Re: Monitoring access




I don't have the text, but Microsoft does.

Supporting Regulatory Compliance with Exchange Server 2003
Published: April 19, 2004
Download: Compliance.doc (191 KB, Microsoft Word file)
Summary

Such regulations as Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and SEC
Rule 17a-4 set new data retention requirements for organizations,
particularly in the financial services and healthcare industries.
Exchange Server 2003 makes complying with data retention regulations
easy by enabling organizations to create a reliable archival and
compliance system.

From this document:

Sarbanes-Oxley Act
The Sarbanes-Oxley Act requires that:
· Companies implement extensive policies, procedures, and tools to
prevent fraudulent activities

Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (Financial Institution Privacy
Protection Act of 2001), amended in 2003 to enhance the protection of
nonpublic personal information, requires that financial records be
properly secured, safeguarded...

Healthcare Insurance Portability and Accountability Act of 1996
The Healthcare Insurance Portability and Accountability Act of 1996
requires that:
· Security standards be adopted to control who can access health
information to provide audit trails for computerized record systems...
· Health data is isolated and inaccessible to unauthorized access
· Transmission of health information is physically, electronically,
and administratively safeguarded to ensure the confidentiality of data


If email is involved in the business process, then given the Exchange mail
server's inability* (*please see below) to record who accessed what,
when, and with or without success, I don't see how a valid security
audit can be established:
+ "to prevent fraudulent activities" - Sarbanes-Oxley
+ "the protection of nonpublic personal information, requires
that financial records be properly secured, safeguarded" -
Gramm-Leach-Bliley
+ "control who can access health information to provide audit
trails for computerized record systems" - HIPAA
+ "Transmission of health information is physically,
electronically, and administratively safeguarded to ensure the
confidentiality of data" - HIPAA

Regards,
Nick


*
"Although you can use Mailbox Resources to see when someone logs on to
their mailbox or to another mailbox, Mailbox Resources has some
important limitations that you must know about. Following are these
limitations:
· Mailbox Resources does not show which folder is being logged on to.
For example, Mailbox Resources does not indicate whether it is the
Inbox, the Calendar, or the Contacts folder.
· Mailbox Resources does not show whether the logon was successful or
unsuccessful."
