In many organizations, data and records retention is not the IT department's responsibility. Some large companies have been known to dedicate an entire department to keep up with data and records retention compliance issues. Does this mean that the IT folks don't need to worry about retention issues? Just the opposite is true.
From an IT management point of view, business-critical data must be maintained in a logical, easily retrievable manner. The challenge for Windows managers is determining what data to keep, how long to keep it, who should have access to it and where to securely store it.
Groups within an enterprise must work together to ensure data retention compliance is met. These groups include the legal department and the IT shop, along with finance, information security, auditing and the operations departments.
Many types of data need retention schedules. Some of the most important data types that address regulatory, auditing and e-discovery retention requirements include the following:
- Access logs for files containing personally identifiable information
- Server configuration change logs
- Logs of website visits
- Application and security settings
- System log overwrites
- Evidence files as specified by legal counsel
- Security logs
After setting retention schedules, Windows managers need to follow up to make sure the Windows servers are configured accordingly.
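One concrete follow-up check is whether the Windows event logs on a server can actually hold events for as long as the retention schedule says, or whether circular logging will overwrite them first. The script below is an added example, not code from the original article or its author: it compares each log's maximum size and log mode against a retention policy table and, where a server is out of policy, corrects the settings with wevtutil. It assumes Windows Server with PowerShell 5.1 or later run from an elevated prompt; the policy table, its size values and the function names are constructed for illustration and should be replaced with values from your own policy.

```powershell
# Added example, not from the original article. Audits the retention
# settings of selected Windows event logs against a retention policy
# and optionally corrects them. Assumes Windows Server with PowerShell
# 5.1 or later, run from an elevated prompt. The policy table below is
# constructed for illustration; take real values from your own policy.

# Policy: minimum log size and required log mode. Modes as reported by
# Get-WinEvent: Circular (oldest events overwritten when full), Retain
# (log stops accepting events when full), AutoBackup (log is archived
# to a new .evtx file when full, then cleared).
$RetentionPolicy = @{
    'Security'    = @{ MinSizeMB = 1024; RequiredMode = 'AutoBackup' }
    'System'      = @{ MinSizeMB = 256;  RequiredMode = 'AutoBackup' }
    'Application' = @{ MinSizeMB = 256;  RequiredMode = 'Circular'   }
}

function Test-EventLogRetention {
    param([Parameter(Mandatory)][hashtable]$Policy)
    foreach ($name in $Policy.Keys) {
        $log    = Get-WinEvent -ListLog $name -ErrorAction Stop
        $rule   = $Policy[$name]
        $sizeMB = [math]::Floor($log.MaximumSizeInBytes / 1MB)
        $issues = @()
        if (-not $log.IsEnabled) { $issues += 'log is disabled' }
        if ($sizeMB -lt $rule.MinSizeMB) {
            $issues += "maximum size ${sizeMB}MB is below policy minimum $($rule.MinSizeMB)MB"
        }
        if ("$($log.LogMode)" -ne $rule.RequiredMode) {
            $issues += "log mode is $($log.LogMode), policy requires $($rule.RequiredMode)"
        }
        [pscustomobject]@{
            LogName     = $name
            SizeMB      = $sizeMB
            LogMode     = "$($log.LogMode)"
            RecordCount = $log.RecordCount
            Compliant   = ($issues.Count -eq 0)
            Issues      = ($issues -join '; ')
        }
    }
}

function Set-EventLogRetention {
    param([Parameter(Mandatory)][hashtable]$Policy)
    foreach ($name in $Policy.Keys) {
        $rule  = $Policy[$name]
        $bytes = $rule.MinSizeMB * 1MB
        # wevtutil: /rt (retain) and /ab (auto-backup) together select the log mode.
        switch ($rule.RequiredMode) {
            'Circular'   { $rt = 'false'; $ab = 'false' }
            'Retain'     { $rt = 'true';  $ab = 'false' }
            'AutoBackup' { $rt = 'true';  $ab = 'true'  }
        }
        & wevtutil.exe sl $name "/ms:$bytes" "/rt:$rt" "/ab:$ab"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "wevtutil failed for $name (exit code $LASTEXITCODE)"
        }
    }
}

# Usage: report first, then remediate only if something is out of policy.
$report = Test-EventLogRetention -Policy $RetentionPolicy
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Set-EventLogRetention -Policy $RetentionPolicy
    Test-EventLogRetention -Policy $RetentionPolicy | Format-Table -AutoSize
}
```

Two caveats apply in practice. AutoBackup only prevents overwrites; the archived .evtx files it writes into the event log directory still have to be moved to the archive location named in the policy, and deleted when their retention period ends, otherwise the "irreversible destruction" requirement discussed later in this article is not met. And on domain-joined servers the same settings are normally enforced through Group Policy rather than per server, so the audit function is the part worth scheduling across the estate; the remediation function is for standalone servers or for correcting drift before the policy reapplies.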
Establishing data retention requirements
To ensure data retention compliance, Windows managers first need to know what the requirements are at their organizations, which means locating and carefully reviewing the organization's data retention policies.
From those policies, IT managers should create procedures that ensure compliance. Once the procedures are written, they should meet with the information security and data retention teams to confirm that the procedures address all potential retention issues.
Here are three fundamental components of regulatory compliance within Windows environments that address data retention challenges:
Archiving -- Securely archiving accurate data, along with the corresponding audit trails, is required to preserve the integrity of the data and to show that a record is either the original or an accurate copy of the original.
Retention time -- Retaining specified types of data for a predetermined length of time, chosen to satisfy the regulatory, contractual and industry standards that apply to the organization.
E-discovery -- Establishing procedures and using tools to quickly access specific electronically-stored information for legal discovery purposes.
Meeting data retention compliance
To meet regulatory compliance, Windows managers must know which regulatory and standards requirements apply to their organizations and determine and document procedures to answer and support the following questions:
- What does your organization's data retention policy say?
- How and where will your organization archive these specified records and reports for these data types?
- How will you ensure each type of data record is retained for the required time periods?
- How will you ensure that only individuals with a business need can access the records?
- How will you validate that the records are all irreversibly destroyed at the end of the specified retention periods? For example, if your email policy states that email will be kept for one year and then destroyed, then you'd better make sure your email backup tapes are not retained for longer than one year.
- What tools will be used to find specific data items within the records if your organization is audited or becomes involved in a court case that requires e-discovery?
The retention periods for specific data records on Windows servers will hinge upon an organization's policies. If data retention policies and procedures are not established, Windows managers may be expected to restore and retrieve data from backup media if the organization becomes embroiled in a legal process that requires e-discovery or if an auditor asks the organization to produce specific data.
Data retention is an important business concern that IT departments must understand and support through appropriate data retention practices and procedures. Make sure Windows server retention policies exist in your organization and that solid procedures are in place to support them.
Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance and is the owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
This was first published in September 2008