How Long Do I Keep This Stuff?

You've thought it or asked it before. You want to know how to store, how long to retain, and how to dispose of your company's and your customer's information.

The answers to those questions begin with your company's Document Retention Policy and/or Document Retention Guidelines, which usually go hand-in-hand with the company's and the customer's Information Security Policy. Requirements such as labeling, classifying, distribution, storage, reproduction, and retention are usually baked into the Information Security Policy; the Document Retention Policy and/or Document Retention Guidelines are lower-level guidance that supports the overall Information Security Policy.

Document Retention is a significant technical challenge for most companies. It involves both the company's internal systems and projects that the company has undertaken on behalf of its clients. Because of the importance of the issue to the company and its clients, as well as the potential for disputes or litigation, adherence to published Document Retention Policy/Guidelines is a business necessity.

The purpose behind Document Retention "guidance" is essentially twofold. First, it enables the company to respond to any client request or issue after a project has commenced or been completed. Second, in the event of a dispute with a customer, vendor, or other third party, the company must be able to defend itself and prove what it did on a project and how it complied with its duties or obligations.

Thus, if a document, regardless of media type, is necessary to either of the above two purposes, it should be retained. If not, it can be disposed of. With respect to electronic records, consideration should be given to whether the information would be stored in a format (media and software) that would be retrievable over the life of the retention requirement.

The purpose, however, is not to retain every piece of paper or electronic information ever created during the course of a project, but to retain the documentation that would allow the company to respond to client inquiries, or to show what the company did on a particular project and that the company complied with its obligations.

If your company does not have a published Document Retention Policy or Document Retention Guidelines, this shortcoming should be addressed sooner rather than later, since the consequences of not being able to retrieve desired pertinent information can be severe.

The author, at one time, was an IT Staff Auditor for a Fortune 10 company, and later managed the global Information Security Program for the Information Technology organization that supported a Fortune 10 company.

http://www.sound-business-practices.com
http://www.skeleton-star.com
http://www.skeletonstar.com