(Replying to you & the list)
I can't stress enough that it is not IT's job to determine data
classification & retention. IT is the custodian of business data, not the
owner. These are matters for Legal and the business leaders to determine.
IT's job is merely to implement. If you think the company's guidance is
inadequate, respond once in writing/retained electronic communication to air
your opinion. If you're shot down, you've at least established that you
opposed the decision should the retention be an issue in the future.
Data retention is only part of the story. The other part is data ownership
& classification. Classify the data and the owner can determine the
appropriate retention.
Corporate financial data, for instance, probably does need to be 7 years for
tax & maybe SEC purposes. However, that doesn't mean all backups; probably
just the year-end would suffice. Your CFO or their delegate should
determine the retention (with input from Legal).
HR-type data may have a different retention.
Legal contract data may have something else, like contract length + x years.
Email & other electronic communications (don't forget to keep corporate IM
conversations) may have an entirely different requirement.
Where the company resides may impact things as well as some states will
mandate longer retentions than other states. This will most likely apply to
HR-type data.
PCI, HIPAA, FDA, and other private/governmental contracts/legislation may
have applicable guidelines. You may have clients that contractually require
you to retain data for x years. I doubt Stein Mart does but my employer
deals with client financial data so we do.
Don't forget that "financial data" may include not only database files but
QHST and other log files from the system hosting the database. In general
you get a bye on log files - 90 days to 6 months is adequate - but some
businesses may want more. Legal should provide guidance as log files would
only be needed for forensic/dispute resolution purposes.
There's some good info out there, like this from SANS:
http://www.sans.org/reading_room/whitepapers/backup/electronic-data-retention-policy_514(PDF).
It's the top hit when Googling for "data retention policies".
If you have access to the company CISO/CSO, you might consult with them.
They'd be in a better position to provide related guidance.
BTW, since this is under review now, it wouldn't hurt to ask how backups
should be stored. Is encryption required? What requirements must the
off-site facility meet? And so on.
Best of luck,
On Tue, Jul 20, 2010 at 6:55 AM, Robert Munday <rwmunday@xxxxxxxxxxxxx> wrote:
Greetings from sunny Florida.
I am charged with codifying our company's data retention policy. The
official company policy document lists most of our data media as having a
seven year retention. This also mirrors what the IRS requires from what I
have been able to research. Upper management does not agree with seven
years and thinks it's a lower figure.
What is your company's data retention policy? Other than IRS.gov, where
can I find a definitive answer to the time interval required?
Please reply to my work address at RMunday@xxxxxxxxxxxxx as I do not have
access to my online e-mail at work.
Thanks,
Robert Munday
Munday Software Consultants
Montgomery, AL
on assignment in Jacksonville, FL
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.