the best approach is to circle the wagons with legal, hr and other senior
management around a corp. retention policy. once agreed to, said policy
can be monitored by ITS. As others have said, it is a moving target and
will remain so. best example of an industry which has already been down
this path is broker dealers. I try and manage my solutions to the higher
level drive by establish broker dealer laws. regulators are familiar with
these laws and importantly, with solutions established around them.
therefore you have a much better chance of achieving some level of
reasonable compliance.
Chuck Hutchings <chuck@netserco.com>
11/12/2004 12:02 PM
Please respond to chuck
To: Robert Mezzone <Robert.Mezzone@PJSolomon.Com>
cc: security-management@securityfocus.com
Subject: Re: Email Retention Policy
I also work in the financial sector, and am addressing this same problem
right now. There is no industry wide standard as far as I know, and I also
would like to see one. At the moment, I'm facing the possibility of
retaining emails for as long as seven years. The best I can say is that
"it depends" (in the words of Mark Rasch www.solutionary.com), and what it
mainly depends on is your security policy. If that says
that you keep emails for three years, then you keep them for three years,
and then eliminate them.
Chuck
Robert Mezzone wrote:
Is there a site that dicuss' what companies are doing regarding email and
document retention in a corporate environment, I couldn't find anything on
Google. I don't think think there is such a thing but thought I'd ask. My
impression is it's a policy put into place by corporate management, and
there is no industry wide standard, baring some government regulations of
course. I work in the financial industry, if that matters.
Thanks.
Robert
