by: CipherTrust
“The two overarching themes fo.compliance management in 2005 will be the adoption of best practices and the accelerated focus on and use of IT.” Gartner Research
Federal legislation targeting the dissemination of private information has forced businesses in every industry to rethink how
the.communicate. The three primary regulations, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley (SOX) affect virtually every aspect of an organization’s information sharing practices, an.complying with these laws requires a new approach t.communication as a whole. As e-mail has become the most importan.communication tool for any organization, special care must be taken to ensure that all messages sent or received are within the realm of legally appropriate interaction.
Each of the three primary regulations affects a different area of an enterprise’.communications. The HIPAA and GLBA regulations are similar in scope, but differ in their targeted industries; SOX differs in that it pertains not only to personal information, but also to the integrity of financial reporting data. While the acts differ from one another in their language, they all share on.common attribute: stiff penalties for those who violate them.
For email, most vendors have focused on content filtering and encryption technology as a contributor t.compliance. While both of these technologies are necessary for ensurin.compliance, relying solely on these tools does not provide adequate protection. An effective approach to regulator.compliance must consist of multiple technologies working together to:
Accurately detect regulated material
Dynamically act to preven.compliance violations in real time
Protect not only messages but also users and systems
Verify and demonstrat.compliance through reporting and integrity checks
Detection
The text contained within an e-mail message must be thoroughly scanned in order to identify terms that could constitute a violation of the law. Dynamic dictionaries of regulation-specific terms must be maintained an.common formats such as Social Security and credit card numbers must be identified before the message leaves the e-mail gateway. File attachments present an additional risk, as they can contain libraries of information that must also be handled in accordance with federal guidelines. To neutralize the threat of file attachments, file attachments must be verified based on their encoding, not just their extension. Archives such as .zip files must also be thoroughly scanned in order to evaluate everything contained in the archive.
Violation Prevention
While identifyin.compliance violations is the first step in the process of regulator.compliance, detection alone is insufficient. Knowledge of a violation is important, but stopping the violation before it ever leaves the gateway is imperative. .compliance solution that is deployed at the email gateway ensures that no messages will leave or enter the organization without first passing through the appliance. This ensures that the organization is not left exposed to employee error or malicious intent, whether from outside the gateway or within it.
Organization-Wide Protection
A tota.compliance solution must provide defense for multiple levels of an organization’.communication network, from individual messages to the users who send and receive them, to the very systems that transfer and store critical information.
Messages
Automated and policy-driven encryption protects customer data and ensures the integrity of financial data when in transit. .complete encryption solution must be able to dynamically select the most appropriate encryption solution based on the recipient’s capabilities, including secure delivery to end users with unknown encryption capabilities, as is often the case when using email t.communicate with clients in healthcare and financial services.
Users
End users who send non-compliant information via e-mail through unprotected gateways face the very real threat of job termination, lawsuits and even prosecution, should their messages end up in the wrong hands. Regardless of whether the user’s intention is malicious or a simple mistake, an effectiv.compliance solution will ensure that no damage is done.
Systems
Complet.compliance requires an e-mail specific firewall and intrusion prevention system. Gateway appliances designed to contribute to regulator.compliance must be able to detect and block hacker attacks directed at the appliance itself, as well as at the mail servers and other systems sitting “behind” it. Without this level of protection, vouching for the integrity of information sent via e-mail is impossible.
Monitoring and Reporting
Compliance is not just about detecting and controlling certain types of content. It also requires reporting an.communication o.compliance status.compliance officers and administrators must be able to easily access data in order to:
Analyze and improve the organization’.compliance efforts
Automatically deliver decision-making information t.compliance officers in a timely manner
Easily generate executive-level reports instantly
Take the Next Step towar.complet.compliance
The last thing your enterprise needs is regulatory trouble, and the surest way to find it is by violating federal legislation. To that end, IronMail’.compliance Control features best-of-breed policy enforcement capabilities, givin.compliance officers and executives the peace of mind tha.comes with staying on the right side of the law. To learn more about how IronMail can help your organizatio.comply with the stringent rules surrounding information privacy, download CipherTrust’s free whitepaper, “Compliance Control: Contributing to Corporate Regulator.compliance.”
About the Author
CipherTrust is the leader in anti-spam and email security. Learn more by downloading our free whitepaper, “Compliance Control: Contributing to Corporate Regulator.compliance.” or by visiting
ciphertrust.com.
