Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Security Manager's Journal: Writing a data retention policy isn't as simple as it sounds

Establishing a policy on how long data must be retained seems easy enough. It isn't. For starters, not all data is the same.

July 27, 2009 12:01 AM ET

Computerworld -

Trouble Ticket

At Issue: It's time for the company to set a new policy on data retention.

Action Plan: Normally, our manager would want to write it. But this time, it's better to let the lawyers take charge.

I got lunch in the company cafeteria last week, and we may end up saving over $40,000 a month as a result.

That's because I bumped into our head legal counsel while waiting in line. "When," I asked, "are we going to drop the requirement to retain all data?"

For several years, we have been forbidden to overwrite any data related to e-mail, home directories, financial systems and several other document repositories and systems. This ban arose from a stock-options grant investigation, now long concluded. Being barred from overwriting backup tapes comes at a cost; we're spending about $40,000 a month just for new tapes. More costs arise because we are prohibited from overwriting the hard drives of departed employees. At least that cost was alleviated recently with a new initiative to capture images of those hard drives before reassigning them to other employees.

Couldn't we relax the retention policy and get back to a normal state of affairs? I asked him. Yes, we could, he said, but not until we create a comprehensive data-retention policy. You could help, he said.

Data retention policies are fairly straightforward documents that establish how long information must be kept on hand, unaltered. Sounds simple, right? The problem is that different types of data must be retained for different lengths of time. Most data-retention policies open with a policy statement, followed by a retention schedule that lists every possible type of information that the company could have in its stores and the required retention period. There are also special instructions for archiving and for the ultimate destruction of the data, once the time limit has been exceeded. The policy is also likely to include procedures for retaining information when litigation is under way.

This week, I went to a meeting called by the head attorney. He started off by explaining that he had hired external legal counsel to help define the new policy. At first I felt somewhat offended, since I had expected to be responsible for developing the policy. By the end of the meeting, though, I felt more than happy to simply assist while leaving all the heavy lifting to the third party.

Data Everywhere

You see, a comprehensive data-retention schedule requires a considerable amount of data-gathering. For example, we need to know the general nature of all data held in servers, in storage, on backup tapes and on individual PCs. That includes both active data -- e-mail, chat logs, Unix system logs, and firewall and VPN logs, for example -- and inactive data such as documentation related to sales, service, legal and finance.



Jump to comments

data retention policy

Additional Resources

EFD vs. HDD - What You Need to Know
WHITE PAPER
Enterprise flash drives provide a new Tier 0 storage layer capable of delivering high I/O performance at a very low latency. Proper use of EFDs in an Oracle environment can deliver increased performance compared to fibre channel drives. Read the recommendations for identification of the best DB components for EFDs.
Gartner Research Report: Magic Quadrant for Application Delivery Controllers, 2009
WHITE PAPER
The market for products to improve the delivery of application software over networks remains dynamic and innovative. Vendors focused on solving enterprises' most-pressing application problems have become the top players.
Eight Criteria for Server Load Balancing
WHITE PAPER
Server load balancers are a simple yet highly effective means to scale an application environment while ensuring its availability. Today's solutions should also address application performance and security. Read about the top eight criteria you should consider when choosing a server load balancer and how Citrix NetScaler meets those requirements.

What People Are Saying

White Papers & Webcasts

Death to PST Files
Download Now  

Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".

eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!  

Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...


IT Jobs