I want to thank everyone who contributed. We've learned a lot.
Now my problem as the admin is how to organize the data, i.e. get users to
seperate it so I can archive the stuff I have to and delete the rest. We're
a small investment banking firm, mainly in an advisory mode, but do a couple
of security related deals a year that fall under NASD guidelines. So we
don't need a sophisticated system. Thant being said, getting users to change
is next to impossible.
Thanks again.
Robert
-----Original Message-----
From: Kuisle, John P. <JPKuisle@fedins.com>
To: security-management@securityfocus.com
<security-management@securityfocus.com>
Sent: Tue Nov 16 10:44:35 2004
Subject: RE: Email Retention Policy
I think David makes some excellent points. Bottom line is the retention is
only part of the broader 'records management' process, which includes
identification, categorization and classification of records. Legal and
functional reps should all be involved in the process. Once in place, these
things will help drive how long records are kept. In my opinion (which is
reinforced by the opinion of our legal department), an e-mail copy of
something should never be kept longer than you'd keep a paper copy of a
document. Just because you can save a digital copy of something in a small
space and tuck it away doesn't mean you should. Any information you do keep
could be discoverable in a legal matter and may cost your company not only
the legal penalties, but the time and effort it takes to retrieve the
information.
John Kuisle
IS Supervisor - Security and Business Recovery
Federated Mutual Insurance
507-455-5477
-----Original Message-----
From: levenick@sympatico.ca [mailto:levenick@sympatico.ca]
Sent: Friday, November 12, 2004 1:04 PM
To: security-management@securityfocus.com
Cc: Robert.Mezzone@PJSolomon.Com
Subject: Email Retention Policy
Before one can really decide how long records must be kept one should look
at defining the different type of documents there are. In my realm (Govt)
we define documents to include but not just limited to email as:
a. Transitory Records - is a record that is required only for a limited
time to ensure the completion of a routine action or the preparation of a
subsequent record. A transitory record is not a corporate record.
Examples of transitory records include:
· Information in a form used for casual communication;
· Copies used for convenience only; and
· Working drafts of letters, reports, and memos used for personal
reference (i.e., not communicated beyond the individual who created them);
and
b. Corporate Record - is recorded information, regardless of physical
form, that is created, collected or received in the initiation, conduct,
control or completion of a business or operational activity. A corporate
record includes sufficient content, context and structure to provide
evidence of a business or operational activity. Corporate records are used
to commit the resources of an organization, give direction or declare the
position or opinion of an organization on any business subject or issue.
Examples of corporate records would include:
· Records used in decision-making;
· Developing or implementing a policy, directive, or procedure; or
· Carrying out government activities.
If you would agree to the above then there would be no real requirement to
keep transitory records for any longer than personal requirements. I would
suggest that "Corporate documents" should be retained locally for at least a
min of two years then further archived (central headquarters or archive
dept) for at least 5 to ten years.
With regard to "Corporate Record" I would suggest that retention alone is
not sufficient. The "Corporate Record" should if in digital/electronic
format, be digitally signed using an approved method. My environment uses
the PKI/Entrust technologies to meet the mandate of digitally signing all
corporate documents.
David Levenick
Information Systems Security Officer
levenick@sympatico.ca
From: "Handy, Mark (IT)" <Mark.Handy@morganstanley.com>
Date: 2004/11/12 Fri PM 01:03:14 EST
To: <Robert.Mezzone@PJSolomon.Com>,
<security-management@securityfocus.com>
Subject: Re: Email Retention Policy
David Levenick
This e-mail and its attachments are intended only for the use of the
addressee(s) and may contain privileged, confidential or proprietary
information. If you are not the intended recipient, or the employee or agent
responsible for delivering the message to the intended recipient, you are
hereby notified that any dissemination, distribution, displaying, copying,
or use of this information is strictly prohibited. If you have received this
communication in error, please inform the sender immediately and delete and
destroy any record of this message. Thank you.
