The law firm I currently work at has asked me to implement a retention policy for our records department. This project will also include email retention. Do you have any suggestions on questions to ask when I meet with consultants?
Since you work for a law firm, I assume that you already have the policy in place and you are responsible for implementing products to enforce the policy. That may be a bad assumption, so let's review what that policy should look like. Now I'm not a lawyer, so any mission-critical policy (like record retention) should be jointly developed with either your internal or external legal counsel to make sure it adheres to all industry guidelines and/or regulatory requirements.
In your policy, you should define what type of data needs to be retained and for how long. You need to specifically illustrate how the data will be retained – what kind of media, off-site storage, with what data protection – especially for sensitive data. Discussing specific technologies isn't necessary since technology changes often, but you need to be as distinct as possible. Specifying how and when data will be destroyed is also important.
Relative to questions for consultants, you want to focus on a few critical areas relative to retention:
Data sources – How easy is it to pump data into an archiving system? Can it take information from all of your data sources automatically, or is it a manual process?
Data protection – How are records being stored and protected? An archive isn't useful if it's not available or if data is stolen.
Indexing and searching – E-discovery is a huge business nowadays, which means email and other electronic documents need to be easily accessible. You can mushroom the price of any discovery project by manually locating and retrieving data. Make sure all data is easily accessible to authorized parties.