Data Protection Solutions Best Practice

1
Data Protection SolutionsBest Practice

• www.pivotstor.com

2
Why Do We Need It?

• Am I Safe From
• Government Regulations
• Tax laws
• Corporate Governance
• Shareholders
• Legal Issues?
• Lawsuit
• HR
• Industry Business
• All Companies Have to Comply to Regulations

3
Why Do We Need It?

• Sarbanes-Oxley Act of 2002
• RICA
• KING II
• Financial Services Markets Act 1970
• Basel II Capital Accord
• Enterprise Act of 2000
• ISO 27001
• Financial Modernisation Act 1999
• Public Law Act 104-191 Part 164
• Data Protection Act 1998
• Freedom of Information Act 2000
• Human Rights Act 1998
• FRCP U.S Act of 2005
• Etc...............................................
  ..

4
What Do Companies Believe?

• I have a backup, I dont need an archive
• Backup is for DR
• Cost of restoring for legal use is huge
• Non-production systems built paid for
• Manual searching by people
• Backup is not geared to find restore individual
  mail
• IT intensive
• Backup not provable as Tamper Proof
• Backup is an off-Line medium
• Not directly visible to users
• Archive is an on-line or near-line medium
• Directly visible accessible by users
• Advanced search of subject/body text/attachments

5
What Do Companies Believe?

• I run anti-virus anti-spam on my server
• A good start!
• Runs at server/email server/desktop level
• Problems have already entered the system
• Increased network loading
• Increased server/email server/desktop loading
• Better to catch it as it enters the gateway!

6
What Do Companies Believe?

• I just keep everything on the server
• Too much data on systems slows things down
• Typically only 20 of server data is needed to
  run a company
• Why backup store the other 80 of unchanged
  data?
• For DR why restore 80 of unchanged data?

7
What Do Companies Believe?

• I know what is happening in my systems
• Percentage of spam viruses?
• How much user time is lost to managing email?
• What the exact status is of the systems ?
• Reporting

8
Examples of Record Retention Requirements

• Section 222(5) of the Companies Act 1985
• Records relating to company accounts must be
  retained
• Public companies, minimum of 6 years
• Private companies, minimum of 3 years
• Company Directors and Officers must ensure
  compliance
• Penalties are prison sentence of up to 2 years,
  fine of up to 5,000, or both
• Tax Management Act 1970
• Retention of records relation to employee
  payments
• Including payment made to or on behalf of
  employee I.e. expenses

9
Legal Admissibility

• Civil Evidence Act 1995 (section 4)
• Electronic data is legally admissible in court
• Evidential Weight
• Ability to prove records have not been tampered
  with
• Inability to demonstrate this standard has meant
  lost cases
• BSi DISC PD 00081999 provides a code of practice
  for electronic storage for legal admissibility
• Discovery
• Civil Procedure Rules, Part 31
• In 1996 Norwich Union settled out of court (cost
  450,000) plus legal expenses estimated at a
  further 1,000,000 rather than try and locate and
  provide email evidence in their libel defense
  against Western Provident Assurance.

10
Best Practice Is Easy.

• Ensure an Authentic Copy Digital Signatures
• Must be able to prove that the delivered sent
  emails are exact copies as is stored in the
  Archive
• Ensure that the Archive System is Tamper Proof
• Water tight Archive DB Password protected
  Database
• What happens if the archive media is stolen?
• Encrypted archived emails
• Ensure that no back-doors are available for
  hackers
• Closed system solution
• Business (not user) defined Archive Policies
• Approved internal company archiving policies
• Installs on server, not desktops
• Archives all email according to company policies

11
Best Practice Is Easy.

• Full Audit ability of access and movement
• Must be able to provide reports detailing the
  life of each individual email
• Cradle to grave Audit report per email
• Full search capability
• Must be able to search the email archive on
  content, subject addresses
• Feature also includes and/or/if logic

12
Summary

• 5 Basic Building Blocks
• Manage data
• Find information
• Protect from attack
• Too much data slows things down
• Network
• Servers
• Users

13
Thank You