Snapshot on a page
Highlights
CS4 is an international financial services organization with over 100,000 internal and external Lotus Notes/Domino seats worldwide. The email system is critical for the company to communicate with customers and internally, and is an integrated part of normal workflow. Email is considered an acceptable form of completion of a contract/transaction. Using email carries direct legal liabilities: from failure to protect information, from spam applications being launched within an email, and from “phishing” to another site.
Over 1 million emails a day, of which over 80% are spam, are processed on IBM mid-range servers with CLARiiON storage. CS4 is heavily regulated and needed to archive email to reduce legal risk and for compliance reasons. The CS4 treasury/trading area is mandated to be able to recreate any document or information (voice, video, etc.) within 48 hours of the request. In the other financial services areas there is a requirement to retain all legal documents for seven years, including email. An email archiving system was justified as a compliance requirement and part of doing business.
EmailXtender, Enterprise Vault and Iron Mountain were considered as solutions for email archiving. Iron Mountain was implemented for all corporate systems except trading, where EMC’s EmailXtender was chosen to meet an earlier implementation requirement.
Original Email Snapshot
IBM Lotus Notes meets the security requirements of international financial services, particularly the ability to encrypt all messages and, if necessary in the future, the ability to encrypt all disks. The budget for email and email storage including staff is approximately $25 million. Veritas software manages the storage environment including email archiving.
The email system runs on Lotus Notes/Domino and supports over 100,000 mailboxes (internal and external) with a 180-day online retention. Storage is limited to one-gigabyte mailboxes, but in many cases senior-level executives go well beyond this. Users can store emails offline to folders. Emails are prioritized by size of file sent. The trading area is an exception where all data is retained “online” indefinitely for immediate retrieval for compliance reasons. Over ten thousand Blackberries are used as email clients.
Symantec antispam products are used on the client. External service providers (Verizon with Messageware scan) are used to manage email scanning inbound/outbound as well as the Tumbleweed spam products in some geographies.
Pain Points
- Emails became accepted as legal documents, and there was no process for keeping them for seven years to be in compliance
- Could not ensure all emails were retained and risked being out of compliance
- Needed to be able to retrieve all communication (email, messaging, voice mail, video) within 48 hours to comply with SEC Rule 17a-4 for trading
- Needed rapid implementation of email archiving to comply with SEC Rule 17a-4 for trading
- There was a strong requirement to pass internal and external audits in all geographies in order to retain the trust of regulators
- Users felt that email archiving was yet another IT constraint to doing business efficiently
Solution Strategy
- CS4 implemented EMC’s EmailXtender for the trading division because (at the time) it offered the shortest implementation time
- Email journaling was turned on for all emails involving trading
- Iron Mountain was selected because CS4 was already using them for offsite business continuity storage. This meshed with the core requirement of ensuring that there were cast-iron processes and procedures to retain all emails and ensure that they could demonstrably be retrieved unchanged. Although the functionality from an email point of view was not as high as other solutions, the tight and secure integration into existing Iron Mountain procedures mattered much more
- After the SOX legislation, journaling was turned on for all email, ensuring that all emails would be captured
- The email archiving and monitoring policy was issued by the CS4 compliance group to ensure that all were formally required to adhere to the new policies
- Users were required to tidy up mailboxes
- Rolled out worldwide region by region
- User training on compliance issues was completed across the whole company
Adoption Issues
- CS4 used in-house IT project managers to coordinate the technical aspects
- The IT Risk management group coordinated the audit, compliance and legal groups on the team to gather requirements
- The legal and compliance groups established the parameters, and the rest of the team created technical solutions and business processes to meet these requirements
- CS4 used mainly in-house resources, with some support from vendors to implement best practices within their product line and train the operations group
- The system is now stable, with no major requirements unless there are new regulatory requirements
Benefits
- The key benefit of the EmailXtender system for the trading group was early implementation
- The key benefit of the Iron Mountain solution was a clear separation of email functionality from archiving functionality. The Iron Mountain solution provides very strong processes and procedures
Vendor Proposal | Advantages for CS4 | Drawbacks for CS4 | Overall CS4 Assessment |
---|---|---|---|
EMC EmailXtender | At the time of the decision EMC was a leading vendor, EMC’s service ability to ensure early implementation for trading group | Weak integration with backup, weaker immutability | *** |
Enterprise Vault | Good functionality for email users | At the time of the decision, KVS was a small company (subsequently bought by Veritas and then by Symantec), weak integration with backup, weaker immutability | ** |
Iron Mountain | Ability to recreate email and attachments, policy and procedures to guarantee immutability, strong integration with current archiving procedures, physical separation from company, outsourcing reduces effort to keep up with current regulatory changes, outsourcing increases credibility of immutability in court | Archive data not directly accessible by user | **** |
Conclusions
Wikibon draws the following conclusions from this case study:
- CS4 achieved early implementation of its email archiving for its trading group
- For the roll-out of email archiving for all geographies, CS4 put a higher importance on archiving functionality over email functionality
- Archiving functionality has to include provenance and ability to show immutability to a court of law
- The emphasis on integrating email archiving with the business continuance and other archiving functionality has ensured robust policies and procedures outsourced to Iron Mountain
- The arm’s length relationship between CS4 and the outsourcer means higher credibility for demonstrating compliance with procedures
The emphasis by CS4 on archiving functionality is prescient in the light of recent court decisions (see the “Admissible? Not necessarily” Wikibon contribution). The strong role that the compliance and audit functions played in defining and architecting the solution has ensured robust archiving practices have been followed.
Overall, organizations should ensure that the quality of archiving functionality is the primary decision criterion. Email functionality is an added bonus, but can be achieved separately from the archiving decision. Trying to integrate both email functionality and archiving functionality to save storage cost will probably lead to compromising the archiving functionality, and add significant risk to the organization.
Email archiving is at heart a risk reduction initiative. The organization of the project and the project objectives should clearly reflect that.
Legal: © Wikibon 2007. This document is copyright protected by Wikibon and does not fall under the GNU general license terms for Wikibon.org. Links to this article from external sources are allowed, however any other re-distribution of this content for commercial purposes is strictly prohibited. Please contact Wikibon for more information.
The cases cited herein are real; however, the name of the customer (CS4) is fictitious. Wikibon case studies are developed independently and their development is not initiated for or funded by any single company. Wikibon reports actual customer experiences and results with no attempt to emphasize any one vendor’s strengths or weaknesses.