Ask the Expert

SOX data retention policies: What to do with old software archives

Does Sarbanes-Oxley (SOX) require an organization to maintain the capability to produce all the data that the law requires be secured, even if the only way we can access some of that sensitive data anymore is by re-loading old software that we no longer use (thus, no longer have access to the data on a day-to-day basis)?

    Requires Free Membership to View

This is an interesting question that certainly can apply to other regulatory environments requiring access to old information as well. Please recall that the stated purpose of SOX is: "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the security laws, and for other purposes." At first blush it seems appropriate to retain this information and secure it per SOX regulations, albeit in an outdated format.

That said, here are some questions to ask when deciding how to handle this data going forward:

  • Can this older information be transferred into other formats such as Adobe PDF or even common file types such as .txt, .cvs, etc.? If so, then you may only need to save the older records into a searchable format. (Of note, you can also hash this information for integrity checks and verifications later on.)

  • Can you outsource the data access to organizations that have standing capabilities to access and read data in older formats and system types? That way, your company does not need to maintain the necessary hardware and software to maintain access to the information.

Your best bet is to direct this question to your corporate auditor to ensure the decision that is made is consistent with the auditor's perceptions of how this data should be handled.

This was first published in March 2010

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: