Wednesday, June 06, 2012

The Seven Deadly Sins of Records Retention

The Seven Deadly Sins of Records Retention. Sarah D. Scalet. CSO Security and Risk. July 01, 2006.
Legal actions in the past few years have made document retention programs important. One wrong step can cost an organization money. Some have concluded that they should archive, forever, anything and everything to be on the safe side. But keeping too much information is a risk too, since you can expose yourself to litigation risks and possibly violate privacy rights.
1. Not keeping your records straight from your backup.
  • The first step to a good records management program is simply identifying what a record is. E-mail servers and network drives get backed up to keep the business running. But a record is "something that you need to keep around for a set period of time, either for regulatory, legal or business reasons. Records encompass both structured information, like financial transactions ... and unstructured information, like financial spreadsheets."
  • "while backup media may be in a continual state of being written and overwritten, records that must legally be retained often need to be stored on immutable, nonrewritable storage, and should be either very well-organized, very easily searched or both."
2. Expecting the legal department to produce a rule of thumb for how long to store records.
3. Assuming that document retention is someone else's job.
4. Not being able to respond quickly to a request.
5. Having a policy you can't follow.
6. Failing to offer guidance on how to destroy old records.
7. Telling people to delete information at the wrong time.
Start with an accurate survey of the information that's in the organization, a data map.
"At the end of the day, you have to have some sort of written policy around it."
