Security Manager's Journal: Writing a data retention policy isn't as simple as it sounds
Establishing a policy on how long data must be retained seems easy enough. It isn't. For starters, not all data is the same.
At Issue: It's time for the company to set a new policy on data retention.
Action Plan: Normally, our manager would want to write it. But this time, it's better to let the lawyers take charge.
I got lunch in the company cafeteria last week, and we may end up saving over $40,000 a month as a result.
That's because I bumped into our head legal counsel while waiting in line. "When," I asked, "are we going to drop the requirement to retain all data?"
For several years, we have been forbidden to overwrite any data related to e-mail, home directories, financial systems and several other document repositories and systems. This ban arose from a stock-options grant investigation, now long concluded. Being barred from overwriting backup tapes comes at a cost; we're spending about $40,000 a month just for new tapes. More costs arise because we are prohibited from overwriting the hard drives of departed employees. At least that cost was alleviated recently with a new initiative to capture images of those hard drives before reassigning them to other employees.
Couldn't we relax the retention policy and get back to a normal state of affairs? I asked him. Yes, we could, he said, but not until we create a comprehensive data-retention policy. You could help, he said.
Data retention policies are fairly straightforward documents that establish how long information must be kept on hand, unaltered. Sounds simple, right? The problem is that different types of data must be retained for different lengths of time. Most data-retention policies open with a policy statement, followed by a retention schedule that lists every possible type of information that the company could have in its stores and the required retention period. There are also special instructions for archiving and for the ultimate destruction of the data, once the time limit has been exceeded. The policy is also likely to include procedures for retaining information when litigation is under way.
This week, I went to a meeting called by the head attorney. He started off by explaining that he had hired external legal counsel to help define the new policy. At first I felt somewhat offended, since I had expected to be responsible for developing the policy. By the end of the meeting, though, I felt more than happy to simply assist while leaving all the heavy lifting to the third party.
You see, a comprehensive data-retention schedule requires a considerable amount of data-gathering. For example, we need to know the general nature of all data held in servers, in storage, on backup tapes and on individual PCs. That includes both active data -- e-mail, chat logs, Unix system logs, and firewall and VPN logs, for example -- and inactive data such as documentation related to sales, service, legal and finance.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!