1. Demystifying Regulatory Compliance with GroupWise Greg M. Smith, Director of Technical Services, Messaging Architects greg.smith@gwtools.com Gregg Hinchman www.HinchmanConsulting.com

2. © February 9, 2004 Novell Inc. 2 Messaging Architects – Quick Intro…  For over 8 years, a leading developer of innovative applications products that help Enhance, Secure, and Accelerate GroupWise ®.  World class development and engineering resources dedicated to Messaging & Collaboration.  A Trusted Advisor that can assist with planning, deploying, managing and supporting mission-critical Email systems & applications.

3. © February 9, 2004 Novell Inc. 3 Agenda  Overview  Data Retention Necessities  GroupWise Archive Architecture  Deploying GroupWise Archives  Solutions from the Trenches

4. © February 9, 2004 Novell Inc. 4 Some Sobering Facts… Storage The average user will attempt to retain/store 500 MB of messages this year Volume IDC projects 33 billion MPD in 2005, up from the current 23 billion Cost The White House spent $10M to recover 246K messages from 4,900 backup tapes

5. © February 9, 2004 Novell Inc. 5 Some Sobering Facts... Knowledge IDC reports that 60% of business critical information is stored in email systems. Access 80% of archived data is not accessible in a timely or cost effective manner, impacting the organization's performance & productivity. Backups Restoration from tape is not always a certainty, information is often lost or requires substantial effort to recover.

6. © February 9, 2004 Novell Inc. 6 Driving Factors Storage Management Concerns Regulatory Compliance Legal Litigation Why to Manage Data

7. © February 9, 2004 Novell Inc. 7 Typical Solutions

8. © February 9, 2004 Novell Inc. 8 Typical Solutions May contravene existing health & employment legislation Delete Everything Retain Everything Ensures compliance to unknown requirements Increases storage and unnecessary liability Don’t Know Why some of you are here

9. © February 9, 2004 Novell Inc. 9 Existing Legislation Driving Factors HR & Employment Records  Employment Act  National Labour Relations Act  Fair Labour Standards Act  Americans with Disabilities Act  Civil Rights Act of 1964 Organizations must maintain strict process separation or retain electronic documents Health & Safety  Occupational Health & Safety Act  Toxic Substances Control Act

10. © February 9, 2004 Novell Inc. 10 Mandatory Compliancy Who is affected? Broker/Dealer (Brokerage) Transfer Agent Investment Company (Mutual Funds) Investment Manager/Advisor 17 CFR 240, 17a-3, 17a-4 17 CFR 240, 17Ad-7f 17 CFR 270 17 CFR 275 Financial Sector

11. © February 9, 2004 Novell Inc. 11 Financial Compliancy SEC 17a-3, 17a-4, NASD 3010 3 Year Records Retention of all Correspondence Storage of records on serialized non-erasable media Records must be duplicated Records & Indexes must be downloadable and available to the SEC at all times Provide message sampling and auditing

12. © February 9, 2004 Novell Inc. 12 Mandatory Compliancy Sarbanes - Oxley Created in the wake of major Scandals such as Enron Relates to Financial Statements Validation of processes and statements Makes C-Level executives liable Defines Penalties

13. © February 9, 2004 Novell Inc. 13 Sarbanes-Oxley Who is affected? Firms Issuing Securities traded on US Security Markets Firms reporting Public Financial Statements Privately Held firms looking to go Public

14. © February 9, 2004 Novell Inc. 14 Sarbanes-Oxley What needs to be Kept? Email retention is not specifically defined by SO Audit controls, papers & reports are to be saved for 7 yrs Email retention in support of regulated financial and accounting practices and reporting

15. © February 9, 2004 Novell Inc. 15 Mandatory Compliancy HIPAA (Health Insurance Portability an Accountability Act) Health Insurance Portability and Accountability Act Applies to Healthcare Organizations  Healthcare Providers/Health Insurance/Claims Processing Primarily Addresses Privacy and Security of PHI Managing or Auditing of emails containing PHI

16. © February 9, 2004 Novell Inc. 16 Mandatory Compliancy Pharmaceutical Industry Governed primarily by FDA Code of Federal Regulations Title 21 CFR Part 11  Addresses handling of predicate documents in electronic format  Targets organizations wishing to convert to electronic processes  Covers controls, access, security and accountability FDA Currently revising its Compliance Guidelines

17. © February 9, 2004 Novell Inc. 17 Mandatory Compliancy DoD 5015.2 Covers all Agencies of the Department of Defence Based on Government Document Retention from NARA Comprehensive and Complex process for Electronic Docs  Classification / Storage / Retention / Destructon Solutions require DoD 5015.2 Certification Process

18. © February 9, 2004 Novell Inc. 18 Local Government Legislation New Legislation  Florida – Statute 119 Florida Sunshine Law Existing Legislation  Public Record Laws  State Archival Laws Public Access to Information is number one driving requirement

19. © February 9, 2004 Novell Inc. 19 Personal Archiving  Is e-mail stored on the local workstation  GroupWise Archives? GroupWise Remote/Caching  Is e-mail deleted corporately but retained by user?  Is this local e-mail backed up?  What would be the costs to recover? Local Storage Corporate Destruction Policy with Local User Exceptions does not limit Legal Liability

20. © February 9, 2004 Novell Inc. 20 Employing Retention Solutions

21. © February 9, 2004 Novell Inc. 21 Where to Start? Statutory, Regulatory or Compliancy Requirements? Penalties for non-compliance Developing Retention Policies Trusted Empowerment Big Brother Enforcement Developing Solutions to Meet Retention Policies Managing Solutions (Retention & Destruction)

22. © February 9, 2004 Novell Inc. 22 GroupWise as a Compliancy Platform Retaining Information within GroupWise –Smart Purge Feature for 100% retention –Store Information on System or Tape –Disabling Personal Archiving –Reduce & Expire Routines for Data destruction Maintaining Individual Account Repositories –Administrative or Individual Searching –Creating global proxies Creating Single Account Repositories –Forwarding all messages to common accounts

23. © February 9, 2004 Novell Inc. 23 GroupWise as a Compliancy Platform Retaining Information within GroupWise –Databases – No individual message storage –Large volume of messages impacts system –Information is stored in proprietary format Maintaining Individual Account Repositories –No default administrative access to accounts –Proxies are end user controlled Creating Single Account Repositories –Single account message limitations

24. © February 9, 2004 Novell Inc. 24 GroupWise as a Discovery Platform Accounts searched Individually or via Proxy Searching consumes network resources Advanced Boolean & Wordlists are complex Cannot Search the contents of attachments Reliability of Indexes or QF Enabled Message Presentation Save individual emails to text file Forward emails to another account Print out all emails Substantial Costs to extract and retrieve information from GroupWise

25. © February 9, 2004 Novell Inc. 25 Third Party Solutions Independent Message Storage Formats Provides Global Accessibility Timely Enquiry Response Compliance with Regulations Loss of original message status Management of additional systems Additional Storage Requirements Solutions inevitably cheaper than fines or maintaining compliancy through GroupWise

26. GWArchive Solutions from the Field

27. © February 9, 2004 Novell Inc. 27 The Talent Gregg A. Hinchman Collaboration Practice Manager, Tenacious Integration Services 10+ years of GroupWise Experience Co-Author: – “Success with Clustering GroupWise” – www.TayKratzer.com – “Success with GroupWise Document Management” – GroupWise Advisor Magazine Articles

28. © February 9, 2004 Novell Inc. 28 The Issue The FUND Company Manages Mutual Funds SEC Regulates Document absolutely every transaction Must save all email Must be able to produce email quickly

29. © February 9, 2004 Novell Inc. 29 The Solution GWArchive Archive email older than 180 days Users cannot delete until email is Archived Archives are stored centrally on a SAN Publish all email to XML format

30. © February 9, 2004 Novell Inc. 30 In Conclusion  Email Retention is clearly a major concern at all levels of industry and government  GroupWise & GroupWise archives provide a viable method of retaining corporate messages and complying with organizational policies, but with clear limitations  Application-independence and format-neutrality (i.e. XML + plain text) are critical attributes for any data destined to reside in long term storage (5+ years).  Third party tools allow organizations to properly deploy and manage both retention/deletion policies and the resulting data sets that are generated as a result of these policies.

32. © February 9, 2004 Novell Inc. 32 General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.