It's interesting how much traffic this has generated. Good discussion.

It depends on how your business is organized. Where I've been involved with
such matters, though (a dozen times or so), the general consensus is that IT
are the *custodians* of the data, and their job in general is to manage
according to business rules and policies. It is seldom the responsibility
of IT to set such standards, though they invariably start the process. And,
frankly, in some businesses there's nobody else who will accept the task of
setting this policy, for whatever reason. But it is a "business rule," and
as such should usually be set by the "business."

Dennis Lovelady
http://www.linkedin.com/in/dennislovelady
--
"I am returning this otherwise good typing paper to you because someone has
printed gibberish all over it and put your name at the top."
-- English Professor, Ohio University

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Dan Kimmel
Sent: Tuesday, July 20, 2010 11:05 AM
To: Midrange Systems Technical Discussion
Subject: RE: Data Retention Policy

I disagree with your assessment that records retention policy is not the
responsibility of IT. More and more it is the CIO's job to manage
company records in compliance with government regulations and company
legal and audit needs. Check this article from Forbes:
http://www.forbes.com/2010/07/17/security-documents-symantec-technology-cio-network-legal.html?boxes=Homepagechannels

Other departments may be responsible for defining the retention policy
but it is the IT office's job to "get'er done". I think IT should
participate in the definition of the retention policy.

Gross negligence or disregard of retention requirements is likely to
land the CIO in jail if records, particularly eDiscovery documents,
can't be produced. Failure to comply with the spirit of a legal hold
order will result in expensive sanctions against the company that will
reflect on the CIO's performance.

Look for retention policy information at www.aiim.org. AIIM has done
lots of work in accumulating information. Most of the information is
available without creating an account. If you choose to create an
account, AIIM is very respectful of your eMail volume.

Dan Kimmel

--


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Jones
Sent: Tuesday, July 20, 2010 7:41 AM
To: Midrange Systems Technical Discussion; RMunday@xxxxxxxxxxxxx
Subject: Re: Data Retention Policy

(Replying to you & the list)

I can't stress enough that it is not IT's job to determine data
classification & retention. IT is the custodian of business data, not
the owner. These are matters for Legal and the business leaders to
determine.
IT's job is merely to implement. If you think the company's guidance is
inadequate, respond once in writing/retained electronic communication to
air your opinion. If you're shot down, you've at least established that
you opposed the decision should the retention be an issue in the future.

Data retention is only part of the story. The other part is data
ownership & classification. Classify the data and the owner can
determine the appropriate retention.

Corporate financial data, for instance, probably does need to be 7 years
for tax & maybe SEC purposes. However, that doesn't mean all backups;
probably just the year-end would suffice. Your CFO or their delegate
should determine the retention (with input from Legal).

HR-type data may have a different retention.

Legal contract data may have something else, like contract length + x
years.

Email & other electronic communications (don't forget to keep corporate
IM conversations) may have an entirely different requirement.

Where the company resides may impact things as well as some states will
mandate longer retentions than other states. This will most likely
apply to HR-type data.

PCI, HIPAA, FDA, and other private/governmental contracts/legislation
may have applicable guidelines. You may have clients that contractually
require you to retain data for x years. I doubt Stein Mart does but my
employer deals with client financial data so we do.

Don't forget that "financial data" may include not only database files
but QHST and other log files from the system hosting the database. In
general you get a buy on log files - 90 days to 6 months is adequate -
but some businesses may want more. Legal should provide guidance as log
files would only be needed for forensic/dispute resolution purposes.


There's some good info out there, like this from SANS:
http://www.sans.org/reading_room/whitepapers/backup/electronic-data-retention-policy_514 (PDF).
It's the top hit when Googling for "data retention policies".


If you have access to the company CISO/CSO, you might consult with them.
They'd be in a better position to provide related guidance.

BTW, since this is under review now, it wouldn't hurt to ask how backups
should be stored. Is encryption required? What requirements must the
off-site facility meet? And so on.

Best of luck,

On Tue, Jul 20, 2010 at 6:55 AM, Robert Munday <rwmunday@xxxxxxxxxxxxx> wrote:

Greetings from sunny Florida.

I am charged with codifying our company's data retention policy. The
official company policy document lists most of our data media as having a
seven year retention. This also mirrors what the IRS requires from what I
have been able to research. Upper management does not agree with seven
years and thinks it's a lower figure.

What is your company's data retention policy? Other than IRS.gov, where
can I find a definitive answer to the time interval required?

Please reply to my work address at RMunday@xxxxxxxxxxxxx as I do not have
access to my online e-mail at work.

Thanks,

Robert Munday
Munday Software Consultants
Montgomery, AL
on assignment in Jacksonville, FL



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].