Email archiving

from Wikipedia, the free encyclopedia

E-mail archiving is a term in its own right for the long-term, immutable, and secure storage of electronic messages. It is driven, on the one hand, by legal requirements for the complete documentation of tax-relevant documents and, on the other hand, by the needs of companies and private individuals to manage increasingly complex e-mail communication data and processes.

Basics

E-mail communication has caught up with the "classic" communication types telephone, letter, telex and fax in importance, or even overtaken them entirely. E-mail data exchange has thus developed into a business-critical communication platform whose smooth functioning has become indispensable for many companies. At the moment, e-mail users, e.g. employees of a company, are still responsible for the content, security and processing of the data. Systematic utilization and archiving by the company is becoming increasingly important. Reasons for this are:

Email archiving to meet legal requirements

The principles for the proper management and storage of books, records and documents in electronic form as well as for data access (GoBD) stipulate that all tax-relevant data must be retained in a form that can be evaluated by machines. This also applies to e-mails and their file attachments. Further requirements result from the tax code (AO) and the commercial code (HGB).

Archiving as protection against email data loss

E-mails, as business-critical information carriers, must be protected against data loss and illegal spying. E-mails are lost due to defective PST files (MS Outlook), careless deletion or system changes. Entire mailboxes are often removed when an employee leaves the company without the necessary permission from the user.

Archiving as protection against overloading of e-mail servers

Over the course of a few days and months, e-mail data accumulates on servers and takes up storage space. The larger the permitted attachment size, the more storage space is required. Since many companies define size restrictions for mailboxes, this data must be transferred to an archive, and information in the mailboxes that is no longer up to date must be deleted.

Tamper-proof

Tamper-proof archiving is required to meet legal requirements. Besides writing to WORM media (erasure-protected data carriers), whose resistance to manipulation over many years can also be questioned, this is achieved by applying cryptographic processes to the e-mails to be archived. As an independent authority, the Fraunhofer Institute for Secure Information Technology (SIT) has developed an "ArchiSoft" module for this purpose. It takes over this process and also ensures that, if the cryptographic process in use is compromised, all e-mails already in the e-mail archive are re-signed with a newer, more secure cryptographic process. In conjunction with the use of accredited time stamping services, this should ensure permanent security against manipulation.
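The idea of sealing archived e-mails cryptographically and re-sealing them when an algorithm has to be retired can be illustrated as follows. This is an added example, not code from ArchiSoft or from the original article; it uses a plain hash chain instead of signatures, and the function names, the choice of SHA-256 and SHA3-256, and the sample messages are assumptions. The time stamping step is not implemented.

```python
import hashlib

# Constructed sample messages (not from the page).
SAMPLE = [
    b"From: a@example.com\r\nSubject: Invoice 1\r\n\r\nSee attachment.\r\n",
    b"From: b@example.com\r\nSubject: Re: Invoice 1\r\n\r\nReceived.\r\n",
]

def seal(payload, prev, alg):
    """Chain value H(prev_seal || H(payload)) under hash algorithm `alg`."""
    return hashlib.new(alg, prev + hashlib.new(alg, payload).digest()).hexdigest()

def covered(entry, layer):
    """Bytes protected by seal layer `layer`: the message plus all older seals."""
    return entry["raw"] + "".join(s for _, s in entry["seals"][:layer]).encode()

def build_archive(messages, alg="sha256"):
    archive, prev = [], b""
    for raw in messages:
        entry = {"raw": raw, "seals": []}
        entry["seals"].append((alg, seal(covered(entry, 0), prev, alg)))
        prev = bytes.fromhex(entry["seals"][0][1])
        archive.append(entry)
    return archive

def verify(archive):
    """Return the index of the first entry that fails a seal layer, else None."""
    layers = len(archive[0]["seals"]) if archive else 0
    for layer in range(layers):
        prev = b""
        for i, entry in enumerate(archive):
            alg, stored = entry["seals"][layer]
            if seal(covered(entry, layer), prev, alg) != stored:
                return i
            prev = bytes.fromhex(stored)
    return None

def reseal(archive, new_alg):
    """Add a seal layer under `new_alg`; only valid while the old layers verify."""
    if verify(archive) is not None:
        raise ValueError("archive already fails verification; refusing to reseal")
    prev, layer = b"", len(archive[0]["seals"]) if archive else 0
    for entry in archive:
        entry["seals"].append((new_alg, seal(covered(entry, layer), prev, new_alg)))
        prev = bytes.fromhex(entry["seals"][-1][1])
    return prev.hex()  # chain head: the value to hand to a time stamping service
```

The new layer covers both the message and the older seals, so it must be added while the old algorithm is still trusted. Without an external anchor such as a time stamp on the chain head, anyone with write access could recompute the whole chain.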

Differentiation between server-controlled and client-controlled archiving

With regard to the archiving strategy, two basic approaches must be distinguished. One variant is archiving on the server side. With this approach, all e-mails are generally transferred to the archive system as soon as they are received on the e-mail server. The same applies to outgoing e-mails. This method is often referred to as journaling. It ensures that all messages are transferred to the archive system without manipulation. The archive system itself must have security mechanisms to counteract later manipulation. However, this method requires a large amount of storage. This is why spam filters should be used to sort out unwanted messages and exclude them from archiving. It is important to ensure that important e-mails are not accidentally classified as spam. This means that the e-mails classified as spam would have to be searched regularly for any relevant e-mails before they are permanently deleted. At the same time, it must be ensured that no e-mails are archived for which this is not permitted for legal reasons (e.g. private e-mails); this means that such e-mails must be marked or it must be possible to exclude them (e.g. through a ban on private e-mails).

Furthermore, rule-based concepts can be used for server-side archiving, which analyze and archive e-mails according to defined rules. A variety of individual scenarios can be implemented using such rules. Usually, when archiving on the server side, the e-mails are removed from the productive e-mail system. The user then no longer accesses archived e-mails through the e-mail system but directly in the archive, usually via a reference. Searches are also carried out directly in the archive. This reduces the load on the e-mail server.

The second variant is client-side archiving. Here the user controls which emails are archived and which are not. He mostly uses properties that he assigns to the e-mails, or he moves them to certain folders intended for archiving. The client-side archiving offers the user a high degree of flexibility, but there is a risk of inadvertently not archiving important e-mails. Which archiving strategy companies choose depends on their individual preference. If adherence to compliance requirements and the associated legally compliant archiving are assigned a high value, journaling archiving, i.e. the server-side variant, is recommended.

Criticism of isolated email archiving

The isolated archiving of e-mails also poses a risk for companies, as e-mails have to be brought into a factual context with other electronic documents. Information must be archived according to its content, use and legal character, not according to its form. The e-mail management approach, which transfers e-mails to electronic archiving systems that also manage other electronic documents, scanned facsimiles and data sets under a common index, is therefore gaining acceptance. In this way, e-mails can be presented as part of electronic files, taking into account the completeness and context of all related information.

E-mail archiving options

ASP solutions (Application Service Provider) for e-mail archiving

ASP providers provide their services by offering e-mail data management functions with or without spam filtering over the Internet. As a rule, no client-side application programs are required for this.

Stand-alone solutions on the client or server side

These are applications that are implemented on the client or server side. E-mails can be saved and managed by the user himself or organized by the system administrator.

Appliances

A separate storage solution archives all e-mails (incoming / outgoing) without any action or influence on the part of the user. Using a search function, users can find the e-mails again and restore them if necessary. Archiving rules can also be stored in an appliance.

Document management solutions and CRM systems

These solutions usually come from vendors of existing document management systems, for example in the areas of CAD and customer relationship management (CRM); CRM applications traditionally store the communication history between companies and customers.

Contradiction between requirements of the GDPdU and the postal secrecy

The administrative instruction of the Federal Ministry of Finance (GDPdU) defines that a "tax-relevant document", e.g. an invoice that has been received by a taxpayer in electronic form, must be documented and secured just like a normal, postal invoice. If an invoice is sent or received as an attachment to an e-mail, this means:

  • The recipient / sender must save each of these electronic documents - and an e-mail is also to be understood as such - in a retrievable manner.
  • The recipient / sender must check the integrity of the data and document the result.
  • The recipient / sender must save the invoice on a carrier medium that no longer allows changes.
  • The recipient / sender must record the receipt of the tax-relevant data and their further processing and archiving.
  • The recipient / sender must ensure that the transmission, archiving and conversion systems comply with the GoBS (principles of proper IT-based accounting systems).

In the event of a company audit, direct read access, access via evaluations and data storage media must be provided in various formats.

In case of doubt, the tax office decides which documents are tax-relevant, and it is possible that all e-mails can be classified as tax-relevant documents. As a consequence, the company is obliged to automatically save all incoming and outgoing e-mails. Private e-mails sent or received by employees would then also be stored in an archiving system and accessible to an auditor. Interventions by employees in this system, e.g. deletions or changes, would have to be prevented.

The problem: automatic storage of and access to employees' private e-mails could violate postal secrecy, which was anchored as a fundamental right in Article 10 of the Basic Law. By definition, e-mails belong to the "letter" category and are subject to this basic right. Therefore, an automated e-mail security measure in a company can only be permitted by a contractual agreement with the employees or with the consent of a works council authorized to represent them. Another option is for management to enforce a general ban on private e-mail communication.
