What are some best practices for retaining data in a highly regulated business environment?

Have a good information retention policy. I see a lot of organizations that retain backups or copies of databases, but they don't know why they're retaining them or for how long. This not only demands storage space, but can also consume network bandwidth and CPU cycles, and it presents a potential liability issue by retaining vast quantities of sensitive information that are susceptible to attack. There's no need to reinvent the wheel. Sample policies can easily be obtained from sources on the Internet.

If possible, the storage administrator or network administrator should try to get other people involved in the retention process. Don't develop a retention policy on your own, mainly because you won't be able to enforce it, especially if management has not bought into it. Perhaps create a compliance committee or IT governance committee to form the foundation of retention practices that encompass technical issues as well as business considerations, including legal and human resources.

Remember that it's not just about laws and regulations. You're also potentially dealing with litigation and discovery requests, so you must determine what to keep and how long it really needs to be kept. If you retain data longer than necessary, it can actually create some liabilities during litigation. The information you're retaining must be searchable and retrievable in a timely manner, so use technology, such as content indexing, to support retention. The faster a storage organization can facilitate an investigation or discovery request, the less expensive and disruptive it will be to the business.

You must also demonstrate that you have a secure storage environment for all of the data and information being protected. If trouble strikes and investigation proves that you do not have secure storage or a sound retention policy, or are not following the established policy, it will create additional legal problems for the enterprise.
