Data retention, like security policy management, can be one of the most boring aspects of IT. That said, it's also one of the most critical elements to manage properly if you're going to minimize IT-related risks. Given the critical nature of email to most businesses, Microsoft Exchange should be front and center in any given email data retention program.
Interestingly, it's rare for me to see any business, nonprofit or government agency have any formal email retention program. Of the data retention programs I've seen, they're often handled in much the same way physical security is handled -- siloed, at best. Typically, legal counsel or someone in executive management will have a policy or standard outlining how the business retains email that makes little or no reference to data classification. All data deemed pertinent to the business -- including email and files -- is lumped together in a paragraph or two covering what's stored and for how long.
When looking at the IT and security side of the equation, something totally different is taking place with email data retention. The underlying technical requirements are usually met. But the challenges come into play with email when Exchange data isn't retained long enough or it's stored indefinitely in the cloud or in local PST files that users store on their workstations. It's sort of a free-for-all -- controlled chaos.
IT and Exchange admins are doing their best with what they've got. Ditto for legal and management teams. Still, multiple groups have a finger in the pie, and they're not talking to one another to ensure that what needs to be done is actually getting done. Lack of oversight is the longtime bane of security. Unfortunately, these issues often won't surface until an incident occurs or an email discovery request is made in the midst of a lawsuit. The last thing you need is to be unprepared when someone calls you on the carpet.
Here are some important questions you need to answer to ensure Exchange data is being properly retained:
- Who's in charge of email data retention oversight? Are you meeting with this person or committee on a regular basis to ensure you're all on the same page?
- What data retention policies, standards and processes currently exist? Do they fit in with your regulatory requirements? What about contractual requirements?
- How do email and your Exchange environment fit in? What data housed within Exchange (e.g., emails, file attachments and public folders) falls within the scope? Have you looked in every nook and cranny of your network and the cloud to find where email is stored? It's the email you don't know about that can cause trouble.
Here are five general steps you can take when it comes to data retention policies in Exchange:
- Document what needs to be retained.
- Know where everything is located.
- Retain what you say you're retaining.
- Do away with everything else you don't need.
- And most importantly, make sure Exchange data retention is consistent and going according to plan.
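As an added illustration of the "know where everything is located" and "make sure retention is going according to plan" steps (this is example code written for this page, not the author's own script or anything from Microsoft), the PowerShell below does two things an Exchange admin can hand to the retention committee: it inventories PST files sitting in user profiles on workstations, which live entirely outside Exchange retention, and it flags mailboxes whose retention policy is missing, non-standard, or has no age limit on its default tag (i.e., mail is kept indefinitely). It assumes an on-premises Exchange Management Shell (or a remote session exposing Get-Mailbox, Get-RetentionPolicy and Get-RetentionPolicyTag), administrative access to the workstations' C$ share, and that the policy name "Default MRM Policy" and the workstation names are placeholders you replace with your own.

```powershell
# Added example (not from the original article): retention audit helper.
# Assumptions: runs in the Exchange Management Shell on-premises; the expected
# policy name and workstation names below are placeholders to adapt.

param(
    # The retention policy every mailbox is expected to carry (assumed name).
    [string]$ExpectedPolicy = 'Default MRM Policy',
    # Workstations whose user profiles are searched for PST files
    # (constructed sample names; replace with your inventory).
    [string[]]$Workstations = @('WS-SAMPLE-01', 'WS-SAMPLE-02'),
    [string]$ReportPath = "$env:TEMP\exchange-retention-audit.csv"
)

# Step 2: know where everything is located.
# PST files on workstations are outside Exchange retention entirely, so
# inventory them by scanning each machine's profile directory over the admin share.
function Find-LocalPstFiles {
    param([string[]]$Computers)
    foreach ($pc in $Computers) {
        $share = "\\$pc\C$\Users"   # assumes the C$ admin share is reachable
        if (-not (Test-Path $share)) {
            Write-Warning "Cannot reach $share; skipping $pc"
            continue
        }
        Get-ChildItem -Path $share -Filter *.pst -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Kind         = 'PST'
                    Location     = $_.FullName
                    SizeMB       = [math]::Round($_.Length / 1MB, 1)
                    LastModified = $_.LastWriteTime
                    Finding      = 'Mail stored outside Exchange retention'
                }
            }
    }
}

# Step 5: make sure retention is consistent and going according to plan.
# A policy whose default ("All") tag has no age limit keeps mail forever,
# which usually contradicts the written retention policy.
function Test-MailboxRetention {
    param([string]$Expected)
    $unboundedPolicies = Get-RetentionPolicy | Where-Object {
        $tags = $_.RetentionPolicyTagLinks | ForEach-Object { Get-RetentionPolicyTag -Identity $_.Name }
        -not ($tags | Where-Object { $_.Type -eq 'All' -and $_.AgeLimitForRetention })
    } | Select-Object -ExpandProperty Name

    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $policy = if ($_.RetentionPolicy) { $_.RetentionPolicy.Name } else { $null }
        $finding = $null
        if (-not $policy) {
            $finding = 'No retention policy assigned'
        } elseif ($policy -ne $Expected) {
            $finding = "Non-standard policy: $policy"
        } elseif ($unboundedPolicies -contains $policy) {
            $finding = 'Policy has no age limit on its default tag; mail kept indefinitely'
        }
        if ($finding) {
            [pscustomobject]@{
                Kind         = 'Mailbox'
                Location     = $_.PrimarySmtpAddress
                SizeMB       = $null
                LastModified = $null
                Finding      = $finding
            }
        }
    }
}

# Combine both views into one report the retention owner can review.
$results = @(Find-LocalPstFiles -Computers $Workstations) +
           @(Test-MailboxRetention -Expected $ExpectedPolicy)
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Format-Table Kind, Location, Finding -AutoSize
Write-Host "Findings: $($results.Count); report written to $ReportPath"
```

Run it on a schedule and diff the CSV between runs: a new PST path or a mailbox that has drifted off the expected policy is exactly the "email you don't know about" the article warns against, and catching it in a routine report is far cheaper than discovering it during an e-discovery request.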
If you keep too much Exchange data, it can be a liability. It's also a liability when you don't keep enough, especially if you're violating your own data-retention policies. Exchange data retention is a business challenge and a legal issue. As an IT professional, you should be there to serve as a subject matter expert -- a purveyor of knowledge and administrator of technologies -- not to manage the entire data retention function.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.