HelpSource Q&A 

Download Article Article in Digital Form

We invite you to send your information systems audit, control and security questions to:

HelpSource Q&A
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Q The way we manage and retain records in our organisation—a nascent business process outsourcing service provider—is chaotic, to say the least. We do not have a defined records retention policy. We were in big trouble recently when we were asked by a client to produce documentation and we were unable to do so. Given the lack of such retention standards and policies, staff members who process data adopt their own standards based on their convenience rather than business need.

Please share your thoughts on how we must handle this records retention issue, given the potential legal and regulatory implications.

A Organisations that do not have proper records retention policies, in particular those that process information on behalf of their clients, have landed in trouble for violating all sorts of requirements, including legal, regulatory and contractual. So your organisation is not alone, as a lot of other entities are in the same sorry state.

Electronically stored information (ESI) can be subpoenaed and used as potential evidence both for and against your organisation if your company were to be dragged into a lawsuit. The toxic litigious environment that businesses operate in today, combined with the various regulatory and legal changes that have swept in during recent years, have changed the rules of the game with respect to archiving and retention of e-mails.

Unlike in the past, most communications today take place via e-mail and instant messenger systems. Some organisations use FTP-, or equivalent, based systems to interchange files containing data. So regardless of the size, complexity, geographical spread, industry in which the organisation operates, or status in terms of public or private company, lack of retention policies and standards can lead to havoc.

One of the key first steps is for organisations to have a records retention policy/standard (I am using ‘policy’ and ‘standard’ interchangeably in this article for the sake of convenience), and such policies/standards must be widely communicated to and understood by all employees who deal with information. The first and foremost component of such a policy is to have the term ‘business records’ defined specific to the organisation, as there is no universal definition available that can be applied to all organisations. Every company must have its own definition of business records clearly explained.

According to Nancy Flynn, in her famous treatise The E-Policy Handbook, ‘a business record is a document (electronic or paper) that provides evidence of business-related activities, events, transactions, negotiations, purchases, sales, hiring, firing and so on’. At the same time, she goes on to add that ‘not every message that enters or leaves your organisation is a business record and not every electronic conversation you conduct rises to the level of a business record’.

For example, amendments made to the US Federal Rules of Civil Procedure (FRCP), which govern the discovery of electronically stored information, include the following:

  • Within the federal court system and courts in some states, ESI is discoverable. In other words, information retained and archived by a company, whether business records or not, can be subpoenaed in cases of litigations against the company.
  • An organisation need not retain all e-mail records, and even those that require retention need not be retained forever. As part of the business’s normal operations and based on appropriate advice that the company receives from its attorney or legal counsel, the company is entitled to delete any information stored electronically, as long as the information no longer serves any business purpose and has reached the end of its life. The organisation must ensure, hopefully via legal counsel, that such purged information is no longer required to meet any of the regulatory, compliance or legal requirement, or business obligations. The information selected for purging must also not be related to any ongoing litigations or potential/anticipated lawsuits.
  • US courts expect organisations that operate within the US and any outsourced vendors that process information on the organisations’ behalf, regardless of their geographic location, to manage ESI in a manner that facilitates the production of information required, in a timely fashion, completely in full and not in parts.
  • The adoption of a consistent approach with respect to retention and deletion of information will enable the organisation to win the trust of the courts. It is essential to have defined policies and standards, if the duration for retention and choice for deletions were to be consistent across the organisation. Should there be any accusations of illegal deletion of records or records tampering, the organisation can fight such claims and prove its innocence if it has well-defined standards.

The following is a list of things to do. As always, you must deem this a general list and seek appropriate legal advice to formulate a policy that is relevant to your organisation.

  • Define the term ‘business records’ in the context of your organisation. It can be a generic definition applicable across the organisation universally, or you can have multiple definitions with each of them applicable to different parts of the organisation.
  • Seek legal advice and determine the requirements—in terms of archival records and retention of records—of laws and regulations with respect to your line of business.
  • Clearly communicate the policy tenets and requirements to all employees involved in the processing of business records. Creating awareness alone can increase levels of compliance towards records retention. The policy must include education about things to do and not to do, legal and regulatory requirements, disciplinary measures for non-adherence, and potential penalties that the organisation might face for non-compliance.

Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP
is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.

Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.