Four Tips for Crafting a Document Retention Policy

CIOs share strategies for creating a document retention policy

By
Fri, May 23, 2008

CIO — The 2002 Sarbanes-Oxley regulations served as a wake-up call for CIOs to formalize document retention policies to meet compliance requirements. But regulatory demands—and the number of documents produced daily—continue to grow. So a solid document management process is a necessity. CIOs struggle with creating the policies, getting buy-in from the end users and managing the technology. Members of the CIO Executive Council, who meet regularly to discuss compliance approaches, share techniques that have made document retention policies work for them.

Get the Policy Right

The first step is making sure that the right items are covered in your document management policies. For this, CIOs can rely on business peers, outside counsel and special regulatory tool kits.

Tips for Crafting A Policy That Works

Offered by Ron Bonig of George Washington University, and Rajiv Jain of American Greetings Interactive

  • Properly define "document" to include information of all types—electronic or paper, historical or transient business record.
  • Clearly state who and what function is the relevant retention authority for the most widely used categories of documents.
  • Indicate the specific duration of retaining different types of documents.
  • Identify specific staff or functions that have appropriate read, write and edit access.
  • Clearly state the reasons that retention is necessary (e.g. Sarbanes-Oxley rules, HIPAA regulations). As those requirements change, the rationale for retention should be reviewed, and any changes to the retention period should be made.
  • State that if a file or folder contains multiple types of documents necessary for a coherent record, then the whole file or folder must be retained for the duration of the longest-held item.
  • Except when absolutely necessary, do not allow (or at least strongly discourage) the mixing of digital documents in storage. If document A needs to be retained for five years and document B needs to be retained for 20 years, keep them separate. You will reduce the cost of long-term storage and will avoid legal risks inherent in a failure to follow retention policies.
  • Give individual divisions or offices the authority to set retention policies for their own operational documents if approved by or coordinated with the General Counsel or Compliance Office.

    -C.M.

    • "Initiating a high-level review of our document retention policies had to be a joint effort between myself and the general counsel. If we weren't both involved, I don't know how the effort could succeed," says George Washington University CIO Ron Bonig. For instance, GWU receives subpoenas and e-discovery requests around contracting and personnel questions. To ensure colleagues' participation and buy-in, Bonig stresses the fiscal importance of good policies and compliance. "The cost to the university in a federal lawsuit could be huge if we don't properly address retention," he says. "I put it in dollars, which really woke people up."

    Continue Reading

    White Papers »
    Identity Governance: The Business Imperatives
    This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make to help achieve project success.
    CA Technology Brief: CA Point of View: Content Aware Identity & Access Management
    This paper explores the concept of content-aware IAM, describes the integrated architecture for this new approach, and highlights the benefits that this approach provides.
    Aberdeen Analyst Insight: Does Your Enterprise Have a Dropbox Problem?
    Without policies, awareness and supported alternatives for sharing files securely, end-users will often overlook security and compliance in favor of getting the job done. Read this whitepaper to determine if your enterprise has a "Dropbox Problem" and ways successful organizations address this problem.
    Google: Security for Google Apps Messaging & Collaboration
    Content provided by Google

    Find out about how Google creates a security-based platform for Google Apps, covering topics like information security, physical security, and operational security.
    Architecting the Security of the Next-Generation Data Center
    This document is aimed at those looking at data center builds, upgrades, or consolidation. It provides an introduction to some of the new security challenges of such environments and provides recommendations for implementing security in next-generation data centers.
    Who Owns Security in the Data Center?
    This editorial brief addresses the disconnect between security and operations teams and the need for IT operations teams to address security and risk management.
    Webcasts »
    Gartner Next Generation Network IPS Webcast
    Learn how Gartner's criteria for next generation IPS helps organizations achieve effective threat prevention despite changes in network communications, new applications, and changes in the threat landscape.
    McAfee Continuous Compliance
    3 minute Flash video - overview of the need for and value of Configuration Control.
    Taming the Wild West: How to build a strong cloud security strategy
    Cloud deployments are playing a critical role in propelling innovation for many companies. At the same time security has become the #1 one of the top concerns for IT and business leaders as they migrate into the cloud. In this webinar, learn from Accenture discusses how to recast the cloud as a "fresh chance to rethink your approach to security."
    Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
    Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn about VMware customer, Navicure, and their experiences testing and evaluating the recovery manager, their progress in implementing it in their environment and their advice other customers considering using vCenter.
    Quantifying the Business Value of VMware View - Webcast
    Many enterprises have discovered that the use of virtualization to support desktop workloads creates a range of significant benefits. These benefits include price efficiencies, improved IT management and greater agility and choice for end users.

    This VMware sponsored webcast with IDC will provide both quantitative measurement of the business value -- defined as the expected ROI -- and qualitative analysis associated with the use of VMware View™. IDC will also provide an analysis of the View Composer and ThinApp™ features of VMware View, including the business value of these solutions and an overview of how they work.

    Attend this webcast to learn about:
    - Challenges and barriers that might impede the adoption of desktop virtualization
    - Navigating roadblocks to facilitate a strategic implementation
    - Optimizing qualitative and quantitative benefits to IT and your business
    Deliver Private Cloud Database as a Service with VMware vFabric Data Director
    VMware recently announced VMware vFabric™ Data Director, a new database deployment and operations platform that enables enterprise IT organizations to offer database as a private cloud service. Built on top of VMware vSphere 5, vFabric Data Director enables IT organizations to ontrol database sprawl through automation and consistent policy enforcement and accelerate application development cycles with self-service database management. Attend this webcast to learn how vFabric Data Director can help you build database-as-a-service in your datacenter.
    Newsletter Sign-Up »

    Receive the latest news test, reviews and trends on your favorite technology topics

    Choose a newsletter
    11. View all Newsletters | Privacy Policy
    White Papers » All White Papers

    Identity Governance: The Business Imperatives

    CA Technology Brief: CA Point of View: Content Aware Identity & Access Management

    Aberdeen Analyst Insight: Does Your Enterprise Have a Dropbox Problem?

    Google: Security for Google Apps Messaging & Collaboration

    Architecting the Security of the Next-Generation Data Center

    Who Owns Security in the Data Center?

    Virtual Patching with Network Security

    Gartner Next Generation Network IPS Research Note

    Top Ten Security Topics

    The New Reality of Stealth Crimeware (McAfee Labs)

    2012 Threat Predictions Report (McAfee Labs)

    McAfee Security Connected - Mitigates Risk, Maximizes Business Efficiency

    Think Your AntiVirus Software is Working? Think Again

    Reducing Local Admin Exposure Through Application Whitelisting

    Unruly USB Devices Expose Networks to Malware

    The CISOs Guide to Measuring IT Security

    Why Free Patch Management Tools Could Cost You More

    From the Frontline - Preventing APT

    Protecting Point of Sale Systems from Targeted Attack

    Stop Hackers Before They Attack
    Resource Center
    buy a link »
    Ads by TechWords