Data retention is one of those unsexy areas of IT management that we know needs to be addressed but would rather ignore. Besides, that’s what your legal team is for, right?
Well, not really. And unfortunately, data retention is not something you can avoid. There are real ramifications if your business doesn’t properly retain and protect email messages, especially once there’s notice of a lawsuit. Holding onto Exchange email for too long creates unnecessary business risk of its own.
Data retention policy dos and don’ts
Exchange data retention is a science, not an art. You must have a clear and concise idea of what your business is required to keep, for how long, and what risk it is willing to take on. Otherwise, you run the risk of increased liability, spoliation of evidence and numerous other negative side effects when lawyers get involved.
Some companies think it’s as simple as saying, “We’re saving all email indefinitely” or “We should try to save what’s needed, and then delete everything else after a year or so.” It’s not.
Another common gaffe is when in-house legal counsel downloads a template off the Web and pulls a random retention time out of the air. Some people mistakenly think that this is enough for an effective data retention policy.
Who and what data retention policies should include
To assemble an effective data retention policy -- especially for Microsoft Exchange Server -- all the right people need to be involved:
- Legal -- To ensure that accurate retention and legal hold times are used.
- Human resources -- To ensure acceptable usage policies and other employee matters are enforced.
- Operations -- To ensure that all business units are on board.
- IT -- To ensure that all technical aspects are addressed.
- Security -- To ensure that policies are being enforced and that data is properly protected.
A successful Exchange data retention policy must take the following into account:
- The various types of data stored in Exchange, not just email
- All versions of Exchange currently running in your environment
- All of the email sitting around on backup tapes, external drives and the legacy servers stored away in your data center. It should also include the Exchange data that’s pushed from servers, workstations and smartphones to online backup services in the cloud.
- All regulations, contracts and policies. This includes specific laws like HIPAA, HITECH, and GLBA. It should also encompass business partner agreements and internal policies involving backups, disaster recovery, incident response, etc.
Your data retention policy should also utilize built-in Exchange functionality, or perhaps even better, a third-party data retention application for actual enforcement, visibility and ongoing administration. It should also follow a security policy template format that is easy to read, understand and manage.
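As an added example (not code from the original article), here is what that built-in enforcement and visibility look like with the Messaging Records Management features of Exchange 2010, run from the Exchange Management Shell. The tag names, age limits, mailbox identity and intranet URL are assumptions chosen for illustration; the real periods come from the cross-functional policy work described above, not from this script.

```powershell
# Added example, not from the original article. Uses Exchange 2010's built-in
# Messaging Records Management (MRM) cmdlets. Tag names, day counts, the
# mailbox "jsmith" and the intranet URL are assumed values for illustration.

# 1. Retention tags. The periods must come from the legal/HR/operations
#    agreement, never from a number pulled out of the air.
New-RetentionPolicyTag -Name "Corp-Default-3Y" -Type All `
    -AgeLimitForRetention 1095 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Default: delete mail after 3 years unless another tag applies"

New-RetentionPolicyTag -Name "Corp-DeletedItems-30D" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction PermanentlyDelete

New-RetentionPolicyTag -Name "Corp-Keep-7Y" -Type Personal `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Users apply this to records with a 7-year regulatory requirement"

# 2. Bundle the tags into one policy and assign it to every mailbox.
New-RetentionPolicy -Name "Corp-Retention" `
    -RetentionPolicyTagLinks "Corp-Default-3Y","Corp-DeletedItems-30D","Corp-Keep-7Y"

Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -RetentionPolicy "Corp-Retention"

# 3. Legal hold. Once there is notice of litigation, preserve the custodian's
#    mailbox. The retention tags keep running, but items subject to the hold
#    are kept in Recoverable Items instead of being purged.
Set-Mailbox -Identity "jsmith" -LitigationHoldEnabled $true `
    -RetentionComment "Litigation hold requested by Legal. Do not delete mail." `
    -RetentionUrl "https://intranet.example.com/legal/hold"

# 4. Apply the policy now rather than waiting for the next assistant cycle.
Start-ManagedFolderAssistant -Identity "jsmith"

# 5. Visibility checks: every mailbox should carry the policy, and the set of
#    mailboxes on hold should match Legal's list exactly.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.RetentionPolicy)" -ne "Corp-Retention" } |
    Select-Object DisplayName, RetentionPolicy

Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled } |
    Select-Object DisplayName, LitigationHoldEnabled, RetentionComment
```

Two caveats a practitioner should keep in mind. First, these cmdlets only govern mailboxes on Exchange 2010; the older versions the policy must also cover (Exchange 2007 uses managed folder mailbox policies instead) and the copies on backup tapes and legacy servers are outside their reach and need their own handling. Second, a litigation hold does not switch the retention tags off, so verify after setting a hold that items past their age limit are in fact being preserved rather than assuming it.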
Also, make sure to integrate your data retention plan with your overall records retention program. Get the right people on board, and come up with a game plan for determining what Exchange data you’ve got, where it’s located and whether it needs to be retained or dumped. Put something in place now and be done with it before your business gets bitten.
About the author: Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.
This was first published in June 2011