Before one can really decide how long records must be kept one should look at
defining the different type of documents there are. In my realm (Govt) we
define documents to include but not just limited to email as:
a. Transitory Records - is a record that is required only for a limited
time to ensure the completion of a routine action or the preparation of a
subsequent record. A transitory record is not a corporate record.
Examples of transitory records include:
· Information in a form used for casual communication;
· Copies used for convenience only; and
· Working drafts of letters, reports, and memos used for personal
reference (i.e., not communicated beyond the individual who created them); and
b. Corporate Record - is recorded information, regardless of physical
form, that is created, collected or received in the initiation, conduct,
control or completion of a business or operational activity. A corporate record
includes sufficient content, context and structure to provide evidence of a
business or operational activity. Corporate records are used to commit the
resources of an organization, give direction or declare the position or opinion
of an organization on any business subject or issue.
Examples of corporate records would include:
· Records used in decision-making;
· Developing or implementing a policy, directive, or procedure; or
· Carrying out government activities.
If you would agree to the above then there would be no real requirement to keep
transitory records for any longer than personal requirements. I would suggest
that ?Corporate documents? should be retained locally for at least a min of two
years then further archived (central headquarters or archive dept) for at least
5 to ten years.
With regard to ?Corporate Record? I would suggest that retention alone is not
sufficient. The ?Corporate Record? should if in digital/electronic format, be
digitally signed using an approved method. My environment uses the PKI/Entrust
technologies to meet the mandate of digitally signing all corporate documents.
David Levenick
Information Systems Security Officer
levenick@sympatico.ca
From: "Handy, Mark (IT)" <Mark.Handy@morganstanley.com>
Date: 2004/11/12 Fri PM 01:03:14 EST
To: <Robert.Mezzone@PJSolomon.Com>,
<security-management@securityfocus.com>
Subject: Re: Email Retention Policy
David Levenick
In most corporate environments, document retention periods would be set by regulatory requirements. It would then be up to the firm to ensure that data is accessible for the legally specified timeperiod.
As an example, UK financials must keep 7 years worth of ALL records.
-----Original Message-----
From: Robert Mezzone <Robert.Mezzone@PJSolomon.Com>
To: security-management@securityfocus.com <security-management@securityfocus.com>
Sent: Fri Nov 12 12:15:53 2004
Subject: Email Retention Policy
Is there a site that dicuss' what companies are doing regarding email and document retention in a corporate environment, I couldn't find anything on Google. I don't think think there is such a thing but thought I'd ask. My impression is it's a policy put into place by corporate management, and there is no industry wide standard, baring some government regulations of course. I work in the financial industry, if that matters.
Thanks.
Robert
NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.
