by jvannistelrooy 2655 days ago
I have no idea how corporate/enterprise regulation & compliance works in relation to Slack. Could you elaborate?
5 comments

I'm not sure what the OP was alluding to but based on: (1) I ran a department that was audited for compliance [minor, startup, audit for investors] and (2) my wife works for a big4 that does audit companies for compliance in the Financial sector that file w/ SEC.

When a company is audited, not only are their financials audited but also their IT department. The IT department has to be able to present plans on how it is able to audit user actions, retroactively retrieve information from prior dates to detect fraud, and manage their infrastructure in a compliant manner.

Since the big4 are not IT firms, they can only provide "guidance" on the state of the company and if the IT department is actually able to accomplish said goals. Some companies are held to a higher standard and have specific items that they have to accomplish (i.e. how they manage their encryption keys in order to secure their communication). From my understanding, there was actually a lawsuit that Deloitte and PwC lost because they could not determine that fraud had occurred [0]. In the article I've included, it does not say anything about IT but based on my conversations with my wife, this has something to do with some Execs changing their records to hide fraud. Since the financial audit didn't pick anything up (the transactions weren't recorded), their IT compliance team should have been able to tell that there were lacking standards in data integrity, management, and access.

This might not be the full picture and I might have not remembered the full conversation correctly. However, I believe this is why Slack having the EKM management might appeal to larger firms who might have to file under compliance of one law or another. Hopefully someone can chime in with a better explanation.

[0]: https://www.marketwatch.com/story/pwc-faces-largest-ever-aud...

In a past life, I worked as part of a legal regulatory IT function.

What it boiled down to is you have to be able to track every communication you can, and depending on the jurisdiction, you had to keep it around for 7-25 years.

Not only did you have to keep it around, you had to provably keep it in such a way that it couldn’t be “sabotaged”; generally this meant you had to store it on “WORM” (Write Once, Read Many) storage.

The basic rationale is because of the $$ involved, you wanted to make sure no one was a) insider trading, b) defrauding investors, c) defrauding the bank.

Banks are pretty good at these types of controls.

Example controls they do:

1. You can’t trade outside of their monitored platform

2. You are mandated to take a vacation of at least 2 weeks every year (once you reach a certain level), the idea being that any “off books stuff” you may be doing would get exposed.

3. They regularly “flag” specific keywords, and not just the obvious ones, to identify bad actors. I won’t go into details, but it is much more robust than you think.

Just my 2 cents...

Minor edit: spelling

> You are mandated to take a vacation of at least 2 weeks every year (once you reach a certain level), the idea being that any “off books stuff” you may be doing would get exposed.

That's an interesting way to fix a problem!

I too have worked for a bank and also had to take the mandatory 2 weeks off (contiguous) despite not having access to financial transactions. That took some getting used to. I missed being able to take off several Mondays in a row.

We certainly had to back everything up to write-once medium and store encrypted copies in Iron Mountain. Outside of financial institutions, I get dirty looks when I suggest backing up data this way. It also protects against bad automation.

> You are mandated to take a vacation of at least 2 weeks every year

All at once? I feel like this could be a nice fringe benefit.

Many employers will balk at a vacation this long...

Mostly just a very simple point: If you're an employee at a company, you have practically no right or expectation of privacy (applicable to this conversation).

There are a few people in these comments saying things like "but the employer can still read your messages" or "companies should adopt matrix because it can do true E2E encryption of DMs between just the people in the room." That'll never happen in a typical corporate setting.

That is not true. It depends on the company and what information you're expected to exchange. Everything was end-to-end encrypted in my previous job.

I would suspect it is something along the lines that don't expect any privacy at work unless you are in the restroom typing on your phone and not using the company's WiFi.

> on your phone

On your personal phone that doesn’t have any work apps installed on it.

If a banker is accused of insider trading then chat records need to be pulled without tipping them off. Similarly for an employee accused of sexual harassment.