Security Manager's Journal: Writing a data retention policy isn't as simple as it sounds
Establishing a policy on how long data must be retained seems easy enough. It isn't. For starters, not all data is the same.
At Issue: It's time for the company to set a new policy on data retention.
Action Plan: Normally, our manager would want to write it. But this time, it's better to let the lawyers take charge.
I got lunch in the company cafeteria last week, and we may end up saving over $40,000 a month as a result.
That's because I bumped into our head legal counsel while waiting in line. "When," I asked, "are we going to drop the requirement to retain all data?"
For several years, we have been forbidden to overwrite any data related to e-mail, home directories, financial systems and several other document repositories and systems. This ban arose from a stock-options grant investigation, now long concluded. Being barred from overwriting backup tapes comes at a cost; we're spending about $40,000 a month just for new tapes. More costs arise because we are prohibited from overwriting the hard drives of departed employees. At least that cost was alleviated recently with a new initiative to capture images of those hard drives before reassigning them to other employees.
Couldn't we relax the retention policy and get back to a normal state of affairs? I asked him. Yes, we could, he said, but not until we create a comprehensive data-retention policy. You could help, he said.
Data retention policies are fairly straightforward documents that establish how long information must be kept on hand, unaltered. Sounds simple, right? The problem is that different types of data must be retained for different lengths of time. Most data-retention policies open with a policy statement, followed by a retention schedule that lists every possible type of information that the company could have in its stores and the required retention period. There are also special instructions for archiving and for the ultimate destruction of the data, once the time limit has been exceeded. The policy is also likely to include procedures for retaining information when litigation is under way.
This week, I went to a meeting called by the head attorney. He started off by explaining that he had hired external legal counsel to help define the new policy. At first I felt somewhat offended, since I had expected to be responsible for developing the policy. By the end of the meeting, though, I felt more than happy to simply assist while leaving all the heavy lifting to the third party.
You see, a comprehensive data-retention schedule requires a considerable amount of data-gathering. For example, we need to know the general nature of all data held in servers, in storage, on backup tapes and on individual PCs. That includes both active data -- e-mail, chat logs, Unix system logs, and firewall and VPN logs, for example -- and inactive data such as documentation related to sales, service, legal and finance.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts