Question : Problem: Mobile Email and Sarbanes-Oxley (Sarbanes Oxley, SOX) Compliance - Funambol, ActiveSync, Blackberry

I've been searching for answers off and on for days now... hours spent. I can't find any concrete answers anywhere.

One of my clients is pushing me to set up mobile email services for their mobile phones. Installing a Blackberry server would be entirely too easy, as it undoubtedly meets all SOX compliance issues. However, no one at this company has a Blackberry device.

Here is the rundown on what I have gathered. None of it has been from authoritative sources, so please correct me if I am in error. (Note there are many more SOX requirements than what is listed; I am merely listing the ones I think are relevant to my mobile email issue.)

SOX requires controls to be able to protect data if a mobile device is lost or stolen. My interpretation for mobile phones: the solution must provide a remote wipe functionality of at least the stored email data. I have also come across a reference to this requiring the data to be encrypted at all times; is this second part accurate?

From my research, any solution that would provide the remote wipe feature also covers all other requirements, with the possible exception of keeping the data encrypted at all times.

Possible solutions:

RIM's Blackberry Enterprise Server: Fully SOX compliant but not an option for my client due to start-up costs of new phones for all users.

Microsoft's Exchange ActiveSync: As of Exchange 2003 SP2 paired with Windows Mobile 5, remote wipe is supported but email data is not encrypted on the device. Is this solution SOX compliant?

Funambol: www.funambol.com : An open source Blackberry Enterprise Server competitor, works with just about every cell phone (with varying degrees of compatibility). I have not yet been able to pin down whether Funambol offers the remote wipe functionality, or if it is available with a third-party plug-in.

Due to Funambol's feature set and compatibility with the mobile devices we already have, I am most interested in this solution (with MS Exchange ActiveSync a second choice, as most phones are running Windows Mobile 5). However, I am trying to figure out if it would pass a SOX audit.

Any help you could provide would be greatly appreciated.

Answer : Problem: Mobile Email and Sarbanes-Oxley (Sarbanes Oxley, SOX) Compliance - Funambol, ActiveSync, Blackberry

First, Funambol does support remote wipe: http://www.funambol.com/product/device.html
"Disable, erase and drain phones"

This is also a somewhat useful article on SOX and mobile security/encryption: http://www.s-ox.com/news/detail.cfm?articleID=506

I do not believe that SOX requires smart phones to have whole disk encryption at this time or even e-mail encryption, but I would not doubt it coming up in the future. The commercial version of PGP can be coupled with RIM's Blackberry server for e-mail encryption support. That is what my company has done. Another option is to upgrade those WM5s to WM6s. WM6 supports encryption natively.

Honestly, if you are trying to be as SOX compliant as possible and not toe the line, I would recommend going with a commercial solution, even if that means locking the users down to one type of device or upgrading devices. I haven't used Funambol and don't have a lot of knowledge about it, but open source when you are talking about SOX compliance scares me.
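The two controls both posts keep coming back to, on-device encryption and remote wipe, can be enforced and evidenced from the Exchange side. As an added example (not from either post), assuming an Exchange 2007 SP1 or 2010 Exchange Management Shell, where ActiveSync mailbox policies and remote wipe are exposed as cmdlets rather than through the Exchange 2003 SP2 web admin tool the question mentions; the mailbox address and device identity are placeholders:

```powershell
# Added example, not from the original question or answer.
# Assumes the Exchange 2007 SP1 / 2010 Exchange Management Shell; the cmdlets
# and parameters used here are the ones shipped with those versions.

# 1. Put the controls discussed above into the default ActiveSync policy:
#    a device PIN, on-device encryption (WM6 and later; WM5 cannot satisfy it),
#    and no partnerships from devices that cannot apply a policy at all.
Set-ActiveSyncMailboxPolicy -Identity 'Default' `
    -DevicePasswordEnabled $true `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Audit: list every device partnership and flag the ones where the policy
#    is not fully applied. This is the list an auditor will ask to see.
$report = Get-CASMailbox -ResultSize Unlimited `
        -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Select-Object Identity, DeviceType, DeviceOS, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus,
                  DeviceWipeRequestTime, DeviceWipeAckTime

$report |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Format-Table -AutoSize

# 3. Lost or stolen device: issue the remote wipe and keep the acknowledgement
#    (DeviceWipeAckTime in a later report run) as evidence the control worked.
#    '<device-identity>' is a placeholder for an Identity value from the report.
Clear-ActiveSyncDevice -Identity '<device-identity>' `
    -NotificationEmailAddresses 'it-security@example.com' -Confirm:$false
```

Re-running step 2 after a wipe shows both the request and acknowledgement timestamps, which is the record to retain for the audit.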