Security Manager's Journal: Writing a data retention policy isn't as simple as it sounds
Establishing a policy on how long data must be retained seems easy enough. It isn't. For starters, not all data is the same.
At Issue: It's time for the company to set a new policy on data retention.
Action Plan: Normally, our manager would want to write it. But this time, it's better to let the lawyers take charge.
I got lunch in the company cafeteria last week, and we may end up saving over $40,000 a month as a result.
That's because I bumped into our head legal counsel while waiting in line. "When," I asked, "are we going to drop the requirement to retain all data?"
For several years, we have been forbidden to overwrite any data related to e-mail, home directories, financial systems and several other document repositories and systems. This ban arose from a stock-options grant investigation, now long concluded. Being barred from overwriting backup tapes comes at a cost; we're spending about $40,000 a month just for new tapes. More costs arise because we are prohibited from overwriting the hard drives of departed employees. At least that cost was alleviated recently with a new initiative to capture images of those hard drives before reassigning them to other employees.
Couldn't we relax the retention policy and get back to a normal state of affairs? I asked him. Yes, we could, he said, but not until we create a comprehensive data-retention policy. You could help, he said.
Data retention policies are fairly straightforward documents that establish how long information must be kept on hand, unaltered. Sounds simple, right? The problem is that different types of data must be retained for different lengths of time. Most data-retention policies open with a policy statement, followed by a retention schedule that lists every possible type of information that the company could have in its stores and the required retention period. There are also special instructions for archiving and for the ultimate destruction of the data, once the time limit has been exceeded. The policy is also likely to include procedures for retaining information when litigation is under way.
This week, I went to a meeting called by the head attorney. He started off by explaining that he had hired external legal counsel to help define the new policy. At first I felt somewhat offended, since I had expected to be responsible for developing the policy. By the end of the meeting, though, I felt more than happy to simply assist while leaving all the heavy lifting to the third party.
You see, a comprehensive data-retention schedule requires a considerable amount of data-gathering. For example, we need to know the general nature of all data held in servers, in storage, on backup tapes and on individual PCs. That includes both active data -- e-mail, chat logs, Unix system logs, and firewall and VPN logs, for example -- and inactive data such as documentation related to sales, service, legal and finance.
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!