Companies have a legal obligation to archive their business-relevant emails for long periods of time in such a way that they cannot be modified. An audit-proof email archive is therefore essential for the compliance of information systems. To ensure this, IT analysts such as Gartner recommend taking advantage of cloud or managed services. These archiving solutions allow companies to store emails reliably in an audit-proof way for long periods of time. Messages saved in this way cannot be altered and are protected from unauthorized access, yet can be retrieved within fractions of a second – even from amongst huge volumes of messages.
Below you can find a summary of the individual things that you have to pay particular attention to when dealing with audit-proof email archiving, including the requirements that a managed service must fulfill:
1. “Each document must be stored in accordance with the stipulations outlined in legal and internal requirements.”
Archiving thus has to be carried out by a managed service in real time and must include both internal and external emails.
2. “The archiving must be complete – no documents may be lost on the way to the archive or within the archive itself.”
Complete and secure archiving includes not only saving the emails themselves, but also archiving all email attachments correctly.
3. “Each document must be archived at the earliest possible time-point that is organizationally feasible.”
Archiving done by a managed service should occur automatically as soon as the email is received or sent.
4. “Each document must be identical to its original and archived in such a way that it cannot be altered.”
The archive system should be designed and configured in such a way that tamper-proof storage can be guaranteed. Manual deletion or alteration of archived emails must be prevented completely in all cases.
5. “Each document may only be viewed by appropriately authorized users.”
A managed service must use reliable access controls to ensure that only authorized individuals can look into the archive (for instance, according to the four-eyes principle).
6. “Each document must be retrievable and reproducible within an appropriate period of time.”
To facilitate speedy access to the email archive, a managed service should allow full text search throughout the entire archiving period.
7. “Each document may only be destroyed or deleted from the archive following the defined storage period.”
To achieve this, an archive system should be configurable in such a way that emails are automatically deleted following the end of the archiving period.
8. “Every action taken in the electronic archive system must be recorded in such a way that authorized persons can track and trace all changes.”
A managed service should record all instances of access very precisely in an audit log. This means that in addition to the user ID it is also essential to record details of the activity (such as searching for or downloading an archived email) and the exact time of access.
9. “The whole organizational and technical archiving procedure can be checked by a third-party expert at any time.”
When choosing a supplier of managed services, companies should always select a reliable, transparent and auditable provider. This is crucial for ensuring that the data processing is done according to the applicable local data privacy regulations.
10. “In the case of any migration or changes to the archiving system, it must be ensured that previously defined principles are still complied with.”
Trouble-free migration to an archive system or the option to export from the system must be ensured technically. This includes support for all common data formats, such as PST (Outlook) and NSF (Notes).
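Requirements 4, 7 and 8 above can be checked mechanically. The following added example (not code from the original article or from any archiving product) models a minimal in-memory archive in Python: each stored message keeps the SHA-256 of its original bytes, every access is appended to a hash-chained audit log with user ID, activity and UTC timestamp, and deletion is refused until the retention period has elapsed. The `EmailArchive` class, its method names and the Unix-timestamp inputs are assumptions for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class EmailArchive:
    def __init__(self, retention_seconds: int):
        self.retention = retention_seconds  # hypothetical model; times are Unix timestamps (UTC)
        self.messages = {}   # msg_id -> {"raw", "sha256", "archived_at"}
        self.audit_log = []  # hash-chained entries with user ID, activity, exact time (requirement 8)

    def _append_audit(self, user_id, activity, msg_id, ts):
        prev = self.audit_log[-1]["entry_hash"] if self.audit_log else "0" * 64
        entry = {"user_id": user_id, "activity": activity, "msg_id": msg_id,
                 "time": datetime.fromtimestamp(ts, timezone.utc).isoformat(), "prev_hash": prev}
        entry["entry_hash"] = _sha256(json.dumps(entry, sort_keys=True).encode())
        self.audit_log.append(entry)

    def archive(self, msg_id, raw: bytes, user_id, ts):
        # Keep the hash of the original bytes so later retrievals can prove identity (requirement 4).
        self.messages[msg_id] = {"raw": raw, "sha256": _sha256(raw), "archived_at": ts}
        self._append_audit(user_id, "archive", msg_id, ts)

    def retrieve(self, msg_id, user_id, ts) -> bytes:
        rec = self.messages[msg_id]
        self._append_audit(user_id, "retrieve", msg_id, ts)  # access is logged even if it fails
        if _sha256(rec["raw"]) != rec["sha256"]:
            raise ValueError(f"{msg_id}: stored content no longer matches archived hash")
        return rec["raw"]

    def delete(self, msg_id, user_id, ts) -> bool:
        # Deletion is refused and logged until the retention period has elapsed (requirement 7).
        if ts < self.messages[msg_id]["archived_at"] + self.retention:
            self._append_audit(user_id, "delete_refused", msg_id, ts)
            return False
        del self.messages[msg_id]
        self._append_audit(user_id, "delete", msg_id, ts)
        return True

    def verify_audit_log(self) -> bool:
        # Recompute the chain; an edited, reordered or removed entry breaks it.
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or _sha256(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True
```

In a real service the message store and the audit log would live on write-once storage or be anchored to an external timestamping service, so that the operator of the archive cannot rewrite the chain itself.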
In addition to these general guidelines, it is also necessary to consider specific company-internal regulations. An archiving service provider should therefore be able to respond flexibly to special data privacy guidelines applicable to the works council or job application documents, and advise customers appropriately.