Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP
We invite you to send your information systems audit, control and security questions to:
HelpSource Q&A
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Email: email@example.com
The way we manage and retain records in our organisation—a nascent business process outsourcing service provider—is chaotic, to say the least. We do not have a defined records retention policy. We were in big trouble recently when we were asked by a client to produce documentation and we were unable to do so. Given the lack of such retention standards and policies, staff members who process data adopt their own standards based on their convenience rather than business need.
Please share your thoughts on how we must handle this records retention issue, given the potential legal and regulatory implications.
Organisations that do not have proper records retention policies, in particular those that process information on behalf of their clients, have landed in trouble for violating all sorts of requirements, including legal, regulatory and contractual. So your organisation is not alone, as a lot of other entities are in the same sorry state.
Electronically stored information (ESI) can be subpoenaed and used as potential evidence both for and against your organisation if your company were to be dragged into a lawsuit. The toxic litigious environment that businesses operate in today, combined with the various regulatory and legal changes that have swept in during recent years, has changed the rules of the game with respect to archiving and retention of e-mails.
Unlike in the past, most communications today take place via e-mail and instant messenger systems. Some organisations use FTP-based (or equivalent) systems to interchange files containing data. So regardless of the organisation's size, complexity, geographical spread, industry or status as a public or private company, a lack of retention policies and standards can lead to havoc.
One of the key first steps is for organisations to have a records retention policy/standard (I am using ‘policy’ and ‘standard’ interchangeably in this article for the sake of convenience), and such policies/standards must be widely communicated to and understood by all employees who deal with information. The first and foremost component of such a policy is to have the term ‘business records’ defined specific to the organisation, as there is no universal definition available that can be applied to all organisations. Every company must have its own definition of business records clearly explained.
According to Nancy Flynn, in her famous treatise The E-Policy Handbook, ‘a business record is a document (electronic or paper) that provides evidence of business-related activities, events, transactions, negotiations, purchases, sales, hiring, firing and so on’. At the same time, she goes on to add that ‘not every message that enters or leaves your organisation is a business record and not every electronic conversation you conduct rises to the level of a business record’.
For example, amendments made to the US Federal Rules of Civil Procedure (FRCP), which govern the discovery of electronically stored information, include the following:
The following is a list of things to do. As always, you must deem this a general list and seek appropriate legal advice to formulate a policy that is relevant to your organisation.
Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP, is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2011 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.