
HIPAA is the United States Health Insurance Portability and Accountability Act of 1996.

There are two sections to the Act. HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs. HIPAA Title II includes an administrative simplification section which deals with the standardization of healthcare-related information systems. In the information technology industries, this section is what most people mean when they refer to HIPAA. HIPAA establishes mandatory regulations that require extensive changes to the way that health providers conduct business. HIPAA seeks to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. The Act mandates: standardized formats for all patient health, administrative, and financial data; unique identifiers (ID numbers) for each healthcare entity, including individuals, employers, health plans and health care providers; and security mechanisms to ensure confidentiality and data integrity for any information that identifies an individual.

What SOX is and why the pressure to comply is on the CEO and CFO
SOX, or the Sarbanes-Oxley Act, is the US government's legislative solution to prevent a recurrence of devastating accounting scandals like the ones that rocked Enron and Worldcom. SOX requires publicly owned firms to establish reliable internal controls that can guarantee a company's capability to produce accurate financial reports and consequently protect its investors. To compel top executives into making sure their companies strictly adhere to SOX's requirements, the government has given them full responsibility. Simply put, if anything goes wrong, you, the top executive, take the blame. If you are found to have falsely certified the truthfulness and accuracy of a report which is later discovered to be misleading and inaccurate, then you could be fined up to $5 Million, imprisoned for up to 20 years, or be made to endure both. Section 302, entitled CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS, states among other things that principal executive officers and principal financial officers are required to certify in each annual or quarterly report that:

they have reviewed the report; based on their knowledge, the report does not contain a false statement of a material fact that would make the report misleading; the report does not fail to include a material fact; they are responsible for establishing and maintaining internal controls; they have designed the internal controls to ensure that all material information is known to them; they have evaluated the effectiveness of those internal controls.

Similarly, Section 404, entitled MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS, tasked the US Securities and Exchange Commission (SEC) with requiring that each annual report contain an internal control report stating the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and assessing the effectiveness of those internal controls.

Congress further mandates that these assessments should then be attested to by public accounting firms in accordance with standards adopted by the Public Company Accounting Oversight Board (PCAOB). Section 404 therefore dictates that, as the CEO or CFO, you should exercise all means to ensure that internal controls over financial reporting which are acceptable to the SEC and PCAOB are in place. This would help you prove, in the event a problem arises, that you have done everything in your power to establish controls that should have prevented such a problem from taking place.

Where to find guidance for compliance

Neither the SEC nor the PCAOB explicitly mentions what specific actions you need to take. Instead, they advise companies to adopt suitable and recognized control frameworks. The most widely accepted of these is COSO, a framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). However, because COSO was formulated before information technology went mainstream, many of its internal control standards do not directly address the intricacies of modern IT systems. Since a large number of companies now have IT systems tightly integrated into their business processes and shared services, these companies have turned to frameworks that are more attuned to the times. The most widely recognized is COBIT. COBIT (Control Objectives for Information and related Technology) is well aligned and harmonized with COSO as well as with other IT standards and good practices like ITIL, ISO 27000, CMMI, TOGAF and PMBOK. Thus, COBIT is where you can find answers if you want to know what actions you need to take to establish IT-related internal controls that are acceptable to the SEC and PCAOB.

So how does SOX affect email systems?

The speed, accessibility, and convenience of email have made it an invaluable tool for exchanging information. In the business world, it is not only the most widely used medium for communication; it is also a favorite tool for exchanging data. In most cases, this data could very well take the form of financial information: people either attach Excel spreadsheets containing it to emails or insert the data into the email message itself. Try to picture your organization as it approaches a financial close. Before all your relevant data gets consolidated into a financial report, your people embark on an email-sending frenzy involving the exchange and submission of financial information that will eventually find its way into the final report. Depending on the size and scope of your organization, these activities can span entire buildings, cities, states, and for some, even continents. Clearly, email systems play a huge role in financial reporting and hence in Sarbanes-Oxley Act compliance. If something goes wrong during the exchange of email due to a lack of effective controls, or if rogue individuals are given the opportunity to peer into confidential information and alter it, then the accuracy and reliability of the financial reports will certainly no longer hold. But is this possible? Can anyone really access the contents of email not intended for them? Absolutely. Many of the email systems out there are very vulnerable to unauthorized access. That's because, when you send out an email, a copy of it is stored in plain text on your computer's hard disk. Similar copies are likewise stored on your mail server and on your recipient's mail server. Finally, another copy is stored on your recipient's hard disk. What if you send to, say, 5 other recipients? Then the exposed copies are multiplied accordingly. That's not going to sound very comforting when you're struggling to achieve SOX compliance. So what can be done?

How to achieve email compliance with SOX

For that question, we already gave you a hint earlier as to where you can find the right answers: you turn to COBIT. Remember that COBIT is the most widely accepted framework when it comes to IT controls. Basically, COBIT comes with what are known as control objectives, which deal with different facets of IT, including email. You can download the latest version of COBIT by following the link at the bottom of this article. The high-level and detailed control objectives that address email-related issues are too many to tackle individually in this article, but let me point out some of them.

Note: The following text is based on COBIT version 4.0, so there might be some slight differences if you're viewing a more recent version.

High-level control objective DS2 (Manage Third-Party Services)

This focuses on the need to ensure that services provided by third parties meet business requirements. Among its detailed control objectives is DS2.3 (Supplier Risk Management), which ensures continuous, effective service delivery in a secure and efficient manner, and the presence of contracts that conform to universal business standards and regulatory requirements.

High-level control objective DS4 (Ensure Continuous Service)

This focuses on the need to provide continuous IT services capable of minimising the probability and impact of a major IT service interruption on key business functions and processes. In case you're wondering what DS2 and DS4 have to do with email services, just imagine what would happen if, at the height of a financial close, email services went down for a long time. How could you hope to exchange financial information with colleagues in other geographical locations, or even deliver your financial reports in a timely manner?

High-level control objective DS5 (Ensure Systems Security)

This addresses the need to maintain the integrity of information. Some of the widely accepted controls associated with this control objective include access controls, antivirus software and encryption.

High-level control objective DS11 (Manage Data)

This deals with establishing effective procedures for data backup and recovery.

There may be other control objectives you might want to look into once you've downloaded the COBIT document, but these four can certainly get you far in your compliance initiatives. Now that you know where to find your control objectives, it's time to talk about an actual solution.

An easy way to achieve email compliance with the Sarbanes-Oxley Act

While it is very important to implement an email compliance solution that conforms to the control objectives laid out by COBIT, it is equally important for the solution to be flexible enough not to considerably impede business processes. That's why we recommend Sendinc. This easy-to-use email archiving solution conforms to COBIT control objectives while allowing users to carry out email activities in the same manner they've been used to. Let's go back to the COBIT control objectives we mentioned earlier and see how Sendinc complies with each.

DS2: Sendinc systems are operated in secure SAS 70 Type II data centers. That means those data centers have undergone an in-depth audit of their control objectives and control activities. SAS 70 is a widely recognized auditing standard.

DS4: Backed by Amazon.com's highly durable S3 infrastructure, Sendinc is able to deliver 99.99% availability. This means that if an interruption takes place, you can get back into operation in no time.

DS5: Before you can send a message through Sendinc, you'll be asked to log into the system using your email address, which serves as your username, and a password. All messages and attachments are transmitted through the data centers using 256-bit SSL encryption. This is exactly the same kind of encryption technology employed by popular e-commerce and banking sites. With this technology, it won't matter if rogue individuals are able to get hold of your message: they still won't be able to see what's inside. To further protect the integrity of your messages, they will be scanned for viruses.

DS11: Again, data is stored in Amazon.com's S3 infrastructure, so your data stays safe and secure.
