Sarbanes-Oxley (SOX) and HIPAA: Sample Security Policies
(R) = Required
(A) = Addressable
S-OX Compliance Matrix
| Standard | Sections | Description | R/A? | Solution |
|---|---|---|---|---|
| Corporate Responsibility for Financial Reports | Section 302 | This section requires that CFOs and CEOs personally certify and be accountable for their firms’ financial records and accounting. This section has been highlighted due to its link to top management. | R | email2 offers a level of security suitable for the viewing of sensitive documents over e-mail. The tracking and audit system can verify that individuals have received and opened messages. Additionally, email2 can be integrated with existing digital signature architecture (e-signatures), allowing CEOs and CFOs to digitally ‘sign off’ on documents securely, safely and easily. |
| Auditing, Quality Control and Independence Standards and Rules | Section 103 | This section requires companies to “prepare and maintain for a period of not less than 7 years, audit work papers and other information related to any audit report, in sufficient detail to support the conclusions reached in such report.” | R | email2 records complete, unaltered accounts of e-mail transactions and stores them for an indefinite period of time. Implementation of the email2 patented Interchangeable Crypto Engine ensures that stored documents remain exactly as they were when they were first received. |
| Investigations and Disciplinary Proceedings | Section 105 | Requires “the production of audit work papers and any other document or information in the possession of a registered public accounting firm or any person thereof, wherever domiciled, that the Board considers relevant or material to the investigation, and may inspect the books and records of such firm or associated person to verify the accuracy of any documents or information supplied.” | A | email2 can keep audit and tracking records private from unauthorized users. Authorized users are able to retrieve complete tracking and audit records, which can be guaranteed accurate by the Private Email Network (PEN) providing them. The information is always stored encrypted, in the same state it was originally received in, with low possibility of alteration or destruction. |
| Management Assessment of Internal Controls | Section 404 | Requires companies to report on the effectiveness of internal controls regarding financial reporting. Since internal business decisions and data are discussed, transported and stored in corporate email systems, ensuring that data cannot be accessed or tampered with is critical to the reliability of financial reporting. | A | email2 messages and attachments are stored on a single, secure server (PEN). All data received by the server is immediately frozen using email2’s patented Interchangeable Crypto Engine, and stored indefinitely, at the client’s option. When secure messages are retrieved, the PEN server continues to hold the original frozen copy of the message and attachments. Only authorized users are able to retrieve messages or attachments. Identity validation is performed by a combination of Message Access Keys (which determine who can access a message and contain instructions for doing so) and User Keys (which identify specific users). |
| Real-time Issuer Disclosures | Section 409 | Regarded as the most demanding of the requirements, Section 409 requires that companies provide real-time disclosures of any events that may affect a firm’s stock price or financial performance within a 48-hour period. | R | email2 allows for electronic disclosure of sensitive information. email2 systems ensure that information can only be accessed on a server by authorized parties. Reliance on 128-bit SSL encryption (HTTPS) for transport ensures that information cannot be captured or altered while it is in transit. |
| Criminal Penalties for Altering Documents | Section 802 | As a result of the document destruction by various businesses and their accounting firms, most notably Enron and Arthur Andersen, Section 802 provides stiff penalties – fines of up to 1,000,000 and/or prison terms for “whoever knowingly alters, destroys, mutilates any record or document with intent to impede an investigation.” | A | email2’s patented Interchangeable Crypto Engine prevents intentional or accidental destruction of documents. Once a secure message or attachment reaches the PEN, it is immediately preserved for an indefinite period of time. Data that has been “frozen” in this way cannot be altered or destroyed by anyone, regardless of security permissions. |
HIPAA Compliance Matrix
| Standard: TECHNICAL SAFEGUARDS | Sections | Description | R/A? | Solution |
|---|---|---|---|---|
| Access Control | 164.312(a)(1) | Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4) | R | Secure messages and attachments are stored on a single, secure PEN server. All data received by the PEN server is immediately frozen using email2’s patented Interchangeable Crypto Engine, and stored indefinitely, at the client’s option. When secure messages are retrieved, the PEN server continues to hold the original frozen copy of the message and attachments. Only authorized users are able to retrieve secure messages or attachments. Identity validation is performed by a combination of Message Access Keys (which determine who can access a message and contain instructions for doing so) and User Keys (which identify specific users). |
| Access Control | 164.312(a)(2)(i) | Assign a unique name and/or number for identifying and tracking user identity | R | The PEN identifies users by e-mail addresses, employee ID, phone number, or any other unique identifier your organization uses. |
| Access Control | 164.312(a)(2)(ii) | Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency | R | email2 allows authorized parties (such as officials or administrators) to access the protected information that is stored on the PEN server. This information can only be viewed and copied, never destroyed or altered. |
| Access Control | 164.312(a)(2)(iii) | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity | A | email2’s Secure Webmail automatically logs out any users that have remained inactive for a period of time, or once a screensaver is activated. |
| Access Control | 164.312(a)(2)(iv) | Implement a mechanism to encrypt and decrypt electronic protected health information. | A | The email2 Interchangeable Crypto Engine ‘freezes’ all information as soon as it hits the PEN server. While this means that the information cannot be changed or destroyed, it also means that it is encrypted using a specific encryption algorithm. Data on the PEN server is always stored in this encrypted state. |
| Audit Controls | 164.312(b) | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | R | Because of the email2 single-server PEN architecture, accurate tracking information can be displayed in real-time. The email2 PEN can reliably determine access time and actions taken by the user. |
| Integrity | 164.312(c)(1) | Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. | R | email2’s patented Interchangeable Crypto Engine freezes data as soon as it arrives at the PEN server. Frozen data can never be altered or destroyed. |
| Integrity | 164.312(c)(2) | Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | A | All copies of documents can be checked against the original frozen copies that are stored on the PEN server. Any discrepancies or omissions will alert parties to attempts to destroy or alter information. |
| Person or Entity Authentication | 164.312(e)(1) | Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | A | email2 forces all communications to occur over 128-bit encryption SSL pipelines (HTTPS). Sensitive information is never transmitted over basic e-mail channels. |
| Access Control | 164.312(e)(2)(i) | Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of | A | All copies of documents can be checked against the original frozen copies that are stored on the PEN server. Any discrepancies or omissions will alert parties to attempts to destroy or alter information. |
| Access Control | 164.312(e)(2)(ii) | Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. | A | email2’s patented Interchangeable Crypto Engine ‘freezes’ all information as soon as it hits the PEN server. While this means that the information cannot be changed or destroyed, it also means that it is encrypted using a specific encryption algorithm. Data on the PEN server is always stored in this encrypted state. |
| Device and Media Controls | 164.310(d) | Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. | R | Authorized parties are able to instantly retrieve copies of data from the server. These copies are exact, one-to-one reproductions of the original information, and can be checked against the original documents to ensure validity and integrity. |
| Data Protection | | Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. | R | Information that is stored on a PEN server cannot be destroyed until authorized by someone with appropriate permissions. Users and even technical staff do not have the ability to destroy or modify information that has been frozen by the email2 PEN. |