When auditing the archiving process of emails the IS auditor should pay the most attention to?


Email archiving is the process of storing immutable copies of email messages in a digital archive, enabling audit teams to easily search, index and access any and all emails sent or received by an organization. 

Email archiving is an important tool for teams, especially in the cloud. The number one use case for email archiving is compliance; many industries must keep copies of emails in place in case of audits or legal investigations, and some compliance standards require that these copies be stored for a lengthy period of time.

But email archiving has other benefits for all organizations: it can provide business continuity if email networks go down, help with auditing in case of any litigation, and help to prove intellectual property ownership in copyright disputes. 

Broadly speaking, email archiving is a great way for businesses to keep on top of storing email communications, even after email networks have moved from on-premises to the cloud. As Mark Mulcahy, Technical Sales Director at Waterford Technologies, told Expert Insights: 

“Our [archiving] software helps you better protect your data. We are storing terabytes and terabytes of email data, which means we can understand it, we can clean it up, and we can move it out of harm’s way.”

There are a range of archiving solutions on the market helping organizations to securely store their email communications. To help you find the right solution, we’ve put together a checklist of the top six features you should look for in an email archiving solution. 

You can read our comprehensive buyers guide to the top 10 email archiving solutions here

The most common use case for email archiving solutions is to ensure compliance with auditing and data regulation requirements. As such, ensuring the solution you choose enables full legal compliance should be the first and most important feature that you consider. 

This should include ensuring that all emails are automatically archived, along with attachments and meta-data that outlines where the email was sent, at what time, and to whom. It should also include details on replies, email chains and forwarding. 

Archived emails should also be fully immutable. Nobody should be able to edit or tamper with archived data; this is an important stipulation in many legal regulations.

Compliance also means auditing who has access to the email archive. The best archiving solutions will provide granular permissions management with auditing over when the archive has been accessed.
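An auditor can test both requirements above, complete metadata and immutability, against an exported archive manifest. The following is an added example, not code from the original article or from any vendor it mentions; the manifest layout, the field names and the SHA-256 hash chain are assumptions made for illustration.

```python
import hashlib
import json
GENESIS = "0" * 64
REQUIRED = ("message_id", "sender", "recipients", "sent_at", "attachments")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def chain_digest(prev: str, entry: dict) -> str:
    # Digest covers the previous link plus canonical JSON of this entry's metadata.
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(prev.encode() + canon)

def build_manifest(entries):
    # Archive side (constructed for this example): link each entry to the one before it.
    manifest, prev = [], GENESIS
    for entry in entries:
        prev = chain_digest(prev, entry)
        manifest.append({"entry": entry, "chain": prev})
    return manifest

def audit_manifest(manifest, blobs):
    """Return (index, finding) pairs; an empty list means every check passed."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(manifest):
        entry = rec["entry"]
        missing = [f for f in REQUIRED
                   if f not in entry or (f != "attachments" and not entry[f])]
        if missing:
            findings.append((i, "missing metadata: " + ", ".join(missing)))
        raw = blobs.get(entry.get("message_id"))
        if raw is None:
            findings.append((i, "stored message not found"))
        elif sha256_hex(raw) != entry.get("body_sha256"):
            findings.append((i, "stored message differs from archived hash"))
        if rec["chain"] != chain_digest(prev, entry):
            findings.append((i, "chain break: entry edited, removed or reordered"))
        prev = rec["chain"]  # continue from the recorded link so one edit is reported once
    return findings

def sample_archive():
    # Constructed sample: two messages in one thread, no attachments.
    blobs = {"<m1@example.test>": b"Subject: Q3 contract\r\n\r\nDraft for review.",
             "<m2@example.test>": b"Subject: Re: Q3 contract\r\n\r\nApproved."}
    entries = [{"message_id": mid, "sender": "alice@example.test",
                "recipients": ["bob@example.test"], "sent_at": "2024-03-01T09:00:00Z",
                "attachments": [], "body_sha256": sha256_hex(raw)}
               for mid, raw in blobs.items()]
    return build_manifest(entries), blobs
```

The chain only demonstrates immutability if the final `chain` value is also recorded somewhere the archive's administrators cannot rewrite; otherwise the whole manifest could be regenerated after an edit.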

2. Data Security

Another important part of ensuring legal compliance is ensuring the archived data itself has tight security controls. Archived emails should be fully encrypted to ensure malicious threat actors are not able to compromise any sensitive information that may be held in email records. 

We recommend looking for a system that protects archived emails when in transit and at rest. Proofpoint recommends that any data centers used to house cloud archived emails should be SSAE-16 SOC 2 Type II certified.

In addition, there should also be strong security controls to govern who has access to the archive. As previously mentioned, look for a solution with granular permissions management for accessing the archive, with comprehensive auditing. We also recommend that any access to the archive is reinforced with comprehensive multi-factor authentication. 

Finally, we also recommend looking for a solution that has multiple layers of backup in different file formats. When storing backups of any type of data, you should follow the rule of “3 2 1”: store at least three copies of your data in two different locations, and at least one copy should be in a different format or medium to the others. 

This means if one archive is corrupted or lost, you can easily recover data by switching to another backup method. Each one of these should again be secured with high levels of data security. 

3. Strong E-Discovery Performance

Arguably the most important feature on this list is the ability for auditors, admins or even end-users to easily search the email archive to find data when needed. It’s great to have a legally compliant platform with excellent data security, but if the platform is impossible to use to actually find and export data when needed, the platform has failed. 

So, a key feature to look out for is a well-designed user interface that should be simple to navigate and quick to return search results. A system that takes hours to search through an archive is not scalable for organizations that need to retain data over a period of years. 

But as well as being simple to use, a good archiving platform will have comprehensive e-discovery functionality to return the results you actually want to see. You should be able to search on granular pre-defined filters, such as sender, recipient, date, and subject line. You should also be able to easily export particular emails and chains when needed, without having to go through a costly or time-consuming process. 

This is also important to the compliance use case. If auditors are unable to use an archiving system to find any emails related to a litigation case, for example, then it’s possible you could breach compliance regulations.

In addition, the e-discovery archive should also be available even when your email network is down. This is important in ensuring business continuity, giving users access to their inbox at all times. 

4. Cloud-Based Archiving

There are many ways that email archiving can be deployed across an organization, but for most businesses we recommend looking for a cloud-based email archiving solution.

Most organizations today use cloud-based email platforms such as Microsoft 365 and Google Workspace; cloud-based email archiving solutions can integrate natively with these platforms, speeding up the deployment process and saving businesses valuable time.

In addition, cloud-based archiving can also be more cost effective and reliable, with fewer outages and downtime than legacy on-premises alternatives. Storage costs can also be lower with cloud-based solutions, and cloud-storage is often more scalable.

However, some organizations may be already using an on-premises email archiving solution but looking to move to the cloud. In this case, we recommend looking for a cloud-based provider with low costs for important legacy data, or using a hybrid email archiving approach, choosing a provider that offers both an on-premises and cloud-based solution. 

Some organizations may also need file archiving alongside email archiving; in this instance, we recommend looking for an email archiving solution that also offers file and data archiving. 

Legal hold is an important factor to consider when choosing an email archiving provider. This is the process of storing emails in anticipation of them being used in a litigation event or audit. It’s important that whichever email archiving solution you choose offers legal hold, covering the period of time you need. 

Flexibility more broadly is an important aspect of email archiving. It’s important to choose a flexible service that stores emails for as long as you need them––we recommend a minimum of ten years––but many businesses will need to archive important emails for far longer. 

However, over such a period of time, storage costs can become expensive, especially for organizations heavily reliant on email. For this reason, it’s a good idea to look for a service that only stores certain important emails long term, rather than spam messages like newsletters. Less important, external emails may only need to be archived for short periods of time, perhaps 12 months.

The best recommendation we can give for this particular point is to consider all the storage costs associated, along with your organization’s particular use cases and compliance requirements, and look for a service flexible enough to meet your needs.

6. Cost And Open Archiving Format

The final thing to look for in any archiving solution is the cost of importing and exporting data, and the archiving format. For many organizations email archiving represents a long-term commitment––this is not a solution you are likely to swap out on a regular basis. 

For this reason, it’s a good idea to ensure that the costs associated with migrating data into the archive, exporting data from the archive, and long-term storage are within your organization’s budget. 

It’s also a good idea to check that the archiving provider you choose offers an open archiving format, so if for whatever reason you do need to export data into a different system, it’s not locked to a proprietary archiving system or data type. 

Exporting data to a competitor’s archiving system can also have hidden costs, so it’s a good idea to thoroughly check the small print on any archiving solution you are considering. 

Summary 

Choosing the right archiving solution is not an easy decision: it involves sensitive data and represents a long-term commitment, often spanning many years. 

Before making a final decision, be sure to look at expert reviews, end user reviews, and get a demo of the solution to make sure that it’s intuitive and easy to use.

For further help choosing the right email archiving solution, you can read our comprehensive buyers guide to the Top 10 Email Archiving Solutions here


Joel Witts is the Content Director at Expert Insights, meaning he oversees articles published and topics covered. He's an experienced journalist and writer, covering cloud business technologies, cloud security, information security and cybersecurity, and conducting interviews with hundreds of industry experts. Joel holds a First Class Honours degree in Journalism from Cardiff University.


What is the most important part of an audit?

Evaluating internal controls. This is arguably the most important part of an audit and where many organizations can find a significant amount of value from having an audit conducted.

What must an auditor do in an audit?

The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.

Which of the following is the most critical step when planning an IS audit?

Explanation: In planning an audit, the most critical step is identifying the areas of high risk.

What are the important factors that auditors should consider while carrying out auditing of a company?

Establish context of the audit.
Business goals and objectives.
Relevant external and internal issues.
The needs and expectations of relevant interested parties.
Information security and confidentiality requirements of the quality management system.