Data retention policies and procedures for SMBs


Kevin Beaver
06.22.2009

Many storage managers see data retention as a "big company" problem, something that goes hand-in-hand with e-discovery and data compliance. The reality is that SMBs are affected and governed by data retention laws and regulations as much as larger enterprises. But the execution of data retention is often lacking in SMBs. Based on what I see in my work and what I hear storage managers saying, SMBs have about as much control over data retention as they do over security and privacy compliance. Because of budget constraints or management oversight, data retention is the ideal situation that many organizations aspire to have in place, but often lack.

Part of the problem is that there's so much ambiguity with regard to data retention. It's one thing for large enterprises to have in-house legal counsel and dedicated compliance managers. However, most people don't have that luxury in the SMB environment. Storage managers don't know where to start, and their lawyers are often not very helpful because they're not aware of the latest data retention requirements. If you've fallen into this legal and regulatory black hole, you're not alone. To keep your business out of potential hot water and stay on the good side of your regulators and auditors, here are some key data retention principles you do not want to overlook:

  • Know what data you have and where it's located on your network, standalone systems and storage devices. This is where most organizations fall short. Business managers and even storage administrators often have no clue as to how much intellectual property and sensitive customer information they have stored in every nook and cranny of their networks. There are tools that can help with this from vendors such as Kazeon Systems Inc. and StoredIQ. However, if you don't need the all-out e-discovery benefits of those tools, you can use data search tools. For finding personal data, use Identity Finder, and for finding intellectual property, use FileLocator Remote.
  • Work with your lawyer to determine what's required for your type of business and for the type of data you store. It may be safe to assume that anything electronic, such as emails, instant messages, documents, spreadsheets, etc., is a business record. However, the variables depend on the industry, type of organization, type of data and any applicable regulations you're up against.
  • Document your data retention policy and make sure everyone, from managers to janitors, knows about it. A good policy will outline exactly what's done and what's expected. Here's a proven security policy template you can use to get rolling.

  • Be careful of what you delete and when you delete it. Also, be careful of what you save and how long you save it. Taking a "delete everything" stance can be risky and may make it difficult to prove you're not trying to cover something up if you get an electronic discovery request. On the other hand, a "save everything" stance may not be healthy either. Not all data is equal. Saving everything can certainly help ensure that you've covered all your bases, but it can open up your organization to discovery risks, and perhaps worst of all, massive expenditures storing and administering everything long term.
  • Ensure that the business is not simply relying on its employees to enforce your data retention policy. Employees and network users are not reliable for ensuring that policies are enforced. Put the right processes and technical controls in place with your backup systems and storage management applications to make this as transparent as possible. This will vary based on your environment, but this is where you put your data retention policy into action. For example, you could set retention schedules for your tapes within your backup software, or even create a file purging script to dump emails, files, etc. after a certain time period. Even with the right awareness, processes and controls in place, certain data will get deleted prematurely or hang around too long. This is part of the retention nightmare for SMBs, and something that can be molded and fine-tuned over time. After six months or so, perform an audit to see how things are working, what's being overlooked, what's being left out, and continually revisit this on an annual basis.
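
A minimal sketch of the file purging control described in the last item, added here as an example and not taken from the article or any product it names. It plans deletions from a retention schedule, exempts folders carrying a legal-hold marker, reports files no rule covers, and deletes only when the dry run is switched off. The folder names, retention periods, `.legal_hold` marker file and the use of modification time as a file's age are all assumptions.

```python
import time
from pathlib import Path

# Assumed schedule (days) keyed by top-level folder; real periods come from counsel.
RETENTION_DAYS = {"email_archive": 3 * 365, "scratch": 90}
HOLD_MARKER = ".legal_hold"  # hypothetical marker file: folder is under legal hold


def under_hold(path, root):
    """True if any folder between the file and root contains the hold marker."""
    folder = path.parent
    while True:
        if (folder / HOLD_MARKER).exists():
            return True
        if folder == root:
            return False
        folder = folder.parent


def plan_purge(root, now=None, schedule=RETENTION_DAYS):
    """Classify files as expired, held or unclassified. Deletes nothing."""
    root, now = Path(root), now or time.time()
    expired, held, unclassified = [], [], []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file() or path.name == HOLD_MARKER:
            continue
        parts = path.relative_to(root).parts
        category = parts[0] if len(parts) > 1 else None
        if category not in schedule:
            unclassified.append(path)  # no rule: report it, never guess
        elif (now - path.stat().st_mtime) / 86400 > schedule[category]:
            # Age is judged by mtime here, which is an assumption of this sketch.
            (held if under_hold(path, root) else expired).append(path)
    return expired, held, unclassified


def apply_purge(expired, audit_log, dry_run=True):
    """Log every decision; delete only when dry_run is explicitly False."""
    deleted = 0
    with open(audit_log, "a", encoding="utf-8") as log:
        for path in expired:
            if not dry_run:
                path.unlink()
                deleted += 1
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
            log.write(f"{stamp} {'WOULD_DELETE' if dry_run else 'DELETED'} {path}\n")
    return deleted
```

The audit log and the unclassified list are the inputs for the six-month review: the first shows what was removed and when, the second shows what the schedule overlooks.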

Keep in mind, just because you retain business data doesn't mean it's going to be easily accessible or even accessible at all. You might have to meet the demands of a discovery request or a business partner's auditor pretty quickly. A solid set of procedures and technical controls, including testing the integrity of your backups, can help with those demands. Furthermore, if your live or retained data is encrypted, you will need access to the passphrases and/or encryption keys so they can be considered as well. You could easily find yourself in a data breach situation that state laws cover. If you can't access the encrypted data or otherwise prove it was encrypted, your business could be in a world of hurt. When it comes to data retention, it's not just compliance that matters. Data retention also deals with other issues related to HR, business partners, lawsuits and so forth. This is a highly complex area -- even for SMBs. If there's ever been a situation where SMBs need to operate like large enterprises, it's with data retention. It will behoove you and your business to learn more about this subject and what is required of you. If your attorney doesn't know the ins and outs of data retention, find another one who does.

About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.

