How to properly protect and retain data

BROWSE BY TAG Expert Archive: Security Management,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   Enterprise Data Protection,   Enterprise Data Governance,   Data Loss Prevention,   VIEW ALL TAGS

RELATED CONTENT Expert Archive: Security Management What is the GISP certification and how does it compare to the CISSP certification? Using a QSA to write up a PCI DSS report on compliance (ROC) How can gap analysis be applied to the security SDLC? Comparing cheap security products and appliances to costly appliances What are some tips on protecting my security budget in a poor economy? What value do research firms provide to their subscribing enterprises? What certificate offers the best ROI for an IT project manager? Is insider activity or outsider activity a bigger enterprise threat? How does information security prevent fraud in the enterprise? Differences between an SAS 70 data center and a Tier III data center Information Security Policies, Procedures and Guidelines Schneier-Ranum face-off part 6: Audience questions Editor's Desk: Apathy and the Cybersecurity Coordinator Writing security policies using a taxonomy-based approach How to detect and respond to money laundering Health Net breach failure of security policy, technology How to protect distributed information flows Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Enterprise Data Governance How to protect distributed information flows Interpreting 'risk' in the Massachusetts data protection law Creating an enterprise data protection framework Analyst DLP study finds maturity, ranks top DLP vendors Voltage, RSA spar over tokenization, data protection Twitter gets condemned by CISOs at Forrester forum PCI DSS compliance requirements: Ensuring data integrity Trustwave acquires data loss prevention vendor Vericept Data has become too distributed to secure, Forrester says Cloud-based security services should start private

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

EXPERT RESPONSE FROM: Shon Harris, past SearchSecurity.com expert Pose a Question Other Security Categories Meet all Security Experts Become an Expert for this site

ANSWERED June 2006:
This is a common concern for many organizations and it requires a few solutions that work together in a synergistic manner. Although your question pertains to an organization's intellectual property, you may also need to look at this issue from a regulatory perspective. Different regulations require organizations to retain certain types of records for specific amounts of time. Therefore, there is not only the threat of losing work that the company has paid to be completed, but also penalties of being non-compliant to certain laws and regulations. Not properly protecting data can also bring about lawsuits and potentially criminal offenses. However, because the crux of this question is about productivity degradation, let's examine it from this perspective.

One of the best ways to handle this situation is to create a holistic backup solution. In many software development environments, programmers must save their work to a central source save database, which is usually backed-up each night. This ensures that work is not lost if a hard drive fails.

You could also setup automated backup jobs to back up specific directories on servers and workers' workstations. This can occur each night or every Friday night depending on what makes sense for your organization. With this approach an organization would retain a good amount of data that can potentially be used if an employee leaves the company. It would be wise to include a clause in your policy that informs employees that if they want to access a Web site, they will have to physically sign or click 'Yes.' Doing so, will help you avoid someone claiming to have had an expectation of privacy. You should also consult with your legal counsel when creating this policy to make sure your company is properly protected.

Another more costly approach is to implement a storage area network (SAN). Companies usually implement SANs because they have a lot of data to store and keep track of, not because they are afraid of the data leaving the organization, so this could be overkill for your needs.

Finally, your organization can look at various data backup solutions, SANs, email archiving systems and electronic content management repositories.

If you're interested in learning about email archiving, visit our sister site SearchSMB.com to read the tip, Top 10 best practices for email archiving:

To learn more about data retention and archiving, please review the following Web site:

Although there isn't necessarily a standard on how to write a retention policy, the following SANs paper provides some direction and a template:

The following are some example policies:

For More Infomation: