Is Email Signature Required?



  • I was wondering if an email signature is required as per SOX.
    It is not ‘required’, it is ‘nice to have’ but not ‘must have’. SOX does not mandate a PKI in place. I absolutely like to use private keys and to have evidence about everything, but you can comply without private keys.
    The preservation of digital evidence is becoming more difficult, especially as we move from hard drives to high-speed networks, virtual chat rooms, and wireless environments. Preserving digital evidence has always been a challenge since it is so easily manipulated, forged or accidentally changed (and, believe me, it is VERY difficult to PROVE things like the sequence of events, when certain evidence was created, read and discovered, or to bind the digital evidence to a specific time - this is the ultimate challenge).



  • Thanks. This forum seems to be a great source for me to learn about SOX.



  • PKI is more relevant for non-repudiation and litigation. It is not required for SOX.



  • Are we going to use Digital Pens for creating these signatures? 😄
    I guess your organization has a mail server and each individual has a corporate E-mail id. If yes, why does the issue of e-mail signature come up at all?
    The very assumption of any ‘UNIQUE’ corporate e-mail id is that it is accessible only by the Mail account holder. If the mail account login credentials are sacrificed, so can the Digital Signatures be.
    Corporate e-mail accounts, by themselves, provide enough non-repudiation. It is highly remote that someone can spoof your corporate e-mail account, unless the account holder is careless…
    cheers and keep signing



  • lol_at_NC 😉 🙂 … The whole topic of email retention needs to be thoroughly researched by each company as they adhere to SOX requirements.
    There are a number of issues that might need to be addressed, including:

    1. What if email server versions change (and some products like Exchange or Notes have an annual version release)? Do you migrate history to the latest server formats over this 7-year time horizon?
    2. Encryption/Decryption - if the SEC were to ask for a recall of email messages that use encryption techniques
    3. Security - as email unfortunately often contains highly confidential info or documents related to the company
    4. Protection of any personal or confidential info for the employee in an email account (even though employees are supposed to use it for business purposes)
    5. Capacity planning and how to back this up on and off site (plus maybe some readability testing on backups)


  • The very assumption of any ‘UNIQUE’ corporate e-mail id is that it is accessible only by the Mail account holder.
    Corporate e-mail accounts, by themselves, provide enough non-repudiation. It is highly remote that someone can spoof your corporate e-mail account, unless the account holder is careless…
    cheers and keep signing
    Technically speaking, it’s easy for anyone to forge your email id for sending emails. Just having a unique corporate mail ID doesn’t provide non-repudiation.
    Calvin
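    As an added illustration of the point Calvin makes (this is example code, not written by any poster in this thread): the From header of a message is just text the sender types, so a message that merely claims a corporate address proves nothing about who sent it, whereas a digital signature binds the header fields and body to whoever holds the private key. The Go program below uses the standard library's Ed25519 with a simplified canonicalization of my own choosing (it is not S/MIME, PGP or DKIM wire format); the addresses, date and body are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// signedFields lists the header fields bound by the signature, in the
// order they are fed to the signer. This fixed order is the simplified
// canonicalization assumed by this example (not an S/MIME or PGP format).
var signedFields = []string{"From", "To", "Date", "Subject"}

// canonicalize produces the exact bytes that get signed and verified:
// "name:value\n" for each bound header field, a blank line, then the body.
// Any change to a bound field or the body changes these bytes.
func canonicalize(headers map[string]string, body string) []byte {
	var b strings.Builder
	for _, f := range signedFields {
		b.WriteString(strings.ToLower(f))
		b.WriteString(":")
		b.WriteString(strings.TrimSpace(headers[f]))
		b.WriteString("\n")
	}
	b.WriteString("\n")
	b.WriteString(body)
	return []byte(b.String())
}

// SignMessage signs the canonical form with the sender's private key.
func SignMessage(priv ed25519.PrivateKey, headers map[string]string, body string) []byte {
	return ed25519.Sign(priv, canonicalize(headers, body))
}

// VerifyMessage checks sig against the public key the receiver trusts for
// the claimed From address. It returns false both for a message signed with
// someone else's key and for a message altered after it was signed.
func VerifyMessage(pub ed25519.PublicKey, headers map[string]string, body string, sig []byte) bool {
	return ed25519.Verify(pub, canonicalize(headers, body), sig)
}

// Scenarios runs three checks against Alice's public key and returns
// (genuine, forgedFrom, tamperedBody): only the first should be true.
func Scenarios() (genuine, forgedFrom, tamperedBody bool) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// A second key pair stands in for anyone who is not Alice.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample message (not a real mailbox or company).
	headers := map[string]string{
		"From":    "alice@example.com",
		"To":      "cfo@example.com",
		"Date":    "Mon, 01 Jan 2007 09:00:00 +0000",
		"Subject": "Q4 journal entry approval",
	}
	body := "Approved: JE-1042 for 12,500.00\n"

	// 1. Alice signs; the receiver verifies with Alice's public key.
	sig := SignMessage(alicePriv, headers, body)
	genuine = VerifyMessage(alicePub, headers, body, sig)

	// 2. Someone else puts Alice's address in From. The header text is
	//    freely chosen, but the signature was made with a different key,
	//    so verification against Alice's key fails.
	forgedSig := SignMessage(otherPriv, headers, body)
	forgedFrom = VerifyMessage(alicePub, headers, body, forgedSig)

	// 3. A genuinely signed message whose body was changed after signing.
	tamperedBody = VerifyMessage(alicePub, headers, "Approved: JE-1042 for 125,000.00\n", sig)
	return
}

func main() {
	g, f, t := Scenarios()
	fmt.Printf("genuine=%v forgedFrom=%v tamperedBody=%v\n", g, f, t)
}
```

    The receiver's side needs a trustworthy mapping from an address to a public key (that is what a PKI supplies); without it, a verifier cannot tell Alice's key from the forger's, which is the cost the later posts weigh against the control's benefit.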



  • Technically speaking, it’s easy for anyone to forge your email id for sending emails. Just having a unique corporate mail ID doesn’t provide non-repudiation.
    Calvin
    How many e-mail IDs would qualify as key from a SOX perspective?
    How many PK pairs is the organization going to provide (again depending on the number of IDs that qualify)?
    Won’t organizations be looking at costs…
    Having PKI for just a bunch of ID holders would certainly not help the organization.
    Quote again: Even the key pairs can be compromised by the holder.
    Where do we draw the line then?

    Any organization needs to place REASONABLE RELIANCE on some mechanism or other. Needless to mention that COST IS THE FACTOR.
    Cheers… (please keep signing)



  • Technically speaking, it’s easy for anyone to forge your email id for sending emails. Just having a unique corporate mail ID doesn’t provide non-repudiation.
    Calvin
    How many e-mail IDs would qualify as key from a SOX perspective?
    I am sorry for the confusion. I didn’t mean to comment on whether e-mail signatures are a SOX compliance requirement. I was elaborating on your point that unique corporate IDs provide non-repudiation.



  • Woah Calvin,
    no offence meant there. I was just trying to substantiate that no mechanism is foolproof.
    Organizations need to draw a line somewhere and have comfort with some mechanism or other.
    As far as digital signatures for mails are concerned, management would have to consider costs (pretty sure they shall be huge) and controls surrounding their mail client.
    Please do not be sorry, such forums bring out all the good points that are worth discussing.
    thanks and cheers



  • The issue here is ‘due diligence’.
    Consider the other controls around this issue: are they strong enough?



  • I recommend you to use Sigsync Office 365 email signature. It’s a web-based, company-wide, centrally managed email signature application. It is very intuitive to use and configure your Office 365 email signature for your entire organization in a few minutes.
    https://www.sigsync.com/

