


Can you link to the legislation that makes the owner of data not responsible
for overseeing it through its lifecycle? Every information management
framework from COBIT to ITIL to ISO17799/27001/27002 uses an information
owner from the business, not IT (unless IT _is_ the business owner), so I'll
need proof if I'm to tell my C-level executives that they, along with our
legal staff, are all wrong.

Yes, IT is responsible for providing records in an eDiscovery effort.
However, the CIO and IT staff are only responsible for doing so within the
constraints of the company's retention policy. IT cannot produce records
they were not charged with retaining.

IT can assist with developing the policies but the senior executives are the
only ones who have the authority to make them official.

On Tue, Jul 20, 2010 at 11:54 AM, Dan Kimmel <dkimmel@xxxxxxxxxxxxxxx> wrote:

I believe new law and legal findings make IT responsible. The eDiscovery
legislation of, I believe, 2008 actually makes it the responsibility of
the CIO to establish a policy for the retention of eMail and what to do
if a legal hold is decreed. IT needs to consult with legal when
establishing the policy, of course.

The law recognizes that IT doesn't have the legal knowledge to do
everything and thereby recognizes a "best effort" as adequate in terms
of sanctions against IT staff. Yet, the company is going to rely
mightily on the opinions and actions of the CIO and sanctions against
the company as a result of an inadequate "best effort" are going to
reflect on the competency of the IT staff.

The eDiscovery statutes, in my opinion, recognize that IT is the de
facto custodian of company records particularly with regard to eMail. I
think we'll find over years that this custodianship will be extended by
the courts to all records of the company.

IT needs to take charge and manage the retention policies as well as the
retention of company records.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Jones
Sent: Tuesday, July 20, 2010 10:58 AM
To: Midrange Systems Technical Discussion
Subject: Re: Data Retention Policy

I don't think we're really in disagreement. IT manages the records, yes.
That's the implementation of the policy that I mentioned. In, as you
noted, compliance with regs and the company's needs (as defined by the
policy that was created by the company with guidance from Legal).

Maybe I should have added that IT can and should act as a trusted
adviser to the business, but IT really cannot be expected to know
the legal and corporate value of the data it manages. Advice should be
to the extent of how the data management can be technologically achieved
in a manner that suits the company's needs and budget limits.

As with all other employees, IT staff needs to use due care when
managing data, and certainly if anything blatantly illegal is asked of
an employee then the employee has a responsibility to notify the
appropriate people - internal or otherwise. To that end the employee
should be provided with a reasonable understanding of the nature of the
data they are managing; i.e.
data classification is needed before you can determine retention.

On Tue, Jul 20, 2010 at 10:05 AM, Dan Kimmel <dkimmel@xxxxxxxxxxxxxxx> wrote:

I disagree with your assessment that records retention policy is not
the responsibility of IT. More and more it is the CIO's job to manage
company records in compliance with government regulations and company
legal and audit needs. Check this article from Forbes:
http://www.forbes.com/2010/07/17/security-documents-symantec-technology-cio-network-legal.html?boxes=Homepagechannels

Other departments may be responsible for defining the retention policy
but it is the IT office's job to "get'er done". I think IT should
participate in the definition of the retention policy.

Gross negligence or disregard of retention requirements is likely to
land the CIO in jail if records, particularly eDiscovery documents,
can't be produced. Failure to comply with the spirit of a legal hold
order will result in expensive sanctions against the company that will
reflect on the CIO's performance.

Look for retention policy information at www.aiim.org. AIIM has done
lots of work in accumulating information. Most of the information is
available without creating an account. If you choose to create an
account, AIIM is very respectful of your eMail volume.

Dan Kimmel

--


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Jones
Sent: Tuesday, July 20, 2010 7:41 AM
To: Midrange Systems Technical Discussion; RMunday@xxxxxxxxxxxxx
Subject: Re: Data Retention Policy

(Replying to you & the list)

I can't stress enough that it is not IT's job to determine data
classification & retention. IT is the custodian of business data, not
the owner. These are matters for Legal and the business leaders to
determine. IT's job is merely to implement. If you think the company's
guidance is inadequate, respond once in writing/retained electronic
communication to air your opinion. If you're shot down, you've at
least established that you opposed the decision should the retention
be an issue in the future.

Data retention is only part of the story. The other part is data
ownership & classification. Classify the data and the owner can
determine the appropriate retention.

Corporate financial data, for instance, probably does need to be 7
years for tax & maybe SEC purposes. However, that doesn't mean all
backups; probably just the year-end would suffice. Your CFO or their
delegate should determine the retention (with input from Legal).

HR-type data may have a different retention.

Legal contract data may have something else, like contract length + x
years.

Email & other electronic communications (don't forget to keep
corporate IM conversations) may have an entirely different requirement.

Where the company resides may impact things as well as some states
will mandate longer retentions than other states. This will most
likely apply to HR-type data.

PCI, HIPAA, FDA, and other private/governmental contracts/legislation
may have applicable guidelines. You may have clients that
contractually require you to retain data for x years. I doubt Stein
Mart does but my employer deals with client financial data so we do.

Don't forget that "financial data" may include not only database files
but QHST and other log files from the system hosting the database. In
general you get a buy on log files - 90 days to 6 months is adequate -
but some businesses may want more. Legal should provide guidance as
log files would only be needed for forensic/dispute resolution
purposes.


There's some good info out there, like this from SANS:
http://www.sans.org/reading_room/whitepapers/backup/electronic-data-retention-policy_514 (PDF)
It's the top hit when Googling for "data retention policies".


If you have access to the company CISO/CSO, you might consult with
them. They'd be in a better position to provide related guidance.

BTW, since this is under review now, it wouldn't hurt to ask how
backups should be stored. Is encryption required? What requirements
must the off-site facility meet? And so on.

Best of luck,

On Tue, Jul 20, 2010 at 6:55 AM, Robert Munday <rwmunday@xxxxxxxxxxxxx> wrote:

Greetings from sunny Florida.

I am charged with codifying our company's data retention policy. The
official company policy document lists most of our data media as
having a seven year retention. This also mirrors what the IRS requires
from what I have been able to research. Upper management does not agree
with seven years and thinks it's a lower figure.

What is your company's data retention policy? Other than IRS.gov, where
can I find a definitive answer to the time interval required?

Please reply to my work address at RMunday@xxxxxxxxxxxxx as I do not
have access to my online e-mail at work.

Thanks,

Robert Munday
Munday Software Consultants
Montgomery, AL
on assignment in Jacksonville, FL
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.




--
JJ
4 Out of 3 people have trouble with fractions.







--
JJ
4 Out of 3 people have trouble with fractions.







