"As soon as you scan it, capture it, or otherwise originate or convert it in
electronic media, IT at least shares responsibility."

IT's responsibility is to carry out the policy. IT might help the data
owner to come up with the policy but their main responsibility is to carry
it out.

Re: holding backups for longer than needed

That's another policy item. The retention policy needs to spell out if
retention guidelines are the minimum acceptable or both minimum & maximum;
i.e. at least 30 days v. exactly 30 days. Data destruction also needs to be
in the policy. For instance (and relative to the midrange community), is it
enough for the tape to expire & be ready for reuse or does it have to be
loaded & re-initialized?

"I'm not an expert on this topic. I'm not familiar with COBIT or ITIL or
ISO17799, etc. You may be."

I'm not much on ITIL but have gone through COBIT and my employer is actively
organizing around ISO. I'm a CISSP (https://www.isc2.org/cissp/default.aspx)
and grew into IT Security from midrange sysadmin some time ago. The CISSP
domains go beyond pure IT to cover other aspects like law & compliance and
physical security.

Our corporate governance is that the business units own & classify the
data. Once classified, appropriate retention (and destruction) is
determined. IT and other departments may assist but the owner has
responsibility. Once determined, it is implemented. Implementation goes
well beyond IT as there are still plenty of paper/non-electronic documents.
As much as we've gone paperless for expense reports, AP, AR, invoicing,
check remittance, and so on, we still have a bunch of high speed printers
that are kept busy killing trees, filling file cabinets, and filling boxes
for eventual off-site archiving.

This model has passed muster with our Legal department, internal audit, and
external audit. Our policies are also provided to clients as needed and
there hasn't been any significant pushback. Our clients include major banks
& financial services companies, health care providers, major manufacturers,
and even some technology companies like that one just outside of Seattle.

"A Chief INFORMATION Officer, by title has responsibility for the
INFORMATION in the organization."

Let's be honest. CIO is misleading. It should really be CITO. I've yet to
see a CIO of a major organization whose job duties scoped beyond IT &
telecomm. Those printers, paper documents, and archiving tasks are handled
by Office Services (which, like a lot of IT, has been outsourced).
Likewise, you see CSO and CISO titles; CISO is more accurate unless they
have responsibility for physical and other aspects of security.

"The law is about 20 years behind .."

The law is always behind. That problem is exacerbated in modern times as
legislators look to "do something" about problems that get media attention
instead of problems that need addressing. Hence we have
cell-phone-while-driving laws that were immediately antiquated as they
needed to be supplemented by anti-texting laws. Among all the hoopla and
sound bites it was ignored that distracted driving/reckless driving laws
have existed for decades, already covered the issue, and that the actual
problem is a lack of enforcement not a lack of legislation.

The law might not be so far behind if it wouldn't let itself get distracted
by the 6 o'clock news and the next reelection campaign.

What a sour note to end on.

On Tue, Jul 20, 2010 at 3:04 PM, Dan Kimmel <dkimmel@xxxxxxxxxxxxxxx> wrote:


Sorry, John, I'm not that good.

As long as the records are on paper, stone, or other media, IT doesn't
own them.

As soon as you scan it, capture it, or otherwise originate or convert it
in electronic media, IT at least shares responsibility.

The biggest mea culpa I've seen in my experience is keeping information
too long. You may have a policy to keep eMail for 30 days, for instance.
If you regularly back up the eMail server and keep the tapes for 18
months, those tapes become eligible for eDiscovery. Just because you
have them. If a legal proceeding comes along that might need one eMail
from a tape that is just about to expire or has just expired and you
knowingly destroy the tape, you (IT dept) become at least complicit in,
if not totally liable for, contempt of court.

The eDiscovery amendments to the Federal Rules of Civil Procedure went
into effect Dec 1, 2006, by the way.

I'm not an expert on this topic. I'm not familiar with COBIT or ITIL or
ISO17799, etc. You may be. I'm opining, however, that I see a trend in
statutes and case law toward involving IT in responsibility. And I think
it is the "right" thing. A Chief INFORMATION Officer, by title, has
responsibility for the INFORMATION in the organization. The advent of
the CIO position itself marked a significant shift in the governance of
organizations toward encapsulating management of the records of the
organization in the office of one individual rather than the functional
or staff offices. The law is about 20 years behind this shift, but is
now catching up.


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Jones
Sent: Tuesday, July 20, 2010 12:40 PM
To: Midrange Systems Technical Discussion
Subject: Re: Data Retention Policy

Can you link to the legislation that makes the owner of data not
responsible for overseeing it through its lifecycle? Every information
management framework from COBIT to ITIL to ISO17799/27001/27002 uses an
information owner from the business, not IT (unless IT _is_ the business
owner), so I'll need proof if I'm to tell my C-level executives that
they, along with our legal staff, are all wrong.

Yes, IT is responsible for providing records in an eDiscovery effort.
However, the CIO and IT staff are only responsible for doing so within
the constraints of the company's retention policy. IT cannot produce
records they were not charged with retaining.

IT can assist with developing the policies but the senior executives are
the only ones who have the authority to make them official.

On Tue, Jul 20, 2010 at 11:54 AM, Dan Kimmel <dkimmel@xxxxxxxxxxxxxxx> wrote:

I believe new law and legal findings make IT responsible. The
eDiscovery legislation of, I believe, 2008 actually makes it the
responsibility of the CIO to establish a policy for the retention of
eMail and what to do if a legal hold is decreed. IT needs to consult
with legal when establishing the policy, of course.

The law recognizes that IT doesn't have the legal knowledge to do
everything and thereby recognizes a "best effort" as adequate in terms
of sanctions against IT staff. Yet, the company is going to rely
mightily on the opinions and actions of the CIO and sanctions against
the company as a result of an inadequate "best effort" are going to
reflect on the competency of the IT staff.

The eDiscovery statutes, in my opinion, recognize that IT is the de
facto custodian of company records particularly with regard to eMail.
I think we'll find over years that this custodianship will be extended
by the courts to all records of the company.

IT needs to take charge and manage the retention policies as well as
the retention of company records.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Jones
Sent: Tuesday, July 20, 2010 10:58 AM
To: Midrange Systems Technical Discussion
Subject: Re: Data Retention Policy

I don't think we're really in disagreement. IT manages the records,
yes. That's the implementation of the policy that I mentioned. In, as you
noted, compliance with regs and the company's needs (as defined by the
policy that was created by the company with guidance from Legal).

Maybe I should have added that IT can and should act as a trusted
adviser to the business, but IT really cannot be expected to know
the legal and corporate value of the data it manages. Advice should
be to the extent of how the data management can be technologically
achieved in a manner that suits the company's needs and budget limits.

As with all other employees, IT staff needs to use due care when
managing data, and certainly if anything blatantly illegal is asked of
an employee then the employee has a responsibility to notify the
appropriate people - internal or otherwise. To that end the employee
should be provided with a reasonable understanding of the nature of
the data they are managing; i.e. data classification is needed before
you can determine retention.

On Tue, Jul 20, 2010 at 10:05 AM, Dan Kimmel <dkimmel@xxxxxxxxxxxxxxx> wrote:

I disagree with your assessment that records retention policy is not
the responsibility of IT. More and more it is the CIO's job to
manage company records in compliance with government regulations and
company legal and audit needs. Check this article from Forbes:
http://www.forbes.com/2010/07/17/security-documents-symantec-technology-cio-network-legal.html?boxes=Homepagechannels

Other departments may be responsible for defining the retention policy
but it is the IT office's job to "get'er done". I think IT should
participate in the definition of the retention policy.

Gross negligence or disregard of retention requirements is likely to
land the CIO in jail if records, particularly eDiscovery documents,
can't be produced. Failure to comply with the spirit of a legal hold
order will result in expensive sanctions against the company that
will reflect on the CIO's performance.

Look for retention policy information at www.aiim.org. AIIM has done
lots of work in accumulating information. Most of the information is
available without creating an account. If you choose to create an
account, AIIM is very respectful of your eMail volume.

Dan Kimmel

--


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Jones
Sent: Tuesday, July 20, 2010 7:41 AM
To: Midrange Systems Technical Discussion; RMunday@xxxxxxxxxxxxx
Subject: Re: Data Retention Policy

(Replying to you & the list)

I can't stress enough that it is not IT's job to determine data
classification & retention. IT is the custodian of business data,
not the owner. These are matters for Legal and the business leaders to
determine. IT's job is merely to implement. If you think the company's
guidance is inadequate, respond once in writing/retained electronic
communication to air your opinion. If you're shot down, you've at
least established that you opposed the decision should the retention
be an issue in the future.

Data retention is only part of the story. The other part is data
ownership & classification. Classify the data and the owner can
determine the appropriate retention.

Corporate financial data, for instance, probably does need to be 7
years for tax & maybe SEC purposes. However, that doesn't mean all
backups; probably just the year-end would suffice. Your CFO or
their delegate should determine the retention (with input from
Legal).

HR-type data may have a different retention.

Legal contract data may have something else, like contract length +
x years.

Email & other electronic communications (don't forget to keep
corporate IM conversations) may have an entirely different requirement.

Where the company resides may impact things as well as some states
will mandate longer retentions than other states. This will most
likely apply to HR-type data.

PCI, HIPAA, FDA, and other private/governmental
contracts/legislation may have applicable guidelines. You may have
clients that contractually require you to retain data for x years.
I doubt Stein Mart does but my employer deals with client financial
data so we do.

Don't forget that "financial data" may include not only database files
but QHST and other log files from the system hosting the database. In
general you get a buy on log files - 90 days to 6 months is adequate -
but some businesses may want more. Legal should provide guidance as
log files would only be needed for forensic/dispute resolution
purposes.


There's some good info out there, like this from SANS:
http://www.sans.org/reading_room/whitepapers/backup/electronic-data-retention-policy_514 (PDF).
It's the top hit when Googling for "data retention policies"


If you have access to the company CISO/CSO, you might consult with
them. They'd be in a better position to provide related guidance.

BTW, since this is under review now, it wouldn't hurt to ask how
backups should be stored. Is encryption required? What
requirements must the off-site facility meet? And so on.

Best of luck,

On Tue, Jul 20, 2010 at 6:55 AM, Robert Munday <rwmunday@xxxxxxxxxxxxx> wrote:

Greetings from sunny Florida.

I am charged with codifying our company's data retention policy. The
official company policy document lists most of our data media as
having a seven year retention. This also mirrors what the IRS requires
from what I have been able to research. Upper management does not agree
with seven years and thinks it's a lower figure.

What is your company's data retention policy? Other than IRS.gov,
where can I find a definitive answer to the time interval required?

Please reply to my work address at RMunday@xxxxxxxxxxxxx as I do
not have access to my online e-mail at work.

Thanks,

Robert Munday
Munday Software Consultants
Montgomery, AL
on assignment in Jacksonville, FL
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.




--
JJ
4 Out of 3 people have trouble with fractions.





















