Data Retention and Destruction. By Thomas Kwok


Thomas Kwok, July 1, 2011

Contents

Executive Summary
Introduction
Background Information
    Definitions: Data Retention; Data Destruction
    Current Issues: Staples Business Depot; Testing on Used IT Equipment
C-Level Executives
Frameworks
    ISO 15489: Information and Documentation, Records Management (Background; Scope; Records to be Captured; Length of Retention; Physical Storage Medium and Protection; Access, Retrieval and Use)
    NIST Guidelines for Media Sanitization (Background; Scope; Description of Sanitization Techniques and Methods; Deciding on a Sanitization Technique and Method; On-Site or Off-Site Sanitization)
    ITSG-06: Clearing and Declassifying Electronic Data Storage Devices (Background; Scope; Data Sanitization Techniques)
Conclusion
Appendix A: Sanitization and Disposition Decision Flow
Bibliography
Annotated Bibliography

EXECUTIVE SUMMARY

The purpose of this paper is to provide guidance to C-level executives on data retention and destruction. It outlines the definitions of data retention and destruction, current issues, the relationship to C-level executives, and the relevant frameworks.

Data retention is the storing of data for a set amount of time, usually for business purposes or to meet legal requirements. Data destruction is the destroying of data so that it cannot be recovered, up to a certain degree of effort.

The current issues discussed are the audit of Staples Business Depot (Staples) and Kroll Ontrack's testing of used IT equipment. The Privacy Commissioner of Canada faulted Staples for retaining personal information longer than necessary and for failing to sanitize its leased photocopiers and the returned devices it resold. Kroll Ontrack's findings showed that organizations are unaware of proper sanitization techniques.

C-level executives should learn more about data retention and destruction in order to: comply with laws and regulations, including SOX-like standards; avoid over-retaining data in violation of laws and regulations such as the Personal Information Protection and Electronic Documents Act and the Payment Card Industry Data Security Standard; apply data sanitization techniques properly; maintain a good reputation with the public; and improve the efficiency of the organization.

ISO 15489 is a records management framework. For the purposes of this paper, it covers the records to be captured, the length of retention, the physical storage medium and its protection, and the access, retrieval and use of records. The NIST Guidelines for Media Sanitization is a framework for data destruction; it describes sanitization methods and techniques and the decision process for selecting a technique. ITSG-06 is another framework for data destruction; here it provides additional information on sanitization techniques.

Overall, C-level executives need to be more aware of data retention and destruction.

INTRODUCTION

The purpose of this paper is to inform C-level executives about data retention and destruction: its definitions, its current importance as shown through current issues, how it affects C-level executives, and the frameworks that can help organizations adopt appropriate data retention and destruction practices.

BACKGROUND INFORMATION

Definitions

Data Retention. Data retention is the storing of data for a set amount of time, usually for business purposes or to meet legal requirements.

Data Destruction. Data destruction is the destroying of data so that it cannot be recovered, up to a certain degree of effort. [1] For the purposes of this paper, data destruction is also referred to as data sanitization.

Current Issues

Staples Business Depot

On June 21, 2011, Canada's Privacy Commissioner, Jennifer Stoddart, released a detailed audit report on Staples Business Depot (Staples). The report found that Staples had kept some personal information from customer orders for longer than necessary. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), an organization should retain personal information only as long as needed for the purpose for which it was collected and should dispose of it shortly thereafter, unless it has the customer's consent to retain it. The report recommended that Staples limit the retention period of personal information on its online order forms to a period that allows customers to review and correct any issues with their order. Stoddart is quoted in the report as saying, "Although Staples says it will inform customers that online submissions will be stored for one year, it is our Office's view that this information is being retained longer than necessary." [2] The issue here is that Staples may have been violating the law by retaining information longer than it needed to. [3]

Furthermore, the audit report noted Staples' inability to verify the destruction of data on its leased photocopiers. Some of Staples' photocopiers contain hard drives that automatically retain an image of each customer's photocopy. When a leased photocopier reaches the end of its lease, it is returned to the supplier. Under the agreement between Staples and its supplier, the supplier is responsible for wiping the hard drives before disposing of, recycling or reusing the photocopier. The issue is that Staples did not verify that the supplier had actually wiped the drives. Staples therefore did not exercise due diligence over its customers' personal information when returning leased photocopiers. [4]

In addition, Staples sells many electronic devices with storage media. The audit report stated that Staples did not properly sanitize the storage media of products that customers had returned or exchanged before reselling them. Of the 149 devices tested, 54 still contained customer data, so the original customer's personal information was being passed on to the new customer on resale. This exemplifies Staples' lack of knowledge of proper data sanitization procedures and techniques. [5]

Testing on Used IT Equipment

Kroll Ontrack, a leading provider of information management, purchased a used laptop, a desktop and a server to test whether residual information could be found on the equipment. The server had been owned by a U.S. corporation with offices in Sydney and, according to the advertisement, had already been wiped. In total, 170 GB of recoverable information was found on the three devices. Kroll Ontrack determined that the server had been only partially wiped, and it was able to identify the previous owner, a large multinational financial services company. The issue in this case appears to be that the company reselling its server did not fully understand or apply proper data sanitization techniques. [6]

[1] "Data Destruction." Bitpipe.com. Web. 30 June. < Destruction.html>
[2] Roseman, Ellen. "Roseman: Why Is Staples Keeping Our Private Purchase Data?" Thestar.com. 22 June. Web. 30 June.
[3] "Audit Report of the Privacy Commissioner of Canada: Staples Business Depot." Office of the Privacy Commissioner of Canada. Web. 01 July. <pub/ar-vr/arvr_staples_2011_e.cfm>
[4] Ibid.
[5] Clark, Edward. "Staples Fails to Delete Data, Report Finds." Ontrack Data Recovery. 23 June. Web. 01 July.
[6] Kroll Ontrack. "Kroll Ontrack Encourages Caution for New Financial IT Deployments." CFO World. 21 June. Web. 01 July.
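The findings above come from a read-only examination of the media. The following is an added example, not the paper's text and not Kroll Ontrack's tooling, of the shape such an audit takes before a device is resold or after a sanitization job: it reads an image sector by sector, counts how much of it a completed overwrite would have left blank (all zeros or all ones), flags sectors that begin with common file signatures, and pulls out e-mail addresses and Luhn-valid card-number-length digit runs (reported masked) as indicators of residual personal data. Assumed and not from the page: the 4 KiB sector size, the short signature list, and the constructed image built in demo(); the figures in the Staples and Kroll Ontrack reports were produced with other tools.

```python
"""Residual-data audit of a disk image or raw storage device.

Added example; not the paper's text and not Kroll Ontrack's tooling.
Assumed: the image is readable as a regular file or block device, 4 KiB is
a sensible sector size, and the signature list below is illustrative only.
"""
import os
import re
import tempfile

SECTOR = 4096  # assumed sector size

# Magic bytes at the start of a sector; a short, illustrative list.
SIGNATURES = (
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip/office document"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"SQLite format 3\x00", "sqlite database"),
)
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DIGIT_RUN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")  # card-number-length digit runs


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_sector(data: bytes) -> str:
    """All-zero and all-one sectors are what a completed overwrite leaves
    behind; anything else is residual data worth a closer look."""
    if data.count(0) == len(data):
        return "zeroed"
    if data.count(0xFF) == len(data):
        return "ones"
    return "data"


def audit_image(path: str, sector: int = SECTOR) -> dict:
    """Read the image once, sector by sector, and summarise what is left on it."""
    counts = {"zeroed": 0, "ones": 0, "data": 0}
    signatures, emails, masked_pans = [], set(), set()
    with open(path, "rb") as img:
        offset = 0
        for chunk in iter(lambda: img.read(sector), b""):
            kind = classify_sector(chunk)
            counts[kind] += 1
            if kind == "data":
                for magic, name in SIGNATURES:
                    if chunk.startswith(magic):
                        signatures.append((offset, name))
                emails.update(m.group().decode("ascii") for m in EMAIL_RE.finditer(chunk))
                for m in DIGIT_RUN_RE.finditer(chunk):
                    num = m.group().decode("ascii")
                    if luhn_valid(num):
                        # Report masked: first six and last four digits only.
                        masked_pans.add(num[:6] + "*" * (len(num) - 10) + num[-4:])
            offset += len(chunk)
    total = sum(counts.values())
    blank = counts["zeroed"] + counts["ones"]
    if total == 0:
        verdict = "empty image"
    elif counts["data"] == 0:
        verdict = "no residual data found"
    elif blank == 0:
        verdict = "not wiped"
    else:
        verdict = "partially wiped"
    return {
        "sectors": total,
        "blank_sectors": blank,
        "residual_bytes": counts["data"] * sector,  # upper bound, in whole sectors
        "file_signatures": signatures,
        "emails": sorted(emails),
        "card_numbers_masked": sorted(masked_pans),
        "verdict": verdict,
    }


def demo() -> dict:
    """Constructed image: a zeroed region, one sector of all ones, then two
    sectors of leftovers, the way a half-finished wipe looks."""
    leftovers_pdf = b"%PDF-1.4 invoice for jane.doe@example.com card 4111111111111111 "
    leftovers_jpg = b"\xff\xd8\xff\xe0" + b"\x13" * 100
    sectors = [
        b"\x00" * SECTOR,
        b"\x00" * SECTOR,
        b"\xff" * SECTOR,
        leftovers_pdf.ljust(SECTOR, b"\x00"),
        leftovers_jpg.ljust(SECTOR, b"\x00"),
        b"\x00" * SECTOR,
    ]
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"".join(sectors))
        path = f.name
    try:
        return audit_image(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A verdict of "partially wiped" together with file signatures is what the server advertised as wiped would have produced; a properly sanitized drive should report no residual data. The residual-byte count is an upper bound in whole sectors, and a Luhn-valid digit run is only a hint that should be confirmed by a person, not treated as proof that card data was present.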

C-Level Executives

C-level executives must be aware of data retention requirements in order to comply with laws and regulations. In the United States, SOX imposes record retention requirements that companies must follow. For example, in May 2005 Morgan Stanley was ordered to pay $1.45 billion in a civil lawsuit, due in large part to its failure to properly produce electronic documents. [7] SOX also requires proper financial records management, which helps auditors by providing adequate and sufficient audit evidence. [8] Following the collapse of several companies and the SOX requirements imposed in the United States, Canada responded with its own laws and regulations, implementing SOX-like standards step by step. These standards include a set of retention requirements that C-level executives in Canada need to understand. [9]

The Staples example earlier in this paper shows that other laws also carry data retention requirements; organizations need to ensure they are in compliance with PIPEDA. Each industry may also have its own regulations with specific record retention requirements, and sometimes retaining too much data is the problem. Businesses in the restaurant and retail industries in particular must be aware of and follow the standards set by the Payment Card Industry. Its Data Security Standard (DSS) is meant to protect customers' private information and to prevent debit and credit card fraud. In one case, an attacker gained access to a restaurant's software, which held customers' credit card information, including the magnetic stripe data for each card, which the DSS prohibits storing. The business was liable for the data that leaked (over a five-year period) and thus for the $1 million in fraudulent losses that resulted from the improper retention of data. An executive at Visa stated that most companies found to be compromised while not following the DSS fold within 6 to 12 months of being caught. He also suggested that there is no reason for businesses to hold data longer than required, as each additional day of holding confidential data adds liability. [10] This example illustrates the cost of retaining too much data and shows that data destruction also matters to companies that hold sensitive customer information.

Aside from the direct financial consequences of these retention requirements, Staples in particular has attracted media attention for its poor habits, and its reputation will suffer from this negative attention. By not following laws and regulations, organizations face public scrutiny, which ultimately lowers the bottom line.

The current issues described earlier also illustrate how little attention many companies give to data destruction. According to a study by International Data Corporation, 60% of corporate data remains on desktops and laptops. [11] Companies need to ensure that data on these computers is properly sanitized so that confidential corporate data does not leak to competitors. Data destruction can also make a system more efficient by eliminating duplicate data: searching for information becomes much easier, and eliminating duplicates frees space on the storage media. [12][13]

FRAMEWORKS

This section discusses three data retention and destruction frameworks, which provide insight into best practices. The first framework relates to the retention of data; the second and third relate to data destruction.

ISO 15489: Information and Documentation, Records Management [14][15]

Background

The International Organization for Standardization (ISO) created ISO 15489: Information and Documentation, Records Management (ISO 15489) to bring attention and protection to records and to provide guidance on retrieving information from records efficiently and effectively using standard practices and procedures. ISO 15489 is split into two parts: a general section (Part 1) and a technical section (Part 2). The general section is aimed at everyone in an organization, including managers and records management professionals; the technical section is intended for records management professionals only. ISO 15489 is based on another standard, Australian Standard AS 4390: Records Management.

Scope

While ISO 15489 covers the broad topic of records management, the focus of this section is data retention. It therefore draws only on Chapter 8 (Design and Implementation of a Records System) and Chapter 9 (Records Management Processes and Controls) of Part 1, and Chapter 4 (Records Processes and Controls) of Part 2. Although Part 2 was written for records management professionals, it still contains valuable ideas that non-technical readers can understand. The following describes the key areas of ISO 15489 that relate to data retention.

Records to be Captured

Not all records need to be captured into a records system. Which records to capture should be decided based on the regulatory environment, business and accountability requirements, and the risk of not capturing them. Each organization will have its own retention requirements, depending on the type of organization and the legal and social setting of its industry. For example, laws and regulations may demand that certain data be retained, and the demand may be specific to a country, industry, type of organization or product.

Length of Retention

As with the decision to capture records, the length of retention should be determined by the regulatory environment, business and accountability requirements, and the risks both of holding the records and of not holding them. In analyzing these factors, the department or unit overseeing the business activity, the records manager and others should work together to ensure the records are retained in accordance with the requirements that apply to them and the management policies the organization has implemented.

[7] The Exchange Team. "Records Management: Why Do We Care?" Microsoft Exchange. 23 Aug. Web. 25 June.
[8] Queen, Patrick. "Records Management: A Critical Success for SOX Compliance." Sarbanes-Oxley Compliance Journal. 20 Mar. Web. 26 June.
[9] "The Corporate Governance Landscape in Canada." Deloitte & Touche LLP. Web. 28 June. < overnance/87dd85ed081fb110vgnvcm ba42f00aRCRD.htm>
[10] Jackson, Brian. "Small Firms Must Comply with Security Standards or Be Held 'Liable' for Breaches." ITbusiness.ca. 13 Mar. Web. 28 June.
[11] Hanks, Keith. "Understanding Data Destruction: What the CIO Needs to Know." CIO.com. 18 May. Web. 28 June. < page=1>
[12] Phillips, Paulie. "Data De-duplication Addresses Storage Headaches." Ontrack Data Recovery. 8 June. Web. 01 July.
[13] Button, Polly. "Data De-duplication Helps Combat Spiralling Storage Costs." Ontrack Data Recovery. 4 May. Web. 01 July.
[14] "Information and Documentation - Records Management - Part 1 (ISO 15489)." International Standard, ISO. Web. 23 June.
[15] "Information and Documentation - Records Management - Part 2 (ISO 15489)." International Standard, ISO. Web. 23 June.
In some cases, laws or regulations will require records to be retained for a certain period. For example, to allow an audit of the organization, it may be required to hold records for 10 years from the date of the transaction. ISO 15489 describes a five-step analysis for deciding how long records should be retained:

1. Verify legal and administrative requirements. These depend on the laws and regulations of the particular jurisdiction. As described earlier in this paper, failing to follow them can have deep financial repercussions.

2. Understand the purpose of the records within the system. There are two types of records: core records and records of multiple individual transactions. Core records are used repeatedly; records of individual transactions refer to the core records. Core records are usually kept longer than records of individual transactions. For example, a single day of sick leave is a record of an individual transaction, while an employee's sick leave history (the number of sick days taken while employed at the organization) is a core record; the individual records add up to the total held in the core record. Each individual transaction record can be removed soon after the transaction is complete, while the core record (the employee's sick leave history) stays in the system until the employee leaves the organization. Records can also be distinguished by the nature of the business activity behind the transaction: a doctor's transactional medical records of a patient may need to be kept longer than transactional records of supply purchases.

3. Determine relationships and links with other systems. The records in one system may rely on those in another. If system A's records use information from system B's records, the retention period of system B's records may depend on that of system A's.

4. Examine different uses of the records. ISO 15489 raises five considerations: 1) other stakeholders may have an interest in keeping records longer than management does; 2) management must assess the risks of destroying records once internal use of them is complete; 3) the organization should decide which records are necessary for business continuity; 4) there may be other financial, political or social reasons to retain records; and 5) the organization should weigh the costs of retaining records after their original purpose has been served against the benefits, where those benefits are non-financial.

5. Decide on the retention period. After the previous four steps, the final step is to decide the length of retention for records of a similar nature.

Physical Storage Medium and Protection

The physical elements of a records management system are the storage environment, storage media, physical protective materials, handling procedures and storage systems. The choice of environment, media and protective materials depends on how long the records must be kept and what they will be used for. The storage media chosen should keep the records usable, reliable, authentic and preserved for the whole of the retention period.

Handling procedures and storage systems are additional items to consider for effective records management. They help prevent records from being damaged, destroyed or misplaced, as in a disaster, and they protect records from unauthorized access and theft.

Access, Retrieval and Use

The records management system should restrict access by those who do not require regular entry into the system, to protect the integrity of the data and to meet accountability requirements. There is no use in holding data in a system if it cannot be retrieved: retrieval should be timely, for both efficiency and compliance. Controls should also be in place against unauthorized use of the data, including changing, moving or destroying it.

NIST Guidelines for Media Sanitization [16]

Background

The National Institute of Standards and Technology (NIST) developed its Guidelines for Media Sanitization (hereafter "the NIST guideline") as required by statute. Its purpose is to establish proper methods of sanitization and disposal that prevent unauthorized access to the information held on storage media. The NIST guideline is intended for anyone interested in protecting confidential information, including federal agencies, businesses and home users.

Scope

This section gives a brief overview of the main sanitization methods and techniques and of how to choose an appropriate one. While the NIST guideline is written for anyone, this section focuses on businesses rather than federal agencies or home users.

Description of Sanitization Techniques and Methods

One option the NIST guideline does not count as a sanitization method is disposal. Not all storage media need to be sanitized; some can simply be discarded without any special treatment. Regular recycling of paper, for example, is disposal. For the purposes of this paper, a sanitization method is a broad category made up of a set of sanitization techniques. The NIST guideline groups sanitization techniques into three methods:

1. Clearing. A method that protects information on the storage media from keyboard attacks, that is, attempts to retrieve data through regular input devices and data scavenging tools. An example of a clearing technique is overwriting the original data with new, random data, using overwriting software or hardware.

2. Purging. A method that protects information on the storage media from laboratory attacks, that is, attempts to retrieve data through non-standard systems, usually operated by data recovery specialists outside the media's normal operating environment. An example of a purging technique is degaussing: exposing magnetic media to a strong magnetic field, produced by a strong magnet or an electromagnetic coil, in order to disrupt the recorded magnetic domains. Degaussing is useful for quickly sanitizing damaged media or media holding large amounts of data. If the media carries firmware, it may become unusable after degaussing.

3. Destroying. The physical destruction of the storage media, which renders it unusable. The NIST guideline splits physical destruction into two classes: 1) disintegration, incineration, pulverization and melting; and 2) shredding. The first class completely destroys the media, either by changing its form entirely or by reducing it to powder or particles. The second merely disaggregates the media into smaller pieces, so shredding can leave some data intact; the pieces must be small enough that the information cannot be reconstructed. The distinction, then, is that the first class destroys the data on the media more thoroughly.

Deciding on a Sanitization Technique and Method

Before choosing a sanitization method, an organization needs to decide whether sanitization is needed at all (which depends on the confidentiality of the information on the media) and, if it is, when to sanitize (which can follow the retention-period analysis described under ISO 15489). In choosing a method, the NIST guideline suggests deciding first on the confidentiality of the information: the less confidential the information, the weaker the method that can be used. In general, the order of strength from weakest to strongest is clearing, purging, destroying.

Next, the organization must consider whether it plans to reuse the media, or to give it to another organization for reuse, which saves money or brings in a sale. Media that will be reused may not need as strong a method.

A further consideration is whether the media will leave the organization's control, and who has access to it. Media is generally considered under the organization's control when it is being maintained under an agreement with a maintenance provider (a person or organization that helps sanitize data) that requires the information on the media to be kept confidential during sanitization, or when sanitization is carried out by the organization or the maintenance provider at the organization's site; sanitization by a maintenance provider must be supervised by the organization. On the other hand, media may leave the organization's control when it is exchanged under warranty, for a cost rebate or for other reasons; if the organization does not get the same media back, that media is no longer under its control. Media that leaves the organization's control calls for a stronger sanitization method than media that stays within it.

Appendix A illustrates the decision process: first the confidentiality of the data (low confidentiality means low security required), then, if applicable, whether the media will be reused, and finally whether it will leave the organization's control. At the end of the sanitization process a sample of the media should be verified as sanitized, and the result documented. Note that the appendix is for guidance only and may not give the most appropriate method in every case. Table A-1 (Media Sanitization Decision Matrix) in the NIST guideline provides a long list of recommended techniques for particular types of media once a method has been chosen. A cost-benefit analysis should be conducted to assess whether a particular technique is necessary.

On-Site or Off-Site Sanitization

Environmental factors should also be considered in the sanitization process. For example, although the NIST guideline does not raise it explicitly, an organization must ask whether to sanitize data on-site or off-site. The assumption here is that a third party performs the sanitization, either on-site or off-site. Although generally more expensive, on-site sanitization has several advantages. First, liability is minimized because the media is not transported from one location to another, where it could be lost or stolen. Second, on-site sanitization usually lets the organization physically watch the media being sanitized, which, depending on the method, is itself a form of verification. Third, even with confidentiality agreements in place, whenever confidential information is sent to a third party there is the possibility that the third party will access and use it; on-site sanitization keeps the media out of the third party's hands. [17]

ITSG-06: Clearing and Declassifying Electronic Data Storage Devices [18]

Background

The Communications Security Establishment Canada created ITSG-06: Clearing and Declassifying Electronic Data Storage Devices (ITSG-06) under its Information Technology Security Guide (ITSG) series to guide government IT authorities. Specifically, ITSG-06 describes methods of preparing storage media for declassification (the equivalent of sanitization in the NIST guideline), reuse and disposal.

Scope

This section should be read in conjunction with the NIST section; its content relies on or relates to the NIST guideline. It adds information on data sanitization techniques and contrasts them with the NIST guideline. Because ITSG-06 is written for government IT authorities, some of its guidance is very specific; this section gives only a broad overview of the techniques, as they relate to businesses.

Data Sanitization Techniques

ITSG-06 lists nine sanitization techniques. Degaussing was described earlier as a purging technique, and ITSG-06 describes it much as the NIST guideline does. Shredding and disintegration, grinding and hammer-milling, and incineration were described earlier (under different names) as destroying techniques, and again ITSG-06's descriptions match the NIST guideline's. Materiel/molecular separation by high-speed centrifuge is mentioned but not analyzed in ITSG-06, so it is not discussed here. That leaves four techniques that either are not specifically discussed in the NIST guideline or differ from it:

1. Encryption. Although encryption is not usually seen as a sanitization technique, encrypting an entire storage medium can be considered a clearing method: it changes the data on the medium into a defined unreadable form. Its effectiveness depends on the strength of the cryptographic protection scheme and on the management of the encryption key.

2. Overwriting. Overwriting is similar to the process described in the NIST section under clearing, but ITSG-06 describes it more specifically as writing 1s and 0s over every bit on the medium. ITSG-06 also describes a Triple Overwrite: first write all 1s or all 0s over every bit; then write the complement (the opposite value) of the first pass; and finally write a pattern of 1s and 0s produced by a pseudorandom number generator, chosen so that the pattern is known and can be tracked (checked) by the user.

3. Physical Deformation. Tools such as a sledgehammer, nail gun or vice can be used to physically deform a storage medium. This falls under the destroying method. It is intended only for emergencies: its purpose is to slow, stop or discourage an attacker from trying to recover data from the medium.

4. Knurling. A special machine applies pressure and heat to optical discs, stretching and curling them and effectively destroying the data on them. This is a destroying method.

[16] Kissel, Richard, Matthew Scholl, Steven Skolochenko, and Xing Li. "Guidelines for Media Sanitization." National Institute of Standards and Technology, Sept. Web. 28 June.
[17] Tillman, Don. "On-Site Data Destruction of Magnetic Data Following U.S. Standards." StorageNewsletter.com. 4 Feb. Web. 29 June.
[18] "Clearing and Declassifying Electronic Data Storage Devices." Communications Security Establishment of Canada, July. Web. 27 June.
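To make the Triple Overwrite concrete, and to tie it to the verify-then-document step that the NIST decision flow ends with, the following added example (not code from the paper, ITSG-06 or NIST) performs the three passes on a file or raw block device: all ones, the complement, then a pseudorandom pattern derived from a fresh random seed so that the verification step can regenerate exactly what should have been written. It then reads back a sample of blocks (first, last and evenly spaced ones in between), compares them with the expected pattern, and returns a record that can be filed as the documentation. Assumptions not on the page: a 1 MiB write size, that the medium writes data in place (which holds for the magnetic disks the paper discusses and is what makes overwriting meaningful), and the constructed sample file that demo() wipes.

```python
"""Triple overwrite of a storage medium with read-back verification.

Added example; not code from the paper, ITSG-06 or the NIST guideline.
Assumed: the medium is a regular file or a raw block device that writes data
in place (true of the magnetic media the paper discusses), and a 1 MiB write
size; both are tunable.
"""
import hashlib
import math
import os
import secrets
import tempfile

BLOCK = 1 << 20  # assumed write granularity; keep it a multiple of the sector size


def pattern_block(seed: bytes, index: int, n: int) -> bytes:
    """Pass-3 pattern for block `index`: pseudorandom, but reproducible from
    (seed, index) so the verification step knows exactly what to expect."""
    return hashlib.shake_256(seed + index.to_bytes(8, "big")).digest(n)


def sample_indices(nblocks: int, fraction: float) -> list:
    """Blocks to read back: first, last and evenly spaced ones in between, so
    a fixed fraction of the medium is sampled whatever its size."""
    want = max(2, math.ceil(nblocks * fraction))
    if nblocks <= want:
        return list(range(nblocks))
    step = nblocks / want
    return sorted({int(k * step) for k in range(want)} | {nblocks - 1})


def _write_all(dev, data: bytes) -> None:
    """Loop until the whole buffer is written; raw devices may take short writes."""
    view = memoryview(data)
    while view:
        written = dev.write(view)
        view = view[written:]


def triple_overwrite(path: str, block: int = BLOCK, verify_fraction: float = 0.1) -> dict:
    """ITSG-06 style triple overwrite (all ones, the complement, a pseudorandom
    pattern), followed by sampled verification. Irreversible by design."""
    seed = secrets.token_bytes(32)  # per-job seed; the pattern is not secret
    with open(path, "r+b", buffering=0) as dev:
        size = dev.seek(0, os.SEEK_END)
        nblocks = math.ceil(size / block)
        passes = (
            lambda i, n: b"\xff" * n,                 # pass 1: all ones
            lambda i, n: b"\x00" * n,                 # pass 2: the complement
            lambda i, n: pattern_block(seed, i, n),   # pass 3: pseudorandom
        )
        for gen in passes:
            dev.seek(0)
            for i in range(nblocks):
                _write_all(dev, gen(i, min(block, size - i * block)))
            os.fsync(dev.fileno())  # push each pass past the OS cache to the medium
        # Verification: the final pattern must be present in every sampled block.
        sampled = sample_indices(nblocks, verify_fraction)
        mismatched = []
        for i in sampled:
            n = min(block, size - i * block)
            dev.seek(i * block)
            if dev.read(n) != pattern_block(seed, i, n):
                mismatched.append(i)
    return {  # the record to file as documentation of the sanitization
        "path": path,
        "bytes": size,
        "blocks": nblocks,
        "passes": 3,
        "sampled_blocks": len(sampled),
        "mismatched_blocks": mismatched,
        "pattern_seed": seed.hex(),  # allows the pattern to be regenerated for a later re-check
    }


def demo() -> dict:
    """Constructed sample: a 10 000-byte file of fake customer records, wiped
    with a small block size so the example runs in well under a second."""
    marker = b"CUSTOMER,card=4111111111111111;"  # constructed test data
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write((marker * 400)[:10_000])
        path = f.name
    try:
        record = triple_overwrite(path, block=4096)
        with open(path, "rb") as f:
            record["marker_still_present"] = marker in f.read()
    finally:
        os.unlink(path)
    return record


if __name__ == "__main__":
    print(demo())
```

Run triple_overwrite() with the path of a file or device, after checking the path twice, since the procedure cannot be undone; demo() shows the expected record, with an empty mismatched_blocks list and the original content gone. The read-back does not prove that the first two passes happened; it proves that the final pattern now occupies the sampled blocks, which is what the decision flow's verification step asks for. The reproducible pattern is what makes that check possible: a pattern nobody can regenerate can be written but not verified.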
CONCLUSION

C-level executives need to be more aware of data retention and destruction. The current issues related to Staples and to used IT equipment exemplify the problems that organizations may face. There are many laws and regulations that C-level executives need to consider for their companies' data retention and destruction practices. There is also a delicate balance between the retention and destruction of data: organizations must retain enough data to comply with laws and regulations, but must beware of retaining so much data that they face legal liabilities. The frameworks in this paper provide an overview of data retention and destruction. For this paper specifically, ISO 15489 describes the retention-related aspects that C-level executives should understand, including the length of retention of data. NIST 800-88 and ITSG-06 offer sanitization methods and techniques that C-level executives should be aware of in the data destruction process. As well, the discussion of NIST 800-88 can help a C-level executive choose a sanitization method based on a few factors, including the level of confidentiality of the data. This will ensure that data is properly sanitized and will help prevent issues from arising due to poor data retention and destruction practices.

APPENDIX A: SANITIZATION AND DISPOSITION DECISION FLOW

[Figure not reproduced: sanitization and disposition decision flow chart.]

Source:

BIBLIOGRAPHY

"Audit Report of the Privacy Commissioner of Canada: Staples Business Depot." Office of the Privacy Commissioner of Canada. Web. 01 July. < pub/ arvr/ar-vr_staples_2011_e.cfm>.
"Clearing and Declassifying Electronic Data Storage Devices." Communications Security Establishment of Canada, July. Web. 27 June.
"Data Destruction." Bitpipe.com. Web. 30 June. < Destruction.html>.
"Information and Documentation - Records Management - Part 1 (ISO 15489)." International Standard - ISO. Web. 23 June.
"Information and Documentation - Records Management - Part 2 (ISO 15489)." International Standard - ISO. Web. 23 June.
"The Corporate Governance Landscape in Canada." Deloitte & Touche LLP. Web. 28 June. < CM100000ba42f00aRCRD.htm>.
Button, Polly. "Data De-duplication Helps Combat Spiralling Storage Costs." Ontrack Data Recovery. 4 May. Web. 01 July.
Clark, Edward. "Staples Fails to Delete Data, Report Finds." Ontrack Data Recovery. 23 June. Web. 01 July.
Hanks, Keith. "Understanding Data Destruction: What the CIO Needs to Know." CIO.com. 18 May. Web. 28 June. < Know.?page=1>.
Jackson, Brian. "Small Firms Must Comply with Security Standards or Be Held 'liable' for Breaches." ITbusiness.ca. 13 Mar. Web. 28 June.
Kissel, Richard, Matthew Scholl, Steven Skolochenko, and Xing Li. "Guidelines for Media Sanitization." National Institute of Standards and Technology, Sept. Web. 28 June.
Ontrack, Kroll. "Kroll Ontrack Encourages Caution for New Financial IT Deployments." CFO World. 21 June. Web. 01 July.
Phillips, Paulie. "Data De-duplication Addresses Storage Headaches." Ontrack Data Recovery. 8 June. Web. 01 July.
Queen, Patrick. "Records Management: A Critical Success for SOX Compliance." Sarbanes-Oxley Compliance Journal. 20 Mar. Web. 26 June.
Roseman, Ellen. "Roseman: Why Is Staples Keeping Our Private Purchase Data?" Thestar.com. 22 June. Web. 30 June.
The Exchange Team. "Records Management: Why Do We Care?" Microsoft Exchange. 23 Aug. Web. 25 June.
Tillman, Don. "On-Site Data Destruction of Magnetic Data Following U.S. Standards." StorageNewsletter.com. 4 Feb. Web. 29 June.

ANNOTATED BIBLIOGRAPHY

Author: Smith, Julian Zbogar
Title of Article: Records Management: Why Do We Care?
Periodical: TechNet Blogs
Year: 2006
Accessed: May 28, 2011
Source: The Microsoft Exchange Team Blog

At a broad level, records management is defined as the way in which an organization deals with its stored information. This includes the development of a system that will manage what type of information is kept, the controls over the accessibility of the information, and how users can increase their productivity by having simplified ways to access the information quickly. There are also laws and regulations that govern records management. While this topic existed many years ago, there have been significant changes in the past decade that triggered discussion on this topic. The following are some of those changes:
- There is a growing amount of data, much more than there used to be
- It has become more expensive to manage records, not because of storage costs (in fact, storage costs have decreased), but because legal penalties for mismanaging information have increased significantly
- New laws, such as SOX, and court judgements have made individuals more liable for mistakes and negligence in records management

Author: Queen, Patrick
Title of Article: Records Management: A Critical Success for SOX Compliance
Periodical: Sarbanes Oxley : Technology : Records Management
Year: 2009
Accessed: May 28, 2011
Source: Sarbanes-Oxley Compliance Journal

While SOX has been evolving over the past few years, records management compliance has become a critical success factor in controlling business processes, providing accurate financial reporting and producing reliable audit findings. To comply with SOX, public companies have to document, test and assess their internal control procedures. This includes having adequate financial records management, because this process supports the accuracy of financial transactions.

To meet the compliance requirements today, an organization should:
- Be compliant with SOX audits, which means that the company should conduct self-audits and also have solutions that are auditable
- Ensure that the records management process includes both paper documents and electronic documents
- Have proper version control, where the company formally agrees on how to manage draft versions of documents, and incorporate these decisions into the records management policies
- Include a formal litigation hold process in the document lifecycle: the records destruction process must stop for related records when the company is notified of legal action, as well as for any anticipated or foreseeable legal action
- Have working disaster recovery plans
- Ensure that financial records are retained for the specified period of time, recognizing that there are requirements beyond SOX, such as other state regulations and laws. It is also important that the company can locate the data when requested by the regulatory bodies
- Ensure that electronic records management is included in the formal compliance strategy, since companies now rely heavily on electronic data and documents

As technology and laws continue to evolve, those companies that have effective records management will be better equipped to maintain data that supports their business operations and to remain compliant with the regulatory bodies.

Author: Data Capture Solutions Ltd.
Title of Article: ISO 15489: the essentials
Periodical: N/A
Year: 2005
Accessed: May 28, 2011
Source: Google

This article contains the essential components described in ISO 15489 (Information and documentation: records management), a global standard that provides guidance to companies on effectively creating, managing and storing records, acknowledging that each business has unique demands and challenges for its records. The standard provides a framework of best practices to follow and adapt for each company. Adopting ISO 15489 will allow companies to demonstrate an approach to records management that is recognized around the world and adds confidence when dealing with global business partners and clients.

The standard is split into two parts: Part I provides a general overview and examines the principles and methodologies for adoption; Part II provides more practical approaches that organizations can use as the basis of their system development. The reason that we need proper records management is that records are valuable assets to a business and require protection and preservation. These records need to be retained to support business processes and functions, and thus they need to be accurate and authentic. Proper record keeping will also help with retaining only essential information, which increases the efficiency of business processes and improves the competitiveness of the business. A critical step in the framework is to investigate the company's current record-keeping methods and what type of information is retained from the business processes. This analysis of the current process will help identify the strengths and weaknesses of the system. It is also essential to assess the regulatory and legal record-keeping obligations that the company has to meet. To implement successfully, it is important to gain top management support and a proper allocation of resources. The first step is preliminary planning, which will help gain this support. The next step is to analyze the business activity and see where records management fits into the business processes. With this information, the company should clarify its requirements and define what it truly needs from the new records management system. With its requirements identified, the company can now identify the gap between the existing system and those requirements. The next step is to form a written policy, eventually distributed to the company's employees, that describes the standards that the company wishes to achieve and maintain. The company can now convert the policy into an actual plan and then implement that plan. It is important to fully document the system, adequately train the staff to use it, and continuously monitor the system.

Note: Although this article was written in 2005, more than 5 years before the current year, it is essential because it contains the concepts included in the ISO 15489 global standard written in 2001, providing guidance on records management.

Author: Vednere, Ganesh
Title of Article: Records management and privacy: Conflict or convergence?
Periodical: SC Magazine
Year: 2009
Accessed: May 28, 2011
Source: SC Magazine

Managing privacy used to be simple: it could be done by securing firewalls, having strong passwords and using encryption. However, with so much data being digitized today, data sets are available in more than one online repository, and these simple controls no longer suffice. Therefore, organizations established formal information security and privacy teams to secure data and prevent unauthorized access to and use of the database. While records management focuses on the ease of accessibility of records and privacy focuses on preventing unauthorized access to information, the two concepts actually converge. The key principles of records management and privacy overlap: reliability, integrity of information and guaranteeing authenticity. Therefore, it is important for records managers to understand privacy and add value in areas such as the company's policies, procedures and controls. It is also important for organizations to manage these programs together to promote collaboration.

The following are some areas where, if managed properly, privacy and records management can benefit each other:
- Records inventory: A robust records inventory kept by the records management team adds significant value to the privacy program, because the privacy team can simply take the record list and mark the records that contain personally identifiable information.
- Records retention: Records managers can work closely with the business and privacy offices to develop the appropriate retention period, so that the company meets the legal retention requirement, and to resolve conflicts if the privacy office does not agree with the term of retention.
- Storage: The records management and privacy teams can work together to ensure the proper storage of data, ensuring security, integrity and reliability and preventing unauthorized access.
- Transmission: While this is not a requirement for records management, privacy policies require secure transmission of data, which will benefit records managers.
- Disposal: Records management policies should include procedures to dispose of information. Privacy teams can benefit from this, as privacy laws require companies to properly dispose of personally identifiable information.
- Governance and operational management: Privacy programs and records management teams can benefit from each other. For example, the records management team can benefit from the privacy team's speciality in responding to data loss or breach.

Author: Choudhury, Amit Roy
Title of Article: New Tech Reshaping Record Keeping
Periodical: The Business Times (Business Times Singapore)
Year: 2011
Accessed: May 28, 2011
Source: Factiva

SQL View, a Singapore-based electronic records management company, believes that with the convergence of cloud computing and social networking there will be greater ease in the retrieval and creation of records. The company was recently given a grant by Spring and International Enterprises to continue developing its artificial-intelligence-based data mining and classification tool. The product the company is trying to produce is called KRIS Intelligent Filer (KIF), classification software that pushes information to the user by extracting patterns from the data. The data would be classified into relevance, longevity, privilege access and security. When a specific user performs a search, only the records tied to the user's pre-ordained behaviour classification will be displayed. This means that only records deemed relevant will be pushed to the user, rather than every record that relates to the search. SQL View was the first company to introduce electronic records management in Asia. About half of the government offices' electronic records solutions are powered by this company. For example, the Central Provident Fund in Singapore implemented an e-registry system with the company which enables information to be retrieved quickly and securely. SQL View has been an innovative leader in Asia in providing record keeping solutions.

Author: Warner, Diana
Title of Article: Managing and Maintaining Electronic Content May Be Tricky, But Critical
Periodical: Journal of Health Care Compliance
Year: 2010
Accessed: May 28, 2011
Source: Business Source Complete

Enterprise content and records management (ECRM) is a set of strategies, processes and technologies used to manage any and all types of business data and records. ECRM can help keep track of all sorts of different document or record types.

In addition, ECRMs can be valuable by providing for the location and use of data and information effectively. For instance, individuals looking for information will be able to retrieve it in a timely manner, and access to the information can be based on each individual's role; each role can have different levels of access to the information. ECRMs also help meet regulatory and organizational requirements for the lifecycle of the records. Components of the records lifecycle include:
- The process of creating, editing, capturing or receiving information
- Maintaining the records to be easily accessible and retrievable, i.e. efficient for indexing, searching, processing, retrieving and disposal
- Auditing the records throughout the lifecycle, to ensure amounts balance and processes are being followed properly


More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT / FIPS 199 Compliant

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT / FIPS 199 Compliant Brochure More information from http://www.researchandmarkets.com/reports/3302152/ Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT /

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Privacy Best Practices

Privacy Best Practices Privacy Best Practices Mount Royal University Electronic Collection/Storage/Transmission of Personal (Google Drive/Forms/Docs) Google Suite: Document, Presentation, Spreadsheet, Form, Drawing Overview

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)

More information

RUTGERS POLICY. Approval Authority: Executive Vice President for Academic Affairs and Senior Vice President for Administration

RUTGERS POLICY. Approval Authority: Executive Vice President for Academic Affairs and Senior Vice President for Administration RUTGERS POLICY Section: 30.4.5 Section Title: Business Services Policy Name: Records Management Formerly Book: Formerly Policy 50.3.10 Approval Authority: Executive Vice President for Academic Affairs

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Payment Card Industry (PCI) Policy Manual. Network and Computer Services Payment Card Industry (PCI) Policy Manual Network and Computer Services Forward This policy manual outlines acceptable use Black Hills State University (BHSU) or University herein, Information Technology

More information

How To Manage Records And Information Management In Alberta

How To Manage Records And Information Management In Alberta 8. RECORDS AND INFORMATION MANAGEMENT Overview This chapter is intended to help public bodies understand how good records and information management practices assist in the effective administration of

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Add the compliance and discovery benefits of records management to your business solutions. IBM Information Management software

Add the compliance and discovery benefits of records management to your business solutions. IBM Information Management software Records-enable your applications, content, documents and e-mail IBM Information Management software Add the compliance and discovery benefits of records management to your business solutions. Records management

More information

Document Management in the FIPPA Era

Document Management in the FIPPA Era Document Management in the FIPPA Era Kathryn Frelick DISCLAIMER This Coffee Talk presentation is provided as an information service and is not meant to be taken as legal opinion or advice. Please do not

More information

TERMINAL CONTROL MEASURES

TERMINAL CONTROL MEASURES UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to cashandmerchant@ucr.edu when requesting a stand-alone dial up terminal. The University

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Isuz Ltd. trading as Schoolcomms

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

DOCUMENT RETENTION STRATEGIES FOR HEALTHCARE ORGANIZATIONS

DOCUMENT RETENTION STRATEGIES FOR HEALTHCARE ORGANIZATIONS Overview. DOCUMENT RETENTION STRATEGIES FOR HEALTHCARE ORGANIZATIONS A comprehensive and consistently applied document retention policy is necessary to reduce the risk of being charged with spoliation

More information

Information Security Policy

Information Security Policy Information Security Policy Policy Title Responsible Executive Responsible Office Information Security Policy Vice President for Information Technology and CIO, Jay Dominick Office of Information Technology,

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

New Jersey Health Care Quality Institute Policy for Accounting Practices, and Records and Document Retention

New Jersey Health Care Quality Institute Policy for Accounting Practices, and Records and Document Retention New Jersey Health Care Quality Institute Policy for Accounting Practices, and Records and Document Retention Honest and accurate recording and reporting of information is critical to the Quality Institute

More information

This article first appeared in the International Technology Law Association s ebulletin, Volume 2, Issue 3, summer 2008.

This article first appeared in the International Technology Law Association s ebulletin, Volume 2, Issue 3, summer 2008. Designing a Co m p l i a n t Re c o r d Retention Policy for Your Business This article first appeared in the International Technology Law Association s ebulletin, Volume 2, Issue 3, summer 2008. by Jenna

More information

CITY UNIVERSITY OF HONG KONG. Information Classification and

CITY UNIVERSITY OF HONG KONG. Information Classification and CITY UNIVERSITY OF HONG KONG Handling Standard (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24 Document Control Document Owner Classification

More information

Best Practices Series Document Retention and Best Practices

Best Practices Series Document Retention and Best Practices Best Practices Series Document Retention and Best Practices 1. Sarbanes Oxley Act provides guidance to businesses Sections 802 and 1102 of SOX make it a crime to alter, cover up, falsify, or destroy any

More information

10 Steps to Establishing an Effective Email Retention Policy

10 Steps to Establishing an Effective Email Retention Policy WHITE PAPER: 10 STEPS TO EFFECTIVE EMAIL RETENTION 10 Steps to Establishing an Effective Email Retention Policy JANUARY 2009 Eric Lundgren INFORMATION GOVERNANCE Table of Contents Executive Summary SECTION

More information

HIPAA & HITECH AND THE DISCOVERY PROCESS

HIPAA & HITECH AND THE DISCOVERY PROCESS HIPAA & HITECH AND THE DISCOVERY PROCESS HEATHER L. HUGHES, J.D. U.S. Legal Support, Inc. 363 North Sam Houston Parkway East, Suite 900 Houston, Texas 77060 (713) 653-7100 State Bar of Texas 8 th ANNUAL

More information

Approved By: Agency Name Management

Approved By: Agency Name Management Policy Title: Effective Date: Revision Date: Approval(s): LASO: CSO: Agency Head: Media Protection Policy Every 2 years or as needed Purpose: The intent of the Media Protection Policy is to ensure the

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Utica College. Information Security Plan

Utica College. Information Security Plan Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles

More information

The Next Frontier. for Records Managers. Retention and Disposition of Structured Data:

The Next Frontier. for Records Managers. Retention and Disposition of Structured Data: Retention and Disposition of Structured Data: The Next Frontier for Records Managers Establishing a relationship with IT managers and learning about the basics of system technology will help the records

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HP FutureSmart Firmware Device Hard Disk Security

HP FutureSmart Firmware Device Hard Disk Security HP FutureSmart Firmware Device Hard Disk Security Summary: This document discusses hard disk security for HP FutureSmart Firmware printing devices. Contents: Overview... 2 Secure Erase Commands... 2 1.

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact

More information

Union County. Electronic Records and Document Imaging Policy

Union County. Electronic Records and Document Imaging Policy Union County Electronic Records and Document Imaging Policy Adopted by the Union County Board of Commissioners December 2, 2013 1 Table of Contents 1. Purpose... 3 2. Responsible Parties... 3 3. Availability

More information

Managing and Automating Data Erasure for Mobile Devices: STRATEGIES FOR RECYCLERS AND IT ASSET DISPOSAL SPECIALISTS

Managing and Automating Data Erasure for Mobile Devices: STRATEGIES FOR RECYCLERS AND IT ASSET DISPOSAL SPECIALISTS Managing and Automating Data Erasure for Mobile Devices: STRATEGIES FOR RECYCLERS AND IT ASSET DISPOSAL SPECIALISTS Blancco White Paper Published 14 February 2013 Introduction Advanced mobile devices like

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Protecting Data in Decommissioned IT Assets: Factors, Tools and Methods

Protecting Data in Decommissioned IT Assets: Factors, Tools and Methods SECURIS SM Protecting Data in Decommissioned IT Assets: Factors, Tools and Methods Information Systems Security Association (ISSA) Baltimore Chapter Monthly Meeting January 27, 2016 Hugh McLaurin, CSDS

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information