Is Email Signature Required?



  • Hello,
    I was wondering if an email signature is required under SOX. Following the guidelines to retain emails for 3 years, it might be relevant that employees’ emails be tailed with their electronic signature, as there have been cases where auditors failed to identify what designation the email senders held.
    Can someone assist on this matter and provide any relevant links?
    Thanks,
    8O



  • Hi - I would say yes, as the signature provides a timestamp and other authenticity attributes. Below are a few links for further research on this. Most of the links found relate to the need to back up email on Exchange, Lotus Notes, or other server environments in a complete form. The retention, and especially the ability to retrieve email history, are challenging.
    Please add www and paste into browser
    General Google Search - some links promote products
    google.com/search?hl=en-and-lr=-and-q=sox email requirements
    Great article on SOX email requirements
    s-ox.com/Feature/detail.cfm?articleID=1259
    What every company should know about EMAIL
    s-ox.com/feature/detail.cfm?articleID=580
    SOX ‘socks it’ EMAIL
    informit.com/articles/article.asp?p=431108-and-seqNum=4-and-rl=1
    SOX email retention is legal Chernobyl
    silicon.com/research/specialreports/compliance/0,3800003180,39130615,00.htm
    SOX email requirements more than meets the eye
    itbusinessedge.com/item/?ci=11827
    A few quotes related to the technological challenge of email retention, which most likely needs more attention than it’s getting in many organizations:
    Enterprises have to comply with multiple laws and regulations: Sarbanes-Oxley for public companies, HIPAA for organizations handling healthcare information, SEC and NASD regulations for securities dealers, and many others. All of them have different requirements, and in some cases those requirements clearly weren’t written with the realities of computer systems administration in mind.
    Today, the vast majority of organizations use email to communicate internally and as a vehicle for the exchange of documents and correspondence between businesses and their outside consultants, accounting firms and audit firms. Since these communications often contain information about business transactions and business decisions, these email communications must be retained in order for an organization to comply with the provisions of Sarbanes-Oxley. Basically, any publicly-traded company must follow Sarbanes-Oxley regulations. In addition, private firms that may one day be merged with or acquired by a public company will fall under these regulations as well. It is recommended that all such entities implement a data retention strategy.



  • I was wondering if an email signature is required as per SOX.
    It is not ‘required’; it is ‘nice to have’ but not ‘must have’. SOX does not mandate a PKI in place. I absolutely like to use private keys and to have evidence about everything, but you can comply without private keys.
    The preservation of digital evidence is becoming more difficult, especially as we move from hard drives to high-speed networks, virtual chat rooms, and wireless environments. Preserving digital evidence has always been a challenge since it is so easily manipulated, forged or accidentally changed (and, believe me, it is VERY difficult to PROVE things like the sequence of events, when certain evidence was created, read and discovered, or to bind the digital evidence to a specific time - this is the ultimate challenge).



  • Thanks. This forum seems to be a great source for me to learn about SOX.



  • PKI is more relevant for non-repudiation and litigation. It is not required for SOX.



  • Are we going to use digital pens for creating these signatures? 😄
    I guess your organization has a mail server and each individual has a corporate e-mail ID. If yes, why does the issue of e-mail signature come up at all?
    The very assumption of any ‘UNIQUE’ corporate e-mail ID is that it is accessible only by the mail account holder. If the mail account login credentials are compromised, so can the digital signatures be.
    Corporate e-mail accounts, by themselves, provide enough non-repudiation. It is highly remote that someone can spoof your corporate e-mail account, unless the account holder is careless…
    cheers and keep signing :lol:



  • lol_at_NC 😉 🙂 … The whole topic of email retention needs to be thoroughly researched by each company as they adhere to SOX requirements.
    There are a number of issues that might need to be addressed, including:

    1. What if email server versions change (and some products like Exchange or Notes have an annual version release)? Do you migrate history to the latest server formats over this 7 year time horizon?
    2. Encryption/decryption - if the SEC were to ask for a recall of email messages that use encryption techniques
    3. Security - as email unfortunately often contains highly confidential info or documents related to the company
    4. Protection of any personal or confidential info for the employee in an email account (even though employees are supposed to use it for business purposes)
    5. Capacity planning and how to back this up on and off site (plus maybe some readability testing of backups)


  • The very assumption of any ‘UNIQUE’ corporate e-mail ID is that it is accessible only by the mail account holder.
    Corporate e-mail accounts, by themselves, provide enough non-repudiation. It is highly remote that someone can spoof your corporate e-mail account, unless the account holder is careless…
    cheers and keep signing :lol:
    Technically speaking, it’s easy for anyone to forge your email ID for sending emails. Just having a unique corporate mail ID doesn’t provide non-repudiation.
    Calvin
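The two technical claims above, that a PKI is what actually gives non-repudiation and that a From: address on its own is trivially forgeable, can be shown concretely. The following is an added example written for this thread, not code posted by any participant and not a real S/MIME or PGP implementation: it builds an RFC 5322 message whose From: is whatever the sender types, then signs a canonical form of the identity-bearing headers and body with a toy textbook RSA key built from the Python standard library only (no padding, demo-sized keys, so it is for illustration and not for production use). The addresses, subject and body are constructed sample data.

```python
# Added example (not from the forum thread): a corporate From: address is not
# non-repudiation; a signature over the message by a key only the sender holds is.
# Toy textbook RSA from the standard library only, so it runs offline.
# It is NOT a substitute for S/MIME, PGP or a real PKI.
import hashlib
import random
import secrets
from email import message_from_string, policy
from email.message import EmailMessage


def build_message(from_addr, to_addr, subject, body):
    """Build an RFC 5322 message. The From: header is whatever the sender
    types; nothing in the message format authenticates it."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def header_sender(raw):
    """The address a mail client would display as the sender, taken at face value."""
    msg = message_from_string(raw, policy=policy.default)
    return str(msg["From"])


def canonical_form(raw):
    """Bind the identity-bearing headers and the body into one byte string,
    so a signature covers who claims to have sent what (a simplified take on
    the header/body canonicalization signed mail schemes use)."""
    msg = message_from_string(raw, policy=policy.default)
    parts = ["%s:%s" % (name, str(msg[name] or "").strip()) for name in ("from", "to", "subject")]
    parts.append(msg.get_content().rstrip("\r\n"))
    return "\n".join(parts).encode("utf-8")


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact length, odd
        if _is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Return ((n, e), (n, d)). Demo-sized textbook RSA without padding."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(raw):
    # SHA-256 is 256 bits, so it is always smaller than the 512-bit modulus.
    return int.from_bytes(hashlib.sha256(canonical_form(raw)).digest(), "big")


def sign(raw, private_key):
    """Only the private-key holder can produce this value for this message;
    that binding of sender to content is what a bare From: header lacks."""
    n, d = private_key
    return pow(_digest_int(raw), d, n)


def verify(raw, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(raw)


if __name__ == "__main__":
    # Constructed sample: an attacker who never touched the CFO's mailbox.
    forged = build_message("cfo@example.com", "auditor@example.com", "Q3 approval", "Approved.")
    print("client displays sender:", header_sender(forged))
    public_key, private_key = keygen()
    sig = sign(forged, private_key)  # now as the real key holder
    print("signed original verifies:", verify(forged, sig, public_key))
    print("altered body verifies:", verify(forged.replace("Approved.", "Rejected."), sig, public_key))
    print("signed with someone else's key verifies:", verify(forged, sign(forged, keygen()[1]), public_key))
```

Run it and the first line shows the forged message is displayed as coming from cfo@example.com with nothing to contradict it; the remaining lines show that once a signature is required, changing the body, changing the From: header, or signing with a key other than the CFO's all fail verification. A real deployment would use S/MIME or PGP with properly padded signatures and a certificate or key directory, which is the cost the later replies in this thread are weighing.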



  • Technically speaking, it’s easy for anyone to forge your email ID for sending emails. Just having a unique corporate mail ID doesn’t provide non-repudiation.
    Calvin
    How many e-mail IDs would qualify as key from a SOX perspective?
    How many PK pairs is the organization going to provide (again depending on the number of IDs that qualify)?
    Won’t organizations be looking at costs…
    Having PKI for just a bunch of ID holders would certainly not help the organization.
    Quote again: even the key pairs can be compromised by the holder.
    Where do we draw the line then?

    Any organization needs to place REASONABLE RELIANCE on some mechanism or other. Needless to mention that COST IS THE FACTOR.
    Cheers… (please keep signing)



  • Technically speaking, it’s easy for anyone to forge your email ID for sending emails. Just having a unique corporate mail ID doesn’t provide non-repudiation.
    Calvin
    How many e-mail IDs would qualify as key from a SOX perspective?
    I am sorry for the confusion. I didn’t mean to comment on whether e-mail signatures are a SOX compliance requirement. I was elaborating on your point that unique corporate IDs provide non-repudiation.



  • Whoa Calvin,
    no offence meant there. I was just trying to substantiate that no mechanism is foolproof.
    Organizations need to draw a line somewhere and have comfort with some mechanism or other.
    As far as digital signatures for mails are concerned, management would have to consider costs (pretty sure they shall be huge) and controls surrounding their mail client.
    Please do not be sorry; such forums bring out all the good points that are worth discussing.
    Thanks and cheers



  • The issue here is ‘due diligence’.
    Consider the other controls around this issue: are they strong enough?

