Vulnerabilities / Threats // Insider Threats
07:15 PM

Data Retention Policies Absent Or Partially Implemented

Almost 90% of IT and legal pros value data retention plans, but less than half their organization have them and many fail to follow through with required technology, finds Applied Research survey.

When it comes to retaining important emails and other records, 87% of IT and legal professionals believe that having a formal data retention plan is important for knowing which information to retain or delete. But only 46% of their organizations actually have such a plan.

That's according to a new study released by Symantec, based on a June 2010 survey of 1,680 senior IT and legal executives in 26 countries, conducted by Applied Research.

"There's definitely a gap in terms of what people perceive as important around information management -- around retention policies, deletion policies -- and what their actual practices are," said Danny Milrad, senior manager of product marketing for information management at Symantec.

In some cases, organizations create good retention and deletion policies, but fail to follow through with required technology. For example, in 2009, the Massachusetts attorney general launched an investigation into the city of Boston's email retention practices, or lack thereof, after it emerged that the chief of policy and planning had deleted his work email on an almost daily basis, and that his emails hadn't been retained.

Last week, however, the state's attorney general dropped the case against him, noting that the city's own archives and records management division "actually encouraged employees, in concrete, easy to understand language, to routinely delete emails," which the city officially stored for three years. Unfortunately, no such storage system was in place, though the city has since begun to rectify the problem.

Boston aside, many organizations lack any clear policies, resulting in a pack-rat approach to retention. Deleting nothing, however, creates its own problems, because storage isn't cheap. For example, the Symantec study found that 75% of enterprises use their backup systems to satisfy legal hold requests, and that such holds account for 45% of their total backup storage volume. Furthermore, by some estimates, approximately 70% of all stored data is duplicate data.

Taken to extremes, this volume of stored information can literally start to consume the company. "We had a customer in the UK that had so many backup tapes that they had to shut down the company's swimming pool to build a storage facility," said Milrad. "For electronic discovery requests, how much does it cost to pull those tapes out and find the information?" With 250,000 tapes in total, the cost and time required could be substantial.

If that example is a storage-volume outlier, it previews where many companies are headed. The lesson, then, is to have a plan and put the right technology in place to ensure that your organization sticks to the plan, said Milrad. "Being able to defend your information management plan is what's going to be able to keep your CEO out of the news, for reasons they shouldn't be in the news."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.