1 INSIDE archiving Planning, policies and product selection Defining an CHAPTER 2 -archiving 03 What is the purpose of an -archiving policy? 04 What qualifies as acceptable use? Implement and enforce how users manage and retain their electronic messages with a comprehensive policy on archiving policy 07 management 09
2 chapter 2 Defining an -archiving policy Qby Kathryn Hilton uestionable deletions continue to grab headlines as well as the attention of courts and litigators. Because of the uncertainty that still surrounds the use of , it s absolutely necessary in today s business environment to define, implement and enforce an archiving policy. Forty-three percent of corporations have an retention policy in place, but only 12% use an archiving tool to manage retention and policy compliance, according to Osterman Research Inc., a market research firm based in Black Diamond, Wash. Many businesses still operate under the misconception that backing up their data constitutes an archive. Many also rely on the risky assumption that users correctly manage and save their own business records. Without set policies and procedures for archiving , businesses face risks and penalties that can be severe. Defining and archiving business records is one of the most important policy concerns for any company that is subject to regulatory compliance requirements and e-discovery.
3 The vast majority of information created today is sent and received in electronic format. The estimated number of non-spam messages sent worldwide on a daily basis is 25 billion, according to Ferris Research, a San Francisco-based research firm that specializes in messaging and collaborative technologies. The typical number of messages sent and received by the average business user is 600 per week, said Ferris Research. An -archiving policy can help control and manage the unending flow of information by addressing regulatory compliance, litigation readiness, productivity issues as well as general business needs. As mentioned in Chapter 1, developing an -archiving policy and a successful archiving project require a steering committee to represent all the interests of a company. The -archiving policy should be a component of an overall records management program with its own record-retention policies and procedures that dictate which s and attachments to save, how long to save them and when to delete them. In addition, an -archiving policy should reference and reinforce other corporate policies such as IT policies on acceptable use and security, HR policies relating to code of conduct, and legal policies and procedures regarding litigation hold or e-discovery. When evaluating the scope of an -archiving policy, companies should consider all users who create, send or receive messages and attachments in all regions of the world where the company does business. The policy should also include other personnel, such as contractors and consultants. It should also address transactional information, such as headers, summaries and addresses. Companies should establish policies and procedures for users that contain guidelines covering acceptable and unacceptable use of , data privacy, management, and penalties for noncompliance. sthe -archiving policy should be a component of an overall records management program with its own record-retention policies and procedures.
4 All companies should have an official IT acceptable-use policy to provide guidelines for the usage of computer equipment, network resources, applications, Internet systems and . The archiving policy should refer to the acceptableuse policy and expand upon the areas specifically related to use. Defining the terms of acceptable use offers guidelines and requirements for personal use, security concerns and confidential information: Personal Use Remind users to exercise good judgment for reasonable personal use of . Incidental or occasional personal use of for non-business purposes is generally acceptable. Users should know, however, that personal information -- such as personal financial transactions -- could be inadvertently captured in the archive. Users must understand the implications of this when using for personal purposes. Users must also be advised about business communications that are sent over personal . A 2006 survey by Osterman Research found that more than 16% of employees regularly communicate about business issues using their personal accounts. Outside of a complete ban on personal , an acceptable-use policy must encourage users to carbon-copy to their corporate account any personal containing business information. Security Concerns Caution users about security issues. Attachments, for example, may contain viruses or other potentially malicious programs. Confidential Information Provide rules for sending confidential information using tools such as encryption software. The unacceptable-use policy should give users guidelines and re-
5 quirements prohibiting the following uses of Sending unsolicited junk mail, advertising or mass mailings Using for any form of harassment, including those that contain any indecent or obscene materials Creating or forwarding chain letters or other pyramid schemes Sending with inappropriate content, including content that is discriminatory, defamatory or threatening. Discriminatory content includes references to sex, race, age, disability or religious beliefs PST Files The acceptable-use policy should also state whether users can create PST files to store messages. Some -archiving products impose quota restrictions to limit mailbox size. These restrictions often force users to create offline PST files to manage and reduce their mailbox size. On the other hand, allowing PST files could create difficulties for e-discovery search-and-collection efforts and may ultimately increase e-discovery costs if the official archive does not include all . Data Privacy Companies must monitor the data-privacy laws within all countries in which they conduct business. Employers have wide-ranging latitude to monitor and access employee that is sent or received with or without employee knowledge or consent. The -archiving policy should clearly tell employees that: They should not expect privacy when using company resources for . Any business record, including , may be subject to discovery proceedings and legal actions. Deleted usually can be recovered and then used in a legal action. Any business record, including , may be subject to discovery proceedings and legal actions. sallowing PST files could create difficulties for e- discovery searchand-collection efforts and may ultimately increase e-discovery costs if the official archive does not include all .
6 All content and no discovery? Lost in a maze of unmanageable content? Find your way out with Enterprise Vault. It s a flexible archiving framework that enables the discovery of content within , file system and collaborative environments. Reduce costs. Simplify management. Put your discovery fears behind you at BE FEARLESS. Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo and Enterprise Vault are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.
7 Companies should decide how to implement and enforce management. The -archiving policy must clearly state how and where records will be managed, protected and retained according to the corporate retention policy and schedule. The options generally include automated -archiving systems, manual procedures or some mix of manual and electronic systems and processes. Each option has its advantages and disadvantages. Understanding a company s corporate culture helps determine the correct options as well as the necessary amount of supervision and support. For manual procedures, include step-by-step -retention instructions for users. These instructions cover organizing, storing, maintaining, accessing and deleting . Include user training to ensure policy enforcement. Companies must remember, however, that even with education and training, relying on users to Relying on users to properly identify, manage and retain their own can drain corporate productivity. properly identify, manage and retain their own can drain corporate productivity. If users do not follow directions, the company can face considerable legal risk. Because of this risk factor, more and more companies are adopting automated products for a consistent, documented and enforceable means of managing . For an automated -archiving solution, provide an overview of the hardware and software environment, the location of the servers, the determination of whether or not a journaling or batch process is being used, and the backup or data-recovery processes that are in place for the archive. The -archiving tool can define record-retention periods for . The amount of flex-
8 ibility and number of options vary by vendor and product. The tool should document how it assigns retention periods, such as by department, key words or individual names. Available features and options can include: Automatically classifying and archiving based on content and metadata Implementing retention policies based on attachment, message, folder, age, size and keyword Avoiding the archiving of junk mail or irrelevant content Warning users about flagged items of concern Applying transparent end-user management by company, department or user An -archiving policy should explain how it handles exceptions to retention settings. For example, a user may receive an that should be retained for a long time a legal contract, for example. An -archiving policy must provide instructions on how to handle information so it is not automatically deleted during or after the standard retention period. Exceptions can be handled by electronic or manual processes. that qualifies as an exception can be electronically moved or saved in a folder on a shared server as long as the data on the server is managed according to a corporate record-retention schedule. Users may also print out s and file the paper copies. Enabling granular retention Logically combining criteria to include or exclude information Applying different retention standards for different users or folders An -archiving policy must provide instructions on how to handle information so it is not automatically deleted during or after the standard retention period.
9 To ensure compliance, provide managers and users with training and support. Users should understand what a business record is and how to use the -archiving tool to manage and access their records. Create an -archiving policy that defines the roles and of users, managers, IT staff, records management staff and the legal department in managing and enforcing the policy: Employees Distribute a copy of the policy for all employees, including contractors and consultants, to read and sign. Include an acknowledgement stating that they understand the policy and agree to comply with it. Managers Managers must ensure that they and their employees manage records in accordance with the policy. IT staff The IT department supports the -archiving tool. The IT department also sets the retention and disposition periods within the archiving tool to ensure policy compliance. Records management staff The records management staff gives and collects input on changes to the policy. The records management staff also enforces compliance and usually conducts employee and manager training as well. Legal department staff The legal department staff reviews and updates the -archiving policy.
10 Users must know that violating either legal or company policies can lead to penalties. Companies, in turn, should create an internal audit process to document and enforce compliance. Auditing Make compliance mandatory for all users and include compliance in an internal audit review. Violations and penalties Let users know that abusing policies can lead to corrective actions, including termination of employment. Review the -archiving policy annually to ensure compliance with new regulations or changes to any old regulations. Establish a procedure for documenting the changes to the -archiving policy. Include references to other related policies that require updating based on changes to the -archiving policy. Review the -archiving policy annually to ensure compliance with new regulations or changes to any old regulations. Ideally, a review committee evaluates changes and signs off on all approvals. The review committee should include representatives from the legal department, the human resources department, the records management department and the IT department. Provide an appendix that defines all relevant terms in the policy document. Definitions should include business records, retention periods, transitory records and convenience copies. is an essential business communication tool. A clear, easily understandable policy will help all employees use appropriately. Defining and archiving business records should be one of the most important policy concerns for any company that is subject to regulatory compliance requirements and e-discovery. Successful retention and archiving of has now become a differentiator in both the courtroom and the boardroom. 10
11 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and Enterprise Vault are registered trademarks of Symantec Corporation. 11
12 Additional resources from Symantec Learn more about Symantec Enterprise Vault Symantec Enterprise Vault 7.0 provides a software-based intelligent archiving platform that stores, manages and enables discovery of corporate data from systems, file server environments, instant messaging platforms and content management and collaboration systems. For a variety of white papers, case studies, testimonials and more, click here. About the author Kathryn Hilton has worked in technology for more than 20 years as an industry analyst for Gartner Group and for several large storage companies. Hilton received a bachelor of arts degree in business economics from the University of California, Santa Barbara, and a master s degree in business administration from the University of Colorado Leeds School of Business. She is currently a senior analyst for policy at Contoural Inc., a provider of business and technology consulting services that focuses on litigation readiness, compliance, information and records management, and data storage strategy. 12
Records Management Best Practices Guide A Practical Approach to Building a Comprehensive and Compliant Records Management Program Protecting and Managing the World s Information. Since 1951, Iron Mountain
Bringing Your Acceptable Use Policy Up to 2013 Standards Bringing Your Acceptable Use Policy Up to 2013 Standards Organizations of all sizes rely on their employees to be good stewards of company time,
White Paper May 2006 Applying Electronic Records Management in the Document Management Environment: An Integrated Approach Written by: Bud Porter-Roth Porter-Roth Associates Table of Contents Introduction
Managing Information for E-discovery Readiness A Docula bs Wh i te Pa pe r 2009 Doculabs, 200 West Monroe Street, Suite 2050, Chicago, IL 60606 (312) 433-7793 firstname.lastname@example.org. Reproduction in whole or
2-07-2007 1 Storage of E-mail Messages Using Microsoft Outlook Electronic mail (e-mail), created or maintained by public agencies, meets the statutory definition of a public record in Kentucky (see KRS
The Impact of Electronically Stored Information on Corporate Legal and Compliance Management White paper The impact of electronically stored information on corporate legal and compliance management: An
Electronic Discovery Without Borders Your Passport to Managing Multilanguage ESI Electronic Discovery Without Borders Your Passport to Managing Multilanguage ESI Written by Paul Brabant, Esq & Hope Haslam,
REED COLLEGE ediscovery GUIDELINES FOR PRESERVATION AND PRODUCTION OF ELECTRONIC RECORDS TABLE OF CONTENTS A. INTRODUCTION... 1 B. THE LANDSCAPE OF ELECTRONIC RECORDS SYSTEMS... 1 1. Email Infrastructure...
New York State Office of the State Comptroller Division of Local Government and School Accountability LOCAL GOVERNMENT MANAGEMENT GUIDE Information Technology Governance Thomas P. DiNapoli State Comptroller
Electronic Records Handbook Table of contents Key points to consider 3 Introduction 5 Selecting an appropriate system 7 Regulation of electronic records (erecords) 10 Patient consent and rights to access
HIPAA Security Risk Analysis Toolkit In January of 2013, the Department of Health and Human Services Office for Civil Rights (OCR) released a final rule implementing a wide range of HIPAA privacy and security
Request for Proposal (RFP) for an Applicant Tracking Solution City of Durham October 2013 Table of Contents General Information 10. Date of RFP. 20. Project Manager and Contact with City; Questions about
Best Practices for Cloud-Based Information Governance Autonomy White Paper Index Introduction 1 Evaluating Cloud Deployment 1 Public versus Private Clouds 2 Better Management of Resources 2 Overall Cloud
Standards for Internal Control in New York State Government October 2007 Thomas P. DiNapoli State Comptroller A MESSAGE FROM STATE COMPTROLLER THOMAS P. DINAPOLI My Fellow Public Servants: For over twenty
A PLACE FOR ALL: A GUIDE TO CREATING AN INCLUSIVE WORKPLACE December 2006 www.chrc-ccdp.ca 1 How to reach the Canadian Human Rights Commission If you need more information about the duty to accommodate
for the Stakeholder Engagement Initiative: December 10, 2009 Contact Point Christine Campigotto Private Sector Office Policy 202-612-1623 Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department
WHITE PAPER: EDISCOVERY AND LITIGATION READINESS Becoming Litigation Ready Through Proactive Information Governance OCTOBER 2008 Peter Pepiton II CA INFORMATION GOVERNANCE SOLUTIONS Table of Contents Executive
Mobile Device Security Information for IT Managers July 2012 Disclaimer: This paper is intended as a general guide only. To the extent permitted by law, the Australian Government makes no representations
Internet & Cell Phone Usage Policy The Internet usage Policy applies to all Internet & Cell phone users (individuals working for the company, including permanent full-time and part-time employees, contract
Information Technology Policies and Procedures Wakulla County School District March 2014 Table of contents TABLE OF CONTENTS... 1 1.0 OVERVIEW... 2 2.0 PURPOSE... 2 3.0 SCOPE... 2 4.0 ACCEPTABLE USE POLICY...
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
Acceptable Use Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is
Symantec Enterprise Vault for Microsoft Exchange Server Store, manage, and discover critical business information Data Sheet: Archiving Trusted and proven email archiving performance and users can enjoy
The Growing Importance of E-Discovery on Your Business! An Osterman Research White Paper Published June 2008 SPONSORED BY!! Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington 98010-1058 Phone:
Symantec Enterprise Vault for Microsoft Exchange Store, manage, and discover critical business information Data Sheet: Archiving Trusted and proven email archiving Symantec Enterprise Vault, the industry
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite