White Paper Instant Messaging (IM) and Sarbanes Oxley Compliance


Statement of Purpose

This document is focused on providing financial companies, and all others bound by Sarbanes-Oxley regulations, with an eye-opening description of instant messaging use in the enterprise, and how to ensure its compliance with government regulation. Descriptions of how to effectively manage a corporate IM infrastructure are also covered, as well as ways in which the InterIM product line can provide your company with an easy, full-featured solution that meets all government IM requirements, at a price that will not break your IT budget.

Table of Contents

1 An Overview of Instant Messaging ... 4
1.1 The Advantages of IM ... 4
1.2 Corporate IM Growth ... 4
2 The Sarbanes-Oxley Dilemma ... 5
2.1 History and Requirements ... 5
2.2 Compliance Options ... 5
2.3 Sarbanes-Oxley Resources and Links ... 5
3 Enterprise Class Instant Messaging ... 6
3.1 Security ... 6
3.2 Message Logging and Auditing ... 6
3.3 Instant Messaging Policy Management ... 7
4 InterIM is Your Solution ... 8
4.1 Ease of Use ... 8
4.2 Why an Appliance? ... 8
4.3 The Deviant Philosophy ... 8
5 Appendix A ... 9

1 An Overview of Instant Messaging

Instant Messaging (IM) provides the ability to interactively communicate via text messages. The concept dates back to the 1960s with the UNIX talk program but has only recently come into widespread use. It started with AOL, MSN, and Yahoo providing IM services to their subscribers. The advantage of IM is that it allows users to communicate informally over the internet in real time. An additional advantage is the concept of presence, which allows users to see whether the person they need to communicate with is available, thus avoiding frustrating phone-tag scenarios.

1.1 The Advantages of IM

Daily management of a business is a symphony of small decisions. However, if these decisions do not flow freely, they can hold up critical business functions, which may result in missed opportunities. Instant Messaging provides an affordable and rapid communications medium that fills the void between the telephone and email. Instant Messaging is the perfect medium for getting quick answers through direct communication, without the time-consuming chore of setting up a meeting. Incorporating instant messaging capabilities into your business can actually result in less communications overhead, freeing up time for more productive meetings that focus on issues of greater strategic relevance.

1.2 Corporate IM Growth

Instant messaging is quickly becoming the medium of choice for rapid communications in businesses, and its use is growing at an astounding rate. In a recent study, the Radicati Group projected that the number of business IM accounts will grow beyond 300 million by 2007 [1]. However, most companies remain vulnerable to prying eyes and government regulations because they rely on public IM networks.

[1] http://www.eweek.com/article2/0,3959,1124698,00.asp: projected user base of 1.4 billion with a 3:1 ratio of personal to business users by 2007.

2 The Sarbanes-Oxley Dilemma

The rules governing the use of instant messaging in the financial industry are often overlooked as firms work tirelessly to comply with the intricacies of the Sarbanes-Oxley Act. Sarbanes-Oxley permeates many areas of a business, including instant messaging. In fact, even firms that specialize in compliance often overlook IM, yet the SEC has made clear that IM is bound by the same guidelines as email.

2.1 History and Requirements

In 1996 and 1997 the SEC issued regulations designed to guide the use of electronic media by financial firms; they are laid out in SEC Rule 17a-4(b)(4). These regulations were updated in 2003 and now govern the use of instant messaging as well. Instant messaging is considered correspondence just as email is, and thus records of instant messages must be stored for a period of not less than 3 years. The first two years of these logs must be maintained in an easily retrievable format. The rules do not specifically state that member firms are required to review or approve instant messaging content; however, regardless of the text, the message must be stored.

2.2 Compliance Options

Compliance can be achieved in one of two ways:

- Gateway solutions capture instant messaging traffic and log it to a database. These solutions do not provide an instant messaging server, however, so some type of server will be needed. If public services are used, they will not provide any security, and information will be viewable by third parties.

- Server solutions provide an instant messaging infrastructure, but depending on the product, these systems may not be secure, log messages, or provide any type of auditing or management tools.

InterIM is a combination of these approaches and provides everything a company requires to run an enterprise-class system in a single, easy-to-use appliance.

2.3 Sarbanes-Oxley Resources and Links

Additional information on the Sarbanes-Oxley Act and how it pertains to instant messaging can be found at the following web sites:

1. http://www.zantaz.com/resources/regulatorycompliance/sec_17a4.pdf
   This is the section of the Sarbanes-Oxley Act which requires the retention of communications records. See section b, item 4.
2. http://www.nasdr.com/pdf-text/0333ntm.pdf
   This is the official NASD notice to its members regarding IM.
3. http://www.nasdr.com/news/pr2003/release_03_026.html
   This is a news release from the NASD describing the IM requirements.
4. http://www.computerworld.com/softwaretopics/software/groupware/story/0,10801,82284,00.html
   Article cites how consumer-grade IM solutions will not satisfy Sarbanes-Oxley requirements. Enterprise systems are needed.
5. http://www.wallstreetandtech.com/story/regulatorycompliance/wst20030717s0017
   Wall Street Journal article on IM compliance with SEC regulations.

3 Enterprise Class Instant Messaging

The InterIM product line, by Deviant Technologies, Inc., provides an internal instant messaging server, as well as compatibility with the major public IM networks. There are three critical areas of IM management that ensure Sarbanes-Oxley compliance and provide IM administrators with the necessary tools to successfully administer a corporate IM solution. These are:

- Security
- Message logging and auditing
- IM policy creation and management

3.1 Security

Security has been and shall remain a primary concern in all IT systems, regardless of type or purpose. Instant messaging can be no exception. In fact, many employees believe that if they are sending an instant message to someone in the next office, the message travels from their computer to the person's computer in the adjacent office. This is not true: the message travels out of the company to the servers administered by the public IM network, then back to the person in the nearby office, the whole time as unencrypted text. Any proprietary or confidential information is available to be viewed by those with the skill to do so. This security hole has led many IT managers either to disable IM for employee use or to take the risk of compromising private information.

InterIM provides a low-cost solution for ensuring your company's private data remains private. InterIM provides an internal instant messaging server with 512-bit encryption by default on your internal instant messaging network, which can easily be increased to as high as 2048-bit. To provide maximum connectivity between coworkers and customers, InterIM also maintains compatibility with the popular public IM networks, but it cannot provide encryption on those channels. Ensuring that confidential internal communications are channeled over the internal network instead of public networks can be achieved through effective IM policy management, discussed in section 3.3 of this document.

3.2 Message Logging and Auditing

The ability to log and audit instant messaging traffic on your corporate network has become a necessity, not an option. Sarbanes-Oxley dictates that messages must be stored for three years and should be easily retrievable. In order to effectively log all instant messaging traffic, a proxy of some kind must be set up. This proxy acts as an IM gateway. The corporate firewall is then configured to prohibit all IM traffic except that which originates from the gateway. In this way, all IM traffic passes through the gateway, where it can be logged and stored for auditing purposes.

InterIM logs all instant messages, whether internal or on the public IM networks, to a relational database where the messages are archived and can be searched and audited, meeting the requirements for message archiving as set by the SEC and mandated by the NASD in the Sarbanes-Oxley Act. Additionally, InterIM provides a variety of tools for parsing the data within the logs. Data can be audited through a number of customizable search and filtering tools, allowing common searches to be saved for reuse.

Typical enterprise IM solutions provide only one piece of the puzzle, often requiring an external database and tools to store and analyze instant messaging traffic. InterIM provides all these features in an easy-to-use, plug-and-play appliance. Our patent-pending, all-in-one solution delivers more features than our competitors and greater ease of use at a fraction of the cost, giving our customers a superior solution which delivers a return on investment in weeks, not years, by reducing installation and management time for your IT staff.

3.3 Instant Messaging Policy Management

Security and message logging are critical to managing your instant messaging infrastructure, yet without a sound and manageable policy there is still an opportunity for employees to circumvent or bypass the safeguards in place. Instant messaging policy management tools allow administrators to monitor IM usage and notify them when a policy has been violated so that they may take proper action. There are three steps to successful policy management: policy creation, policy management through the use of tools, and policy enforcement. Policy creation and enforcement differ from company to company depending on the level of security required and the sensitivity of the data on the network.

InterIM provides administrators with an array of tools designed to manage and enforce their IM policies. InterIM's keyword notification tool allows administrators to monitor all messages on the non-secure networks for sensitive terms or phrases such as social security numbers or confidential project names. InterIM's reporting tools enable administrators to monitor instant messaging usage, for example how much time employee X spends on the internal system versus public systems. InterIM's patent-pending per-user-transport administration allows administrators to grant access to public networks to power users while withholding it from others.
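Sections 3.2 and 3.3 describe one mechanism from two sides: every message is forced through a gateway that archives it to a relational database for the retention period summarised in section 2.1, and that same gateway is where transport policy, keyword notification and usage reporting are applied. The Python sketch below is an added example written for this page; it is not InterIM code and does not describe how Deviant Technologies implemented these features. The class and function names (Gateway, Message, relay, retention_tier), the SQLite schema, the SSN regular expression and the sample traffic are all constructed for the illustration.

```python
"""Constructed IM gateway: per-user transport policy, keyword alerts on the
non-secure (public) transports, archive to SQL, and 17a-4 retention tiers.
Added example for this page; not InterIM code."""
import re
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL = "internal"                        # encrypted in-house server
PUBLIC_TRANSPORTS = {"aim", "msn", "yahoo"}  # public networks, no encryption

# Constructed pattern for SSN-shaped strings (3-2-4 digits); tune per site.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Message:
    sent_at: datetime
    transport: str
    sender: str
    recipient: str
    body: str


class Gateway:
    def __init__(self, confidential_terms):
        self.db = sqlite3.connect(":memory:")   # stand-in for the real RDBMS
        self.db.execute("CREATE TABLE archive (id INTEGER PRIMARY KEY, sent_at TEXT,"
                        " transport TEXT, sender TEXT, recipient TEXT, body TEXT)")
        self.grants = {}        # user -> set of public transports granted
        self.terms = [t.lower() for t in confidential_terms]
        self.alerts = []        # (kind, user, detail) tuples for the administrator

    def grant_public(self, user, transport):
        """Per-user transport administration: the default is internal only."""
        self.grants.setdefault(user, set()).add(transport)

    def allowed(self, user, transport):
        return transport == INTERNAL or transport in self.grants.get(user, set())

    def relay(self, msg):
        """Return True if relayed. Blocked messages are alerted, not archived."""
        if not self.allowed(msg.sender, msg.transport):
            self.alerts.append(("blocked_transport", msg.sender, msg.transport))
            return False
        if msg.transport in PUBLIC_TRANSPORTS:   # keyword notification applies
            self._keyword_scan(msg)              # only to the non-secure networks
        self.db.execute("INSERT INTO archive VALUES (NULL, ?, ?, ?, ?, ?)",
                        (msg.sent_at.isoformat(), msg.transport, msg.sender,
                         msg.recipient, msg.body))
        return True

    def _keyword_scan(self, msg):
        low = msg.body.lower()
        hits = [t for t in self.terms if t in low]
        if SSN_PATTERN.search(msg.body):
            hits.append("ssn_pattern")
        self.alerts.extend(("keyword", msg.sender, h) for h in hits)

    def search(self, term):
        """Auditor search over the archive (LIKE is case-insensitive for ASCII)."""
        cur = self.db.execute("SELECT sender, recipient, body FROM archive "
                              "WHERE body LIKE ? ORDER BY id", (f"%{term}%",))
        return cur.fetchall()

    def usage(self, user):
        """Usage report: messages per transport, internal versus public."""
        cur = self.db.execute("SELECT transport, COUNT(*) FROM archive "
                              "WHERE sender = ? GROUP BY transport", (user,))
        return dict(cur.fetchall())


def retention_tier(sent_at, now):
    """Tiers from the 17a-4(b)(4) summary in section 2.1: keep at least three
    years, the first two in an easily retrievable form."""
    age = now - sent_at
    if age < timedelta(days=2 * 365):
        return "hot"        # must be readily retrievable
    if age < timedelta(days=3 * 365):
        return "cold"       # still retained, may sit on slower storage
    return "eligible"       # minimum retention period satisfied


def demo():
    """Constructed traffic: an internal chat, a public chat that leaks a
    project name and an SSN, and a user with no public-network grant."""
    now = datetime(2005, 6, 1, 12, 0)
    gw = Gateway(confidential_terms=["Project Falcon"])
    gw.grant_public("alice", "aim")
    traffic = [
        Message(now, INTERNAL, "alice", "bob", "Falcon numbers look fine"),
        Message(now, "aim", "alice", "client1",
                "see project falcon deck, ref 123-45-6789"),
        Message(now, "msn", "bob", "friend", "lunch?"),
    ]
    return {
        "relayed": [gw.relay(m) for m in traffic],
        "alerts": gw.alerts,
        "search": gw.search("falcon"),
        "usage": gw.usage("alice"),
        "tiers": [retention_tier(datetime(y, 1, 1), now) for y in (2005, 2003, 2002)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The firewall rule from section 3.2 (drop IM traffic from every address except the gateway) is what makes this archive complete; the gateway cannot log traffic that never reaches it. A production deployment would also write to a durable database rather than an in-memory SQLite file and would treat the "eligible" tier as the earliest point at which disposal may even be considered, not as an instruction to delete.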

4 InterIM is Your Solution

SEC compliance has become a thorn in the side of many financial firms over the past year. We at Deviant Technologies recognize and appreciate this, and as such have worked to design a product that will bring firms into compliance with the SEC's guidelines for instant messaging in half an hour or less (see Appendix A on InterIM installation). InterIM provides everything a firm needs to comply with Sarbanes-Oxley regulations in an easy-to-install and administer, plug-and-play hardware appliance. InterIM can get your firm up and running on a compliant and secure instant messaging platform now, not in weeks. Our instant messaging solution provides a high level of encryption, logging and auditing capabilities, and instant messaging policy creation and management tools, all on a hardware platform that has been optimized for speed and stability, at a price far below our competitors'. In fact, InterIM can save customers between 50% and 80% compared with our competitors' solutions.

4.1 Ease of Use

InterIM is designed to be up and running in under 30 minutes. Setup requires a few simple steps and can be performed by someone with little or no IT experience. Simply start the server, give it a name and address, import users from your existing directory server via InterIM's easy-to-use Directory Import tools, and your company is ready for secure, archived instant messaging that is compatible with all your favorite public IM networks, including the AOL, Yahoo!, MSN, ICQ and Jabber instant messaging services. Future support for Short Message Service (SMS) messaging is planned so that messages can be sent to and from cell phone users.

4.2 Why an Appliance?

Our goal is to provide our customers with the highest quality product at a price that will deliver a rapid return on investment. Integrating the software and hardware provides customers with peace of mind, knowing that there will be no hardware issues to attend to, no expensive operating system to install and configure, no database integration headaches, and no security holes to patch. InterIM comes with its own firewall, which blocks any traffic that is not required to operate the unit, and since it runs on the Linux operating system, InterIM is not susceptible to virus attacks. Overall, InterIM provides industry-leading features at affordable prices. Compliance itself is already a headache; don't let your solution become one as well. Call a Deviant representative at 1-866-DEVIANT (338-4268) today to order or learn more about our InterIM line of server appliances, or visit us online at http://www.devianttechnologies.com.

4.3 The Deviant Philosophy

Deviant Technologies believes that our customers should not be shackled by expensive solutions to their regulatory problems. Our aim is to provide enterprise-class products to businesses of all sizes at prices they can afford. InterIM is no exception. In short, InterIM is easier, less expensive and more secure than the majority of competitors.

5 Appendix A: InterIM Installation

Installation of your InterIM appliance is a breeze. Typically, customers with little IT experience are able to have it up and running in 30 minutes or less. Provided below is a typical installation sequence. Steps may differ, and some may be skipped altogether depending on your network.

Step 1: IP Address and DNS
In order to get your InterIM Appliance on the network, it must be given a network address. By default one can be obtained automatically. Alternatively, one can be provided manually by entering the address via the keypad on the front of the appliance.

Step 2: Connect to the Web Administration Interface
To connect to the appliance for administration, open your web browser and enter the IP address shown on the appliance display. Once connected, enter the default admin user name and password. Once logged on, create a new administrative username and password.

Step 3: DNS
This step is for convenience. Once the IP address is set and you have access to the administration pages, an alias should be set, and a record made in your DNS for the name/address you have given the appliance.

Step 4: Firewall Configuration
In order to have your InterIM Appliance log all instant messages, those messages must pass through the appliance. To ensure this, administrators should block all IM traffic from all addresses except the InterIM appliance address. Access to the public IM networks can thus only be reached through the InterIM appliance, and only if access is granted by the administrator.

Step 5: Directory Import
InterIM provides the ability to import your user base from your existing LDAP-compatible directory server. Simply point the InterIM appliance at your directory server, and import. This can typically be done in 5 minutes or less. Templates are provided for certain directory schemas such as Microsoft's Active Directory.

Step 6: Security Configuration
By default InterIM appliances come with 512-bit encryption; however, Deviant Technologies recommends that all administrators create a new encryption key with the level of encryption that their organization requires. Use of existing certified keys is supported. Please see our Security page for more information on this topic.

Step 7: IM Policy Creation
InterIM provides a broad array of IM policy creation and management tools. These tools are designed to provide maximum flexibility to our customers. By default, access to external IM networks is off. However, access can be granted to users, groups, or your entire enterprise with a few clicks of the mouse. Logging and auditing policies are also easily configurable. For more information on IM policy creation and management, please see our IM Policy Management page.

Step 8: Rollout
Now that your corporate IM policy has been created, rollout of the IM solution can be performed. InterIM makes this easy by providing a client download page on the appliance. Simply send an email to your users notifying them of the new system, with a hyperlink to download the client. Links can also be placed on internal web sites. Client installation is simple and nearly all operating systems are supported. See our InterIM Client page for more information.

Installation of your InterIM Appliance is now complete! For more information on our installation process or our appliance in general, please email us at info@devianttechnologies.com or contact us at 1-866-DEVIANT.