Presentation to the Dayton Chapter of the Information System Security Association
Developing a Data Retention Policy
“Yep, son, we have met the enemy and he is us.”
- Pogo, 1971
Presented by:
Bill Lisse, CISSP, CISA, CGEIT, CHFI, GPCI, GHSC, CSSA
Technology & Risk Services Manager
Required Disclaimers
• Legal – The presenter is not an attorney and the views expressed in this presentation are based on generally accepted practices; this presentation should not be construed as legal advice.
• Circular 230 - Under IRS Circular 230, we are required to advise you that, unless otherwise expressly indicated, any tax advice contained in this communication, including attachments, is not intended or written to be used and cannot be used, for the purpose of (1) avoiding penalties that may be imposed under Internal Revenue Code, or (2) promoting, marketing or recommending to another party any tax related matters addressed herein.
On December 1, 2006 the Federal Rules of Civil Procedure (FRCP) were approved in an effort to modernize and clarify discovery rules as they relate to electronically stored information (ESI).
• Criminal Penalties
• Civil Penalties
• Compliance Fines
Securing, gathering, searching, and distributing electronic data for evidence for a civil or criminal case is known as electronic discovery, or eDiscovery.
Why should business leaders care?
Compliance Example
• While the focus of the Sarbanes-Oxley Act was on public companies, §802 addresses the retention and destruction of records.
• Private companies are also expected to comply with SOX §802 when there is a “government interest” and can face fines plus up to twenty years imprisonment for knowing destruction, alteration or falsification of records with the intent to impede or influence a federal investigation.
Purpose of Retention/Destruction
Retention
• Legal compliance
• Litigation preparedness
• Company’s reputation
• Business needs
Destruction
• Reduce operational cost
• Asset protection
• Privacy
Preparation is Critical
- Step #1: Digital Data Mapping
- Step #2: Risk Assessment
- Step #3: Implement Digital Data Management Policies and System Control Procedures
- Step #4: Litigation Hold Procedures
- Step #5: Compliance Monitoring
• Where is ESI stored and processed?
• Data Flow Diagram (DFD)
• Entity Relationship Diagrams (ERD)
• Upper-CASE Tools (Visio, Visible Analyst, etc.)
• ICOR Definition (IDEF-0): Inputs, Constraints, Outputs, Resources
• Process Maps
• Flow Charts
Digital Data Mapping (diagram): business units (HR, Production, Accounting, Sales) mapped to their data stores (Network Attached Storage, Storage Area Network, Near Line Storage, Data Warehouse, Operational Application and Web Services and Storage), with Analytics and Reporting Services, Content Management and Backup drawn as consumers of those stores.
Identify and document the method, location, and native file format of information created within the organization.
Risk Assessment
• Forming the Team
• Types of Data
• Retention Periods
• Cost of Retention
Interdisciplinary Team Approach
• The Team provides an enterprise understanding of data retention through:
• Comprehensive understanding of corporate policy and procedures related to regulatory compliance.
• Elimination of fragmented responses to inquiries and discovery requests.
• Optimized response to litigation discovery.
It’s not just about information systems
• SEC Rule 17a-4 Electronic Storage of Broker Dealer Records
• Gramm-Leach-Bliley Act (GLBA) - Financial Services Modernization Act - 1999
• Sarbanes-Oxley Act of 2002
• FDA 21 CFR Part 11
• DOD 5015.2 Department of Defense
• Health Insurance Portability and Accountability Act (HIPAA)
• Fair Labor Standards Act
• Occupational Safety and Health Administration (OSHA) Act
• Internal Revenue Service (IRS) Reform Act
• Food and Drug Administration
• Health and Human Services
Retention Rules
20,000+ statutes and regulations require retention
Retention Periods
• Don't assume that the retention requirement for all business-related information is the commonly quoted "7 years."
• There are a lot of variables depending on the industry, type of organization and type of information.
Retention Periods vary based on the specific statute or regulation
Cost of Retention
• Cost/Benefit Analysis
• Costs of making data accessible for discovery
• The organization is not obligated to retain all information created or received, unless a business or legal obligation exists for an organization to maintain information.
• Retaining information beyond these reasons could pose liability for the organization.
Implementing the policy covers:
• Establishing the Data and Information Retention Policy
• Preservation and Retention
• Retention Policy
• Preservation and Retention Duty
• Compliance
• Litigation
• Creating Your Policy – This is not an IT Problem
• Document Destruction
• Retention Policy and The Litigation Hold
• Information Security
Implement Digital Data Management Policies and System Control Procedures
• Specifically delineate the organization’s electronic records maintenance, storage, and destruction schedules.
• Determine how the organization would define “good faith operation” of its information systems, if required.
• FRCP Rules 37 and 37(f) provide for sanctions and safe harbors, while FRCP 26 provides for provisions to balance the proportionality of e-discovery requests for information.
• E-mail and instant messaging are business records -- a common oversight, especially in smaller organizations that still have to comply.
• Consider MS Outlook .pst files
• Don't assume that limiting share space, size of user mailboxes, etc. will enforce retention or avoid any problems that may crop up related to it. Users will almost always adapt and find ways around your controls.
• Don't make the mistake of leaving current retention procedures (such as tape or disk backup rotations) running, rather than suspending them, in the event of a pending investigation, audit or other litigation. This can lead to unwanted charges of destruction of evidence.
• Don't take a "delete everything" stance -- it's too risky and it's hard to prove you're not trying to cover something up.
• Don't take a "save everything" stance -- it can open up your organization to discovery risks and massive costs for storing and administering data.
• Don't assume access to archived data means you will be able to restore it within a reasonable amount of time.
• Don’t use boilerplate templates; tailor the policy to the organization’s needs.
• Involve lawyers to review, not to create, your policy.
Recommended sections of the data retention policy should include:
1. Purpose of the policy
2. Who is affected by the policy
3. What type of data and electronic systems are covered
4. Identify roles and responsibilities (by position name)
5. Describe the requirements in detail - legal, compliance and business
• Outline the procedures for ensuring data is properly retained
• Outline the procedures for data disposal/destruction
• Clearly document the legal hold procedures and how to respond to discovery requests
• Build a matrix correlating data type and corresponding retention period
• Identify audit requirements and policy enforcement
• Appendices - references and glossary
Litigation Hold Procedures
• Identify all individuals responsible for receipt and processing of subpoenas (e.g., risk management departments).
• Document the organization’s current process to identify and communicate threatened or pending litigation.
• Document how information is preserved during pending litigation.
Considerations:
• Who is responsible for establishing a legal hold
• How data and systems will be secured and for how long
• Who must be notified
• The cost and burden to preserve the data
• Under what circumstances the legal hold will be lifted
• How the organization expects to respond to the e-discovery request (through an external e-discovery litigation software vendor or through internal IT systems)
• Determine how large amounts of electronic data will be accessed, manipulated, and produced in response to an e-discovery request.
Litigation Hold Procedures (continued)
• Establish internal audits or controls to measure compliance with the organization’s storage, retention, and destruction policies.
• A records management storage, retention, and destruction policy that is not followed is not only useless, it is a potential liability.
• Don't assume that just because your retention policy says that everything is destroyed after a certain period of time that it actually is – Verify!
Compliance Monitoring (diagram): a Retention Engine applies Retention Rules from a Retention Source across the data stores (Relational Data, Archive Tapes, Messaging, Paper Copy, Content Management, Other), drives the Data Disposal processes (Content Management Disposal Process, Paper Disposal Process) and feeds a Retention Audit with Rules Engine Audit and Reporting and Messaging.
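As an added example that is not part of the presentation, the retention engine in the diagram above as a small Python program: a constructed retention matrix keyed by data type, a legal hold that overrides any disposal decision, and a retention audit that flags records still present past their disposal date (the "Verify!" point above). The data types, periods, custodians and matter id are all constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention matrix (data type -> days); real periods come from the statute review.
RETENTION_MATRIX = {"email": 3 * 365, "financial_record": 7 * 365, "hr_record": 5 * 365}

@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str
    created: date
    custodian: str

@dataclass(frozen=True)
class LegalHold:
    matter: str
    custodians: frozenset  # custodians whose records must be preserved
    data_types: frozenset  # covered data types; empty means every type

def disposition(rec, holds, today):
    """Return (action, detail). A legal hold beats every retention rule."""
    for hold in holds:
        if rec.custodian in hold.custodians and (not hold.data_types or rec.data_type in hold.data_types):
            return ("hold", hold.matter)
    if rec.data_type not in RETENTION_MATRIX:
        return ("review", "no retention rule")  # a gap in the data map, not a disposal
    expiry = rec.created + timedelta(days=RETENTION_MATRIX[rec.data_type])
    if today < expiry:
        return ("retain", (expiry - today).days)
    return ("dispose", (today - expiry).days)

def retention_audit(records, holds, today, grace_days=30):
    """Flag records still present long after their disposal date: the schedule is not being run."""
    findings = []
    for rec in records:
        action, detail = disposition(rec, holds, today)
        if action == "dispose" and detail > grace_days:
            findings.append((rec.record_id, rec.data_type, detail))
    return findings

# Constructed sample inventory, hold and audit date.
TODAY = date(2010, 1, 15)
HOLDS = [LegalHold("MATTER-2009-001", frozenset({"bob"}), frozenset())]
RECORDS = [
    Record("R1", "email", date(2006, 1, 1), "alice"),           # past retention, no hold
    Record("R2", "financial_record", date(2005, 3, 1), "bob"),  # past retention, but on hold
    Record("R3", "hr_record", date(2008, 6, 1), "carol"),       # still within retention
    Record("R4", "chat_log", date(2004, 1, 1), "alice"),        # no rule: data-mapping gap
]
```

Running `retention_audit(RECORDS, HOLDS, TODAY)` returns only R1, because R2 is protected by the hold and R4 is reported for review rather than disposal.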
1. Rule 26(a) says that companies must be prepared to disclose all relevant electronic data under their control including email, instant messages, sound recordings, proprietary databases, etc.
2. Rule 26(f) says companies must know where and how all ESI is stored in their systems, and the potential recovery costs, timeframes, and alternatives.
3. Rule 37(f) provides "safe-harbor" for those companies who are unable to provide discoverable ESI based on "good faith" application of standard business and IT processes.
Data Retention - Key Points
Prescription (Best practices)
1. You really do need a data retention policy
2. You need to create, and be able to demonstrate, that you've got a secure storage environment for your ESI
3. ESI needs to be searchable and retrievable in a timely manner
Conclusion
• A data retention policy is necessary for meeting legal, compliance, and operational business requirements
• Data retention should be balanced based on an understanding of the requirements and the operational business requirements
• While a data retention policy may not reduce the probability of litigation, it does:
• significantly reduce the probability of sanctions for non-compliance
• provide support for defending the unavailability of certain data
• reduce the cost of responding to e-discovery requests
Bill Lisse, Technology & Risk Services Manager
Phone: (937) 853-1490
Email: wlisse@battellecpas.com