Have a good information retention policy. I see a lot of
organizations where they retain backups or copies of databases, but
they don't know why they're retaining them or for how long. This not
only demands storage space, but can also consume network bandwidth
and CPU cycles and present a potential liability issue by retaining
vast quantities of sensitive information that are susceptible to
attack. There's no need to reinvent the wheel. Sample policies can
easily be obtained from sources on the Internet.

If possible, the storage administrator or network administrator
should try to get other people involved in the retention process.
Don't develop a retention policy on your own, mainly because you
won't be able to enforce it, especially if management has not
bought into it. Perhaps create a compliance committee or IT
governance committee to form the foundation of retention practices
that encompass technical issues, as well as business
considerations, including legal and human resources.

Remember that it's not just about laws and regulations. You're
also potentially dealing with litigation and discovery requests, so
you must determine what to keep and how long it really needs to be
kept. If you retain data longer than necessary, it can actually
create some liabilities during litigation. The information you're
retaining must be searchable and retrievable in a timely
manner, so use technology, such as content indexing, to support
retention. The faster a storage organization can facilitate an
investigation or discovery request, the less expensive and
disruptive it will be to the business.

You must also demonstrate that you have a secure storage
environment for all of the data and information being protected. If
trouble strikes and an investigation proves that you do not have
secure storage or a sound retention policy, or are not following
the established policy, it will create additional legal problems
for the enterprise.