


I don't think we're really in disagreement. IT manages the records, yes.
That's the implementation of the policy that I mentioned. In, as you noted,
compliance with regs and the company's needs (as defined by the policy that
was created by the company with guidance from Legal).

Maybe I should have added that IT can and should act as a trusted adviser to
the business, but IT really cannot be expected to know the legal and
corporate value of the data it manages. Advice should be to the extent of
how the data management can be technologically achieved in a manner that
suits the company's needs and budget limits.

As with all other employees, IT staff needs to use due care when managing
data, and certainly if anything blatantly illegal is asked of an employee
then the employee has a responsibility to notify the appropriate people -
internal or otherwise. To that end the employee should be provided with a
reasonable understanding of the nature of the data they are managing; i.e.
data classification is needed before you can determine retention.

On Tue, Jul 20, 2010 at 10:05 AM, Dan Kimmel <dkimmel@xxxxxxxxxxxxxxx> wrote:

I disagree with your assessment that records retention policy is not the
responsibility of IT. More and more it is the CIO's job to manage
company records in compliance with government regulations and company
legal and audit needs. Check this article from Forbes:
http://www.forbes.com/2010/07/17/security-documents-symantec-technology-cio-network-legal.html?boxes=Homepagechannels

Other departments may be responsible for defining the retention policy
but it is the IT office's job to "get'er done". I think IT should
participate in the definition of the retention policy.

Gross negligence or disregard of retention requirements is likely to
land the CIO in jail if records, particularly eDiscovery documents,
can't be produced. Failure to comply with the spirit of a legal hold
order will result in expensive sanctions against the company that will
reflect on the CIO's performance.

Look for retention policy information at www.aiim.org. AIIM has done
lots of work in accumulating information. Most of the information is
available without creating an account. If you choose to create an
account, AIIM is very respectful of your eMail volume.

Dan Kimmel

--


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Jones
Sent: Tuesday, July 20, 2010 7:41 AM
To: Midrange Systems Technical Discussion; RMunday@xxxxxxxxxxxxx
Subject: Re: Data Retention Policy

(Replying to you & the list)

I can't stress enough that it is not IT's job to determine data
classification & retention. IT is the custodian of business data, not
the owner. These are matters for Legal and the business leaders to
determine.
IT's job is merely to implement. If you think the company's guidance is
inadequate, respond once in writing/retained electronic communication to
air your opinion. If you're shot down, you've at least established that
you opposed the decision should the retention be an issue in the future.

Data retention is only part of the story. The other part is data
ownership & classification. Classify the data and the owner can
determine the appropriate retention.

Corporate financial data, for instance, probably does need to be 7 years
for tax & maybe SEC purposes. However, that doesn't mean all backups;
probably just the year-end would suffice. Your CFO or their delegate
should determine the retention (with input from Legal).

HR-type data may have a different retention.

Legal contract data may have something else, like contract length + x
years.

Email & other electronic communications (don't forget to keep corporate
IM conversations) may have an entirely different requirement.

Where the company resides may impact things as well as some states will
mandate longer retentions than other states. This will most likely
apply to HR-type data.

PCI, HIPAA, FDA, and other private/governmental contracts/legislation
may have applicable guidelines. You may have clients that contractually
require you to retain data for x years. I doubt Stein Mart does but my
employer deals with client financial data so we do.

Don't forget that "financial data" may include not only database files
but QHST and other log files from the system hosting the database. In
general you get a buy on log files - 90 days to 6 months is adequate -
but some businesses may want more. Legal should provide guidance as log
files would only be needed for forensic/dispute resolution purposes.


There's some good info out there, like this from SANS:
http://www.sans.org/reading_room/whitepapers/backup/electronic-data-retention-policy_514(PDF).
It's the top hit when Googling for "data retention policies".


If you have access to the company CISO/CSO, you might consult with them.
They'd be in a better position to provide related guidance.

BTW, since this is under review now, it wouldn't hurt to ask how backups
should be stored. Is encryption required? What requirements must the
off-site facility meet? And so on.

Best of luck,

On Tue, Jul 20, 2010 at 6:55 AM, Robert Munday <rwmunday@xxxxxxxxxxxxx> wrote:

Greetings from sunny Florida.

I am charged with codifying our company's data retention policy. The
official company policy document lists most of our data media as having a
seven year retention. This also mirrors what the IRS requires from what I
have been able to research. Upper management does not agree with seven
years and thinks it's a lower figure.

What is your company's data retention policy? Other than IRS.gov, where
can I find a definitive answer to the time interval required?

Please reply to my work address at RMunday@xxxxxxxxxxxxx as I do not have
access to my online e-mail at work.

Thanks,

Robert Munday
Munday Software Consultants
Montgomery, AL
on assignment in Jacksonville, FL
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.




--
JJ
4 Out of 3 people have trouble with fractions.






This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
