Home > Ask the Security Experts > Expert Archive: Security Management Questions & Answers > How to properly protect and retain data
Ask The Security Expert: Questions & Answers
EMAIL THIS

How to properly protect and retain data

Shon Harris, past SearchSecurity.com expert EXPERT RESPONSE FROM: Shon Harris, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 12 June 2006
Are there any best practices for creating a records and/or data retention policy? High turnover causes "brain drain" and loss of completed work because users store information on their hard drives or in their email.


BROWSE BY TAG
Expert Archive: Security Management,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   Enterprise Data Protection,   Enterprise Data Governance,   Data Loss Prevention,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


RELATED CONTENT
Expert Archive: Security Management
What is the GISP certification and how does it compare to the CISSP certification?
Using a QSA to write up a PCI DSS report on compliance (ROC)
How can gap analysis be applied to the security SDLC?
Comparing low-cost security appliances to bigger, pricier appliances
What are some tips on protecting my security budget in a poor economy?
What value do research firms provide to their subscribing enterprises?
What certificate offers the best ROI for an IT project manager?
Is insider activity or outsider activity a bigger enterprise threat?
How does information security prevent fraud in the enterprise?
Differences between an SAS 70 data center and a Tier III data center

Information Security Policies, Procedures and Guidelines
Cybersecurity czar candidate questions clout of new position
Incident response planning
The basics of enterprise GRC project management
RSA council addresses growing security risks in the cloud
How to write a risk methodology that blends business, security needs
Risk management must include physical-logical security convergence
DHS fills National Cybersecurity Center post
New partnerships, creative thinking help security bust recession
Experts optimistic of Obama cybersecurity plan
WH cybersecurity plan needs private sector guidance

Enterprise Data Governance
Risk management must include physical-logical security convergence
Simple information security mistakes can cause data loss, says expert
Organizations struggle with data leakage prevention, rights management
Encryption in data management should never be ignored, expert says
Attackers cash in on fundamental data handling mistakes, Verizon finds
Data loss prevention benefits in the real world
Mass., Nev. data protection laws wrong, ineffective
Cybersecurity hearing highlights inadequacy of PCI DSS
Enforcing a vendor risk assessment to avoid outsourcing security risks
How to Secure Cloud Computing

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
defense in depth  (SearchSecurity.com)
non-disclosure agreement  (SearchSecurity.com)
security policy  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


This is a common concern for many organizations and it requires a few solutions that work together in a synergistic manner. Although your question pertains to an organization's intellectual property, you may also need to look at this issue from a regulatory perspective. Different regulations require organizations to retain certain types of records for specific amounts of time. Therefore, there is not only the threat of losing work that the company has paid to be completed, but also penalties of being non-compliant to certain laws and regulations. Not properly protecting data can also bring about lawsuits and potentially criminal offenses. However, because the crux of this question is about productivity degradation, let's examine it from this perspective.

One of the best ways to handle this situation is to create a holistic backup solution. In many software development environments, programmers must save their work to a central source save database, which is usually backed-up each night. This ensures that work is not lost if a hard drive fails.

You could also setup automated backup jobs to back up specific directories on servers and workers' workstations. This can occur each night or every Friday night depending on what makes sense for your organization. With this approach an organization would retain a good amount of data that can potentially be used if an employee leaves the company. It would be wise to include a clause in your policy that informs employees that if they want to access a Web site, they will have to physically sign or click 'Yes.' Doing so, will help you avoid someone claiming to have had an expectation of privacy. You should also consult with your legal counsel when creating this policy to make sure your company is properly protected.

Another more costly approach is to implement a storage area network (SAN). Companies usually implement SANs because they have a lot of data to store and keep track of, not because they are afraid of the data leaving the organization, so this could be overkill for your needs.

Finally, your organization can look at various data backup solutions, SANs, email archiving systems and electronic content management repositories.

If you're interested in learning about email archiving, visit our sister site SearchSMB.com to read the tip, Top 10 best practices for email archiving:

  • http://searchsmb.techtarget.com/tip/1,289483,sid44_gci1159997,00.html
  • To learn more about data retention and archiving, please review the following Web site:

  • http://www.complianceresources.org/solutions/record_retention.html
  • Although there isn't necessarily a standard on how to write a retention policy, the following SANs paper provides some direction and a template:

  • http://www.sans.org/rr/whitepapers/backup/514.php
  • The following are some example policies:

  • http://www.pitt.edu/~provost/retention.html
  • http://www.olemiss.edu/depts/telephone_exchange/Records/RECORDS.htm
  • http://process.umn.edu/groups/ppd/documents/policy/record_retention.cfm
  • http://www.dartmouth.edu/~osp/resources/policies/dartmouth/dataretention.html
  • For More Infomation:

  • Create an effective storage security policy.
  • Learn how to create and manage security policies.



  • Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    Targeted Security Channel Tips for Resellers, Integrators and Consultants
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy
      TechTarget - The IT Media ROI Experts