
Email Archiving & Forensic Compliance



Forensic Compliance


Forensic compliance means treating all data as potential evidence from the moment it is created. Don't confuse this with 'email archiving' or 'email back-up'.

A Forensic Compliance System (FCS) is designed to collect and retain data in the expectation that some or all of the data may be required as evidence in future legal actions. An FCS will always consist of both hardware and software supplied as a sealed, validated computer (the appliance).

One of the key principles of Forensic Compliance is that records may not be deleted or altered in any way within a stated retention period. A forensic record is a complete record, otherwise it has little evidential weight.


Definitions:

Forensics is the use of science or technology in an investigation and the establishment of facts or evidence in a court of law.

Compliance is the act or process of complying with a demand or recommendation. A compliant organisation is one that obeys all the relevant legal, regulatory, judicial and corporate governance requirements, in addition to any applicable standards.


What is a Forensic Compliance System?

It is also essential to be able to demonstrate that records have not been interfered with once stored. A Forensic Compliance System will be able to demonstrate (e.g. by means of a digital fingerprint) that the record is in the same state as when it was originally captured. This should be validated by the simultaneous collection of full metadata, independently verified with a date/time stamp from a trusted NTP time source.

Records should be stored and protected in a non-portable format, and should be encrypted using an industry standard encryption method.

A full audit trail must be recorded of all access to the records, which must include: the name of the person logged in, the date and time accessed, the stated reason for the search, the search terms used, the list of records produced by the search, the individual records selected for inspection, the records forwarded out of the FCS, and the date/time the session ended. These accesses to the system must be recorded, stored and audited in a format that prevents alteration or tampering. Whenever an access has been made, the FCS must send a message detailing the full audit trail to at least three named persons in the organisation; these named persons form part of the validation process carried out by the trusted third party (TTP) at the time of installation.
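The two requirements above (a digital fingerprint showing a record is unchanged since capture, and an audit trail stored so that it cannot be altered without detection) can both be met with content hashing and a keyed hash chain. The Python below is an added example written for this page, not code from BII or Cryoserver; the record and audit field names, the appliance-held HMAC key, and the fixed capture timestamp standing in for an NTP-derived one are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Added example, not the page's or the vendor's own code. Field names, the
# appliance key and the capture timestamp are assumptions for illustration.

GENESIS_HASH = "0" * 64

# Constructed sample message (not real data).
SAMPLE_MESSAGE = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
                  b"Subject: Q3 figures\r\n\r\nFigures attached.\r\n")


def canonical(obj) -> bytes:
    """Deterministic serialisation so identical data always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(content: bytes, metadata: dict, captured_at: str) -> dict:
    """Fingerprint a captured message: hash the raw bytes, then hash that digest
    together with its metadata and capture time (assumed to come from a trusted
    NTP source) so none of the three can change without breaking the seal."""
    envelope = {
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "metadata": metadata,
        "captured_at": captured_at,
    }
    envelope["fingerprint"] = hashlib.sha256(canonical(envelope)).hexdigest()
    return envelope


def verify_record(content: bytes, sealed: dict) -> bool:
    """True only if neither the content nor the sealed metadata has been altered."""
    body = {k: v for k, v in sealed.items() if k != "fingerprint"}
    expected_fp = hashlib.sha256(canonical(body)).hexdigest()
    content_ok = hmac.compare_digest(hashlib.sha256(content).hexdigest(),
                                     body["content_sha256"])
    return content_ok and hmac.compare_digest(expected_fp, sealed["fingerprint"])


class AuditTrail:
    """Append-only access log. Each entry is HMAC'd (with a key held by the
    appliance, not by the administrator) over the previous entry's hash, so
    editing, deleting or reordering any entry breaks the chain on verification."""

    # The fields the page requires for every access, as assumed key names.
    REQUIRED = ("user", "accessed_at", "reason", "search_terms", "records_returned",
                "records_inspected", "records_forwarded", "session_ended")

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _entry_hash(self, seq: int, prev_hash: str, event: dict) -> str:
        payload = canonical({"seq": seq, "prev_hash": prev_hash, "event": event})
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        missing = [f for f in self.REQUIRED if f not in event]
        if missing:
            raise ValueError(f"audit event missing fields: {missing}")
        seq = len(self.entries)
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {"seq": seq, "prev_hash": prev_hash, "event": event,
                 "entry_hash": self._entry_hash(seq, prev_hash, event)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the whole chain; any altered or missing entry returns False."""
        prev_hash = GENESIS_HASH
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev_hash"] != prev_hash:
                return False
            expected = self._entry_hash(seq, prev_hash, entry["event"])
            if not hmac.compare_digest(entry["entry_hash"], expected):
                return False
            prev_hash = entry["entry_hash"]
        return True


def demo():
    """Seal the constructed message and log one constructed access to it."""
    sealed = seal_record(SAMPLE_MESSAGE,
                         {"from": "alice@example.com", "to": "bob@example.com",
                          "message_id": "<constructed-1@example.com>"},
                         "2006-05-01T09:30:00Z")  # stands in for an NTP-derived stamp
    trail = AuditTrail(key=b"constructed-appliance-key")
    trail.append({"user": "privileged.user", "accessed_at": "2006-06-02T14:05:00Z",
                  "reason": "constructed litigation hold request",
                  "search_terms": ["Q3 figures"],
                  "records_returned": [sealed["fingerprint"]],
                  "records_inspected": [sealed["fingerprint"]],
                  "records_forwarded": [], "session_ended": "2006-06-02T14:20:00Z"})
    return sealed, trail


if __name__ == "__main__":
    sealed, trail = demo()
    print("record intact:", verify_record(SAMPLE_MESSAGE, sealed))
    print("audit chain intact:", trail.verify())
```

The verification step is what gives the fingerprint evidential weight: anyone holding the original bytes, the sealed envelope and the audit chain can recompute every hash independently, which is the check a trusted third party would perform at validation time.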

It is mandatory to ensure that administrators do NOT have access to data - the functions of 'Privileged User' and 'System Administrator' must be strictly demarcated. If selective deletion of particular content (e.g. child pornography) is required under a court order, the deletion should be possible only by a trusted third party (Cryoserver uses KPMG), NOT by the organisation itself.

The above tenets are appropriate for most customers, but some industries may need an even higher standard:

An organisation may need to prove that it could not have had access to the data. This means Cryoservers should be placed in secure data centres to which the organisation does not have access. The organisation must have no logon rights to the FCS appliance(s) holding the record, only to the secure interface provided by the FCS mounted on that machine. A trusted third party (TTP) must install and validate the FCS, and must restrict access to individuals or job titles of those within the organisation that have the rights to access the entire repository of records.

Real-time replication is the only assured method of ensuring data integrity - if one server catches fire or suffers some other catastrophic failure from which data cannot be recovered, it is essential that another repository exists holding exactly the same data at any one time. To ensure that catastrophic failure does not strike both Cryoservers at the same time (for example an aircraft crashing on the data centre), we advise more than seven kilometres of separation between mirrored Cryoservers.


If you would like to contact a member of our consultancy team today, please either telephone or email:

Tel: +44 (0) 1622 618 752
Email: consultancy@bii-compliance.com

 

 


enquiries@bii-compliance.com ¦ consultancy@bii-compliance.com
Copyright © BII Compliance 2006. All Rights Reserved. - Privacy Policy »