Does SOX provision email archiving?
Although SOX may lack specificity regarding certain controls, it does have clear mandates for email retention.
Many organizations have adopted the COBIT framework to guide their security program for SOX, since many auditors have informally deemed that framework broad enough to ensure strong financial controls.
Regarding email retention, SOX section 802 requires that organizations retain auditing information for a minimum of seven years. This includes electronic records, which presumably encompasses email, thus enterprises are best off retaining email for at least seven years. This will also help with emerging e-discovery regulations, which also mandate that electronic information be available for several years.
More information:
- Have a well-planned data retention policy and ease e-discovery preparation.
- Learn to aid compliance efforts with penetration testing.