E-mail policy management grows more complex every day as organizations try to protect their business communications from spam and viruses while staying current with federal and state regulatory requirements. To ease the complexity of managing their e-mail compliance initiatives, an increasing percentage of companies with regulatory burdens have opted to employ Managed Service Providers (MSPs) to ensure the integrity and security of e-mail before it enters the corporate network and to manage the retention and archiving of messages.
Outsourcing these services "may be able to offer cost and security advantages because on-site enterprise hardware, software and dedicated IT resources are not required and messages are secured outside of the enterprise's infrastructure, where they can do no harm," said Maureen Caplan Grey, a research director at Gartner.
Other possible benefits to the managed service model include:
Freeing up enterprise IT to focus on more pressing matters
Rapid updates of anti-spam and anti-virus definitions
Ease of planning and cost predictability
For IT departments, the decision to outsource any function is based on the interplay of three primary criteria: control, performance, and cost and resource savings. When considering different vendors, confidence in a service provider's stability is critical, as is the range of services offered.
The expertise and guidance of the Gartner Group played a significant role in the search for an MSP to manage the e-mail environment for the One America Life Insurance Company of Indianapolis, according to senior systems analyst Anna Shaw, who said the company decided "we needed to do things differently" in April of 2004.
"We'd had an appliance hardware solution to manage spam and virus filtering and it wasn't working," Shaw said. "The virus protection worked pretty well, but it was difficult to maintain and upgrade, and very time intensive. When it came to spam defense, it would take full-time people to keep inputting data to keep spam out, especially dealing with false positives to keep the e-mail we really needed. We were having mail server problems every Monday because of all the advertising. It was just too much overhead for us."
Shaw's contact at Gartner suggested a few vendors as well as some questions to ask: What kind of licensing structure did they have? What methods did they use to filter spam? Who was responsible for updating filters?
Resource Savings And Customization
"Our resources were tight and we didn't want to spend someone's time continually updating software and maintaining hardware," recalls Shaw, who chose to implement Postini's Perimeter Manager, an extensible e-mail security platform with a common, web-based management interface. In operation since 1999, Postini has redundant data centers in North America and Europe and processes more than three billion e-mails every week.
"What really helped us make the decision was that we still had the ability to go to their site and customize information," says Shaw. "We maintain the ability to make decisions on how to operate. One example is a mass mailer that we use, so we are actually able to go into the system and configure it to allow in that mail."
Postini senior director of marketing Andrew Lochart said, "One America is a great example of the thousands of customers that have switched to Postini after trying an internal implementation of software or an appliance. They learn that by switching to Postini, they can have it all: control, flexibility, and accuracy, all while vastly reducing administrative overhead."
Companies regulated by the Securities and Exchange Commission, or bound by the rules of organizations such as the National Association of Securities Dealers (NASD), face an additional layer of concern in their compliance initiatives, according to Jeremiah L. Glodoveza, marketing communications manager for FrontBridge Technologies Inc. "Regulations such as SEC Rule 17a-4 and NASD 3010 include explicit e-mail and IM monitoring and retention requirements that require archival tools. FrontBridge Technologies combines its mail filtering and policy enforcement services with e-mail archiving technologies to provide organizations with a layered approach to compliance that includes not only anti-spam and policy management, but also a fully-encrypted transport layer security network and e-mail archiving," Glodoveza said.
Ease The Audit Pain
In September of 2003, the RSM EquiCo global investment-banking firm had received notice that the National Association of Broker Dealers (NASD) would be conducting an annual process and procedures audit early in 2004. "E-mail retention and monitoring was high on the list of items to review," said RSM EquiCo chief compliance officer John Dal Poggetto.
The firm had been using a rudimentary system of archiving e-mail based on simple features within the Microsoft Outlook program, but Dal Poggetto realized that this would not meet the NASD's stringent requirements for supervising, monitoring, retaining, and reporting on e-mail. RSM EquiCo chose an outsourced service from Message Rite, which is now owned and operated by FrontBridge, headquartered in Marina del Rey, CA.
"It was a seamless transition, essentially getting their settings and turning it on," said Dal Poggetto. "We timed the implementation well. We were audited within four months, and what was supposed to be an incredibly stressful moment resulted in a very simple review. The system did everything it was supposed to do. It was amazingly efficient.
"Every e-mail that goes through our company is grabbed by FrontBridge," continued Dal Poggetto, who reviews several thousand e-mails every week; since the service is web-based, he can review them from home, abroad, or anywhere. "We are a fairly closed organization, and we were concerned because we deal with a lot of sensitive information, but our CIO evaluated their technology and felt comfortable that privacy would be protected."
Implementation of the service has resulted in two internal adjustments, according to Dal Poggetto: HR issues have been addressed that would have gone unknown, and the firm has been able to easily retrieve e-mails to use as evidence in court proceedings. "The service has reduced our costs, and because of the pricing model, I no longer have to update servers. With 50 people, that is a huge savings," he said. "Customer service is excellent as well. Someone always answers the phone when we call."
In January 2004, Brecek & Young Advisors Inc., a mid-tier independent broker dealer, started full implementation of a managed service because the company's e-mail system had been taxed to the limit. Mailboxes had become de facto filing cabinets for the company's 550 employees, and systems administrators had to impose strict storage quotas. "The system we had in place required that all e-mails be printed out before being archived, and that didn't seem workable," said B&YA chief compliance officer Tom Delaney. In addition, a policy of purging e-mail from the server periodically would not satisfy the strict regulatory requirements imposed by oversight agencies, such as the SEC and the NASD.
When considering service providers, Delaney said the firm held a small version of a beauty contest, and price was a big issue. "Independent broker dealers work on small margins. Price is a critical component. Message Rite [now owned by FrontBridge] had taken that into consideration when they were pricing their model," he said.
"From a compliance side, we had to have a reasonable system to keep from violating rules," Delaney said. "If our supervisory procedure said to do something, in the past we hadn't been able to detect if it had always been done. Our new system has a very intuitive graphical interface without a lot of complication. And it works. We ran a beta test for a few months to capture e-mails to make sure it would happen. We knew right from the beginning that this would be the platform we wanted to use."
"The audit of our messaging system was painless. We were able to generate the required reports in short order and show that our e-mail communications were fully archived and accessible upon request," said Delaney, who appreciates the ability to customize the system to add or delete terms: "Each OSJ [Office of Supervisory Jurisdiction] is responsible for reviewing and approving so many e-mails. We only read a sample, but sometimes we will customize our supervisory terms to spot particular types of e-mails."
The application is hosted by FrontBridge, and implementation was easy, according to Delaney. There was no interruption to e-mail service and no hardware to purchase and install. "It is all done at the server level and is completely transparent. The more hoops someone has to jump through, the harder it is to embrace the program, but this one doesn't have many," he said.
Brecek & Young underwent an audit in June 2004. "When the auditors asked to see the e-mail, it was easy to give them access," Delaney said. "What was interesting was that e-mails that might have caused concerns were noted and commented on by each of the registered principals. My experience had been that this had always been a long, tedious process, but it was very clean for us. Registered principals of the firm had already dealt with them. That ultimately spoke to the system's success. It was an area of non-concern for us during the audit, and the regulators had an easy time using the system, as well."
From a regulatory compliance perspective, archiving has been a particularly fascinating topic over the last year, according to the Gartner Group's Senior V.P. Matt Cain, who participated in an online Web cast April 22 regarding E-mail policy. He explained that finding the right vendor might not be easy because of acquisitions and consolidation in this market. However, more and more firms that began as e-mail security experts see regulatory compliance as the next significant market opportunity.
Shari Weiss is a freelance writer in Northern California.