to the archive in real time, at the mail server rather than from user mailboxes, so that users cannot mass delete what has already been captured. Consider a secure offsite archive. Ideally this archive is managed by administrators without a conflict of interest, such as an outsourced provider, which lessens the chance of a malicious insider destroying email and data.
Your choice of archive technology and/or outsourced provider should include protections against alteration or deletion. A forensically sound system is best: one that applies cryptographic checksums or hashes, encryption, digital signatures, timestamps and similar data protection mechanisms that can stand up in an investigation or under cross examination in a court of law. Two details matter in practice. A hash of each message on its own proves only that a message you still hold is unchanged; to show that nothing was removed, records must be chained or covered by a signed index. And the timestamp that counts is the one the archive applies at capture, since the Date header is set by the sender's machine. When something was emailed may be as important as what was emailed. Think back to the Martha Stewart case, where the timing of communications was critical. That's why nothing less than a rock solid, forensically sound system will do.
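The following Go program is an added example, written for this page rather than taken from the original article or from any archiving product, of what a chained, keyed and timestamped journal buys you. Each captured message becomes a record whose HMAC covers its own fields plus the MAC of the record before it, so an altered body, a reordered record or a deleted-and-renumbered record all fail verification. The journal key, domain names, message bodies and timestamps are constructed for the example; in a real deployment the key would sit in a KMS or HSM that the archive operator cannot reach.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// ArchiveRecord is one journaled message. The MAC covers every other field,
// including the MAC of the previous record, so altering, reordering or
// removing a record breaks verification from that point onward.
type ArchiveRecord struct {
	Seq      uint64
	Received time.Time // capture time stamped by the journal, not the sender's Date header
	From     string
	To       string
	Subject  string
	BodyHash string // SHA-256 of the raw message as captured (headers, body, attachments)
	PrevMAC  string // MAC of the previous record; empty for the first record
	MAC      string // HMAC-SHA256 over the fields above, keyed with the firm's journal key
}

// canonical serialises a record with length-prefixed fields so that no other
// combination of field values can produce the same byte string.
func canonical(r ArchiveRecord) []byte {
	var b strings.Builder
	for _, f := range []string{fmt.Sprint(r.Seq), r.Received.UTC().Format(time.RFC3339Nano),
		r.From, r.To, r.Subject, r.BodyHash, r.PrevMAC} {
		fmt.Fprintf(&b, "%d:%s", len(f), f)
	}
	return []byte(b.String())
}

// Journal is an append-only chain keyed by a secret the archive operator does not hold.
type Journal struct {
	key     []byte
	Records []ArchiveRecord
}

func (j *Journal) mac(r ArchiveRecord) string {
	m := hmac.New(sha256.New, j.key)
	m.Write(canonical(r))
	return hex.EncodeToString(m.Sum(nil))
}

// Append journals one captured message, linking it to the record before it.
func (j *Journal) Append(received time.Time, from, to, subject string, raw []byte) ArchiveRecord {
	sum := sha256.Sum256(raw)
	r := ArchiveRecord{Seq: uint64(len(j.Records)), Received: received, From: from, To: to,
		Subject: subject, BodyHash: hex.EncodeToString(sum[:])}
	if n := len(j.Records); n > 0 {
		r.PrevMAC = j.Records[n-1].MAC
	}
	r.MAC = j.mac(r)
	j.Records = append(j.Records, r)
	return r
}

// Verify walks the chain and reports the first record that fails. Truncating the
// tail is the one change it cannot see on its own: anchor the latest MAC somewhere
// the operator cannot rewrite (a signed daily digest, a WORM store).
func (j *Journal) Verify() error {
	prev := ""
	for i, r := range j.Records {
		if r.Seq != uint64(i) {
			return fmt.Errorf("record %d: sequence gap (found seq %d)", i, r.Seq)
		}
		if r.PrevMAC != prev {
			return fmt.Errorf("record %d: broken link to previous record", i)
		}
		if !hmac.Equal([]byte(r.MAC), []byte(j.mac(r))) {
			return fmt.Errorf("record %d: MAC mismatch, record was altered", i)
		}
		prev = r.MAC
	}
	return nil
}

// Demo journals three constructed messages and shows that the fresh chain verifies
// while an altered record and a deleted-then-renumbered record do not.
func Demo() (freshErr, tamperErr, deleteErr error) {
	key := []byte("constructed-journal-key-held-by-the-firm") // constructed for this example only
	j := &Journal{key: key}
	base := time.Date(2024, 3, 5, 14, 30, 0, 0, time.UTC)
	bodies := []string{"Long 10,000 XYZ at 42.10", "Clean up your mailboxes before the review", "Retention policy applies to all mail"}
	for i, body := range bodies {
		j.Append(base.Add(time.Duration(i)*time.Minute), "trader@bank.example", "desk@bank.example", fmt.Sprintf("msg %d", i), []byte(body))
	}
	freshErr = j.Verify()

	// An insider swaps the second record's body hash for that of an innocuous text.
	tampered := &Journal{key: key, Records: append([]ArchiveRecord(nil), j.Records...)}
	h := sha256.Sum256([]byte("Please file your expense reports"))
	tampered.Records[1].BodyHash = hex.EncodeToString(h[:])
	tamperErr = tampered.Verify()

	// An insider deletes the second record and renumbers the third to hide the gap.
	deleted := &Journal{key: key, Records: []ArchiveRecord{j.Records[0], j.Records[2]}}
	deleted.Records[1].Seq = 1
	deleteErr = deleted.Verify()
	return freshErr, tamperErr, deleteErr
}

func main() {
	fresh, tamper, del := Demo()
	fmt.Println("fresh chain:", fresh)
	fmt.Println("altered record:", tamper)
	fmt.Println("deleted record:", del)
}
```

The renumbering attack in Demo is the reason the chain link matters: a plain per-record hash or a sequence number alone would accept the shortened journal, but the surviving third record still carries the MAC of the record that was removed.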
Supervision Review Capability
Now that you are capturing the emails and securely archiving messages and attachments, you can focus on the next set of must-do items from a regulatory perspective. Supervisory review of email sent through the system is critical to meeting compliance objectives. You must have a program and policy in place that ensures regular review of the email content flowing through your company. The review has to be done in a manner that constitutes due care and monitoring to catch illicit or prohibited communications. The workflow may also have to meet requirements such as keyword matching, random sampling, review frequency or targeting of specific roles within the organization such as the trading desk. Your solution of choice must support these policy and regulatory requirements.
Detailed Reporting is a Must
In order to prove the effectiveness of your regulatory compliance program, you need to produce detailed reports on email activity. When the auditors come they will expect to see reports. For starters, your reporting should include the following.
• Measures of the effectiveness of the supervisory process.
• The number of non-compliant messages and policy violations in defined time periods.
• Actual messages reviewed and analyzed by supervisors.
• Tracking of outcomes or actions on violations detected.
• Volume of email archived by groups or users.
• System capacity remaining for archive.
• Access violations or archive tampering attempts.
• Audit reports of access to the archive and messages.
Don’t underestimate the importance of reporting. If you miss these critical capabilities you may find yourself with a failed audit despite your otherwise solid archiving practices.
Searching and Discovery Support
At this stage you have a good understanding of what it takes to document, capture, review and report on your email compliance program. This is all good until you get hit with your first discovery request, which can turn your world upside down. A single email discovery request can cost hundreds of thousands of dollars in labor, lost productivity, hardware and software by the time all is said and done.
It is therefore very important that your implementation support robust, precise and secure search. A discovery request will often specify users, keywords, phrases or time periods (sometimes all of these at once). Why does precision matter? Because an over-broad search turns up material that is not relevant to the matter at hand but is nonetheless serious: inappropriate activity recorded in email is often discovered this way, and producing it to outsiders along with the responsive messages can have consequences of its own.
Your email archiving solution should therefore offer precise search that can be scoped to a limited set of messages. As the old saying goes, "you may go looking for worms and find a snake".
Data Leakage
All the archiving in the world is not going to stop sensitive data from leaking out of the enterprise. There are two basic concerns here. The first is the data in the archive itself. It should be encrypted with a known, trusted and recognized algorithm such as AES, and the encryption keys must stay under the firm's control: if the outsourced provider holds the keys, "the provider cannot access your data" is not true in any meaningful sense. With the keys held by the firm, a breach of the provider's systems exposes ciphertext, not your email.
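To make the key-custody point concrete, here is an added Go example (written for this page, not code from the original article or from any archive vendor) of envelope encryption for archived messages: each message is encrypted under its own random data key with AES-256-GCM, and that data key is wrapped under a key-encryption key that only the firm holds. The provider stores both blobs and can read neither. The KEK, message ID, sender and message text are all constructed for the example; in production the KEK would be fetched from a KMS or HSM the provider cannot reach.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredMessage is what the archive provider receives: the ciphertext and a
// per-message data key (DEK) that is itself encrypted under the firm's
// key-encryption key (KEK). Without the KEK neither blob can be read.
type StoredMessage struct {
	MessageID  string
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, message), nonce prepended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with a fresh random nonce and returns nonce || ciphertext || tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal and fails if the tag or the associated data do not match.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt runs inside the firm before the message is shipped to the provider.
// The message ID is bound in as associated data, so a ciphertext cannot be
// quietly moved to a different record without detection.
func Encrypt(kek []byte, id string, message []byte) (StoredMessage, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredMessage{}, err
	}
	ct, err := gcmSeal(dek, message, []byte(id))
	if err != nil {
		return StoredMessage{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(id))
	if err != nil {
		return StoredMessage{}, err
	}
	return StoredMessage{MessageID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt runs under the firm's KEK, e.g. for a supervisory review or discovery pull.
func Decrypt(kek []byte, m StoredMessage) ([]byte, error) {
	dek, err := gcmOpen(kek, m.WrappedDEK, []byte(m.MessageID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dek, m.Ciphertext, []byte(m.MessageID))
}

// Demo encrypts a constructed message and shows the three outcomes that matter:
// the firm reads it back, a key the provider might hold cannot, and a modified
// ciphertext is rejected rather than silently decrypted.
func Demo() (stored StoredMessage, plain []byte, wrongKeyErr, tamperErr error) {
	kek := make([]byte, 32) // constructed for the example; production: KMS/HSM-held
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	msg := []byte("From: cfo@bank.example\r\nSubject: Q3 forecast\r\n\r\nRevenue will miss guidance by 8%.")
	var err error
	if stored, err = Encrypt(kek, "msg-0001", msg); err != nil {
		panic(err)
	}
	if plain, err = Decrypt(kek, stored); err != nil {
		panic(err)
	}
	providerKey := make([]byte, 32) // the provider never receives the KEK; anything it holds is the wrong key
	_, wrongKeyErr = Decrypt(providerKey, stored)
	corrupted := stored
	corrupted.Ciphertext = append([]byte(nil), stored.Ciphertext...)
	corrupted.Ciphertext[len(corrupted.Ciphertext)-1] ^= 0x01 // flip one bit of the tag
	_, tamperErr = Decrypt(kek, corrupted)
	return stored, plain, wrongKeyErr, tamperErr
}

func main() {
	_, plain, wrongKey, tamper := Demo()
	fmt.Printf("firm reads: %q\nprovider key: %v\ntampered blob: %v\n", plain, wrongKey, tamper)
}
```

Using an authenticated mode (GCM) rather than bare AES-CBC is what turns the second concern on this page into a check: a provider or intruder who edits a stored blob gets a decryption failure on the firm's side, not a subtly changed message.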
The second concern is, of course, sensitive data leaking in emails sent outside the firewall. To deal with this risk you need to define the types of data that fall into this classification.
E-mail gives rogue or hapless users an easy way to expose financial statements and other sensitive material. Your email policy should indicate which material shouldn't be sent electronically. This won't stop corporate espionage, but it will help keep honest users from inadvertently leaking financial data to their entire global address list.
As we mentioned earlier in the policy section, your data protection policy or data classification framework plays an important role in policy enforcement. Many of the email data leakage solutions available require a concept of classification.
The first layer of defense in secure email proxy solutions is usually keyword or pattern matching. For example, U.S. social security numbers take the form 000-00-0000 through 999-99-9999; a proxy can detect this pattern and block the message, perhaps raising an event or alarm for the security administrator to review. Similarly, keyword rules may catch phrases like "sell short" or "hot stock" and block those messages. These approaches are hit or miss: a number written with spaces instead of hyphens or a slightly reworded phrase slips through, and legitimate messages get blocked by accident.
A second layer of defense is therefore often required. Tagging data, documents or messages with classification levels lets the gateway stop sensitive, restricted information from leaving the company mail system regardless of its wording. Many appliance-based solutions combine these techniques to prevent deliberate or accidental leakage in emails sent beyond the firewall.
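The two layers just described, as an added Go example written for this page (not the original article's code, and not a reconstruction of any particular DLP appliance): layer 1 runs the SSN pattern and a small keyword lexicon over the subject and body of outbound mail; layer 2 blocks on the classification tag alone. The internal domain name, the lexicon and the five sample messages are constructed for the example; the last sample writes the SSN with spaces and gets through layer 1, which is the "hit or miss" failure the text warns about.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// internalDomain is an assumed name for the firm's own mail domain.
const internalDomain = "bank.example"

// Message is the subset of an outbound mail that the proxy inspects.
// Classification carries the tag a labelling tool put on the message or its
// attachment (for example an X-Classification header); empty when untagged.
type Message struct {
	From, To, Subject, Body string
	Classification          string
}

// Verdict is the proxy's decision and one reason per rule that fired.
type Verdict struct {
	Block   bool
	Reasons []string
}

var (
	// Layer 1: the SSN shape from the text, 000-00-0000 through 999-99-9999.
	ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	// Layer 1: a constructed supervisory lexicon for a trading desk.
	phrasePattern = regexp.MustCompile(`(?i)\b(sell short|hot stock|guaranteed return|off the books)\b`)
	// Layer 2: classification tags that must never leave the mail system.
	blockedTags = map[string]bool{"restricted": true, "confidential": true}
)

func isExternal(addr string) bool {
	at := strings.LastIndex(addr, "@")
	return at < 0 || !strings.EqualFold(addr[at+1:], internalDomain)
}

// Inspect applies both layers to mail leaving the firewall; internal mail is
// out of scope for this gateway rule set and is returned unblocked.
func Inspect(m Message) Verdict {
	var v Verdict
	if !isExternal(m.To) {
		return v
	}
	text := m.Subject + "\n" + m.Body
	if hits := ssnPattern.FindAllString(text, -1); len(hits) > 0 {
		v.Reasons = append(v.Reasons, fmt.Sprintf("%d SSN-shaped value(s)", len(hits)))
	}
	if hit := phrasePattern.FindString(text); hit != "" {
		v.Reasons = append(v.Reasons, "prohibited phrase: "+strings.ToLower(hit))
	}
	if blockedTags[strings.ToLower(m.Classification)] {
		v.Reasons = append(v.Reasons, "classified "+m.Classification+" sent to external recipient")
	}
	v.Block = len(v.Reasons) > 0
	return v
}

// SampleMessages are constructed for this example. Only the third is caught
// by layer 2; the fifth evades layer 1 because the SSN is written with spaces.
func SampleMessages() []Message {
	return []Message{
		{From: "ops@bank.example", To: "vendor@example.net", Subject: "KYC file", Body: "Client SSN 123-45-6789, please onboard.", Classification: "Internal"},
		{From: "trader@bank.example", To: "buddy@example.net", Subject: "tip", Body: "Hot stock, get in before Friday.", Classification: "Internal"},
		{From: "cfo@bank.example", To: "analyst@example.net", Subject: "Q3 numbers", Body: "See attached forecast.", Classification: "Restricted"},
		{From: "cfo@bank.example", To: "cfo-office@bank.example", Subject: "Q3 numbers", Body: "See attached forecast.", Classification: "Restricted"},
		{From: "hr@bank.example", To: "payroll@example.net", Subject: "new hire", Body: "SSN is 123 45 6789.", Classification: "Internal"},
	}
}

func main() {
	for _, m := range SampleMessages() {
		v := Inspect(m)
		fmt.Printf("%-26s block=%-5t %s\n", m.To, v.Block, strings.Join(v.Reasons, "; "))
	}
}
```

The fourth and fifth samples are the ones to study: the same Restricted forecast is allowed to an internal address and blocked to an external one without any content inspection, while the spaced SSN shows why a pattern layer on its own is not a control you can certify to an auditor.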
If you must send sensitive data outside the firewall, a policy requiring users to protect intellectual property and proprietary information is meaningless unless you give them a proper security mechanism. For e-mail, security usually means encryption. An e-mail security policy should specify the accepted types of encryption, when it must be used and how it will be implemented. For instance, installing PGP on executives' client machines can protect routine documents, while network-based (gateway) encryption tools are likely more appropriate for users who routinely exchange sensitive information with outside parties. Bear in mind that end-to-end client encryption also hides content from the gateway, so the archive and supervisory review described above must capture messages before they are encrypted or hold keys that allow them to be read. Protecting electronic information exchanges is essential for financial services firms.
Use Disclaimers as Damage Control
Enterprises should consider adding a disclaimer statement to the end of each e-mail, informing recipients of the sending organization's policy, the nature of the e-mail (such as "For Official Use Only") and what material it disavows. For instance, a securities trading firm may include in its disclaimer that it accepts no responsibility for falsely or improperly sent messages, and that any violation should be reported to a security manager.
A disclaimer puts the onus on recipients to act responsibly when receiving improperly disclosed information. One such disclaimer reads: "This message is intended only for the use of the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any use, dissemination, disclosure or copying of this communication is strictly prohibited. If you have received this communication in error, please destroy all copies of this message and its attachments and notify us immediately." Disclaimers offer no guarantee of compliance, but they do establish a legal standing for making claims against those who perpetrate a security violation.
Governance is Key
E-mail security policies should outline the roles and responsibilities of those managing the e-mail system. They set expectations as to how security managers, e-mail admins and other department managers respond to e-mail issues and security.
An e-mail security policy is worthless unless users are presented with it and periodically reminded of it. Best practice is to give new employees a copy of the policy when they are hired. Enterprises should treat e-mail security policies as dynamic documents that evolve to meet changing legal and operating conditions, technologies and threats. Annual reviews and revisions will ensure the policy keeps up with changing needs.
The Final Word
The financial services sector has perhaps one of the most difficult email security challenges of any industry. This article has armed you with proven best practices that can help mitigate your regulatory e-mail risks through sound policy, secure archiving, supervisory review practices, audit reporting and data leakage prevention.
Originally published on TechTarget SearchSecurity.com