Review data holdings at least once a year; add a "space used/space free" report line to the daily checklist.
You need copies of data for backups and legal
In a February 2001 Computerworld article entitled, "Destroy E-Mail, and Find Trouble," legal expert Emily Frye said, "Almost every organization in the U.S. uses e-mail to conduct business, and that results in business records. By their very nature (and often by law), business records must be managed throughout their lifecycles, not arbitrarily destroyed or preserved. Ultimately, business records are designed to serve as evidence in a court of law. They tell a story about how an organization conducted its business. If your company conducted its business electronically and can no longer show how it did so, then it has destroyed documents that both you and a potential legal adversary have the right to see and use in court. An e-mail management policy needs to incorporate the answers to two questions. First, which components of a company's e-mail contain business, historic or legal value? And second, how can an e-mail system be mapped to industry-specific laws and regulations that apply to records management procedures?" These questions can be extrapolated to all of the data records your systems keep, not just e-mail.
Assuming you are auditing, a full audit partition (not the entire system, just the section where audit logs are written) will normally do one of three things: 1) write over the oldest log entries; 2) alert you and stop auditing but continue to process; or 3) stop the entire system. Be sure you know what auditing characteristics are required from a legal standpoint. If your systems are set to act like items 1 or 2, be prepared to explain to an auditor why your auditing logs aren't intact if you need to research an issue or are taken to court. If the third auditing characteristic is your operating requirement, ensure your system has adequate space so availability of service isn't impacted.
Determine which of your organization's files contain business, historic or legal value. Then you and management decide what specific laws and regulations apply to records management procedures in your industry and devise your organization's data storage strategy. Urge users to delete multiple copies of files over 1 MB, or at least copies older than say, two years. Do the same for your servers, especially the space hogs like the e-mail and auditing servers, in accordance with your legal requirements. The good news/bad news in the storage department is that while storage methodologies are growing at fabulous rates, so are the amounts of bits needed to save files like graphics, video and the like. As a result of this task, assess whether you will need additional storage. Your daily systems checklist also should include a space used/free report (disk usage or percentage of disk full). Most systems automatically alert when a system reaches a certain default capacity. Usually this is 80%. If you have space-intensive files, you may want to change the notification threshold to something like 70%.
Operating manuals will tell you what the default space and auditing notification thresholds are set to. For information on legal requirements for saving business records, check with your legal counsel, any formal government oversight organizations that you must follow or your industry's leading professional association. Or you can adapt and adopt industry best practices as guidelines from auditors like KPMG, Ernst and Young, PricewaterhouseCoopers, etc.
About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:email@example.com.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
This was first published in April 2004