E-mail retention security policy
What is a recommended e-mail retention policy? I understand e-mail retention will be different when dealing with an incident; however, what would be a sound policy and why?
This is such a tricky area, because it depends on a myriad of state, federal and other laws. I know that HIPAA, the Sarbanes-Oxley Act, SEC, NASD and other federal regulations all have specific requirements on document retention that affect e-mail. Not being a lawyer and not understanding your particular situation, it's hard to give a specific answer on this. I would suggest for starters reading the e-mail retention white paper and possibly speaking with a lawyer or consultant about your specific circumstances.
This was first published in August 2003