Vulnerabilities / Threats // Insider Threats
8/4/2010
07:15 PM
Connect Directly
RSS
E-Mail
50%
50%

Data Retention Policies Absent Or Partially Implemented

Almost 90% of IT and legal pros value data retention plans, but less than half their organization have them and many fail to follow through with required technology, finds Applied Research survey.

When it comes to retaining important emails and other records, 87% of IT and legal professionals believe that having a formal data retention plan is important for knowing which information to retain or delete. But only 46% of their organizations actually have such a plan.

That's according to a new study released by Symantec, based on a June 2010 survey of 1,680 senior IT and legal executives in 26 countries, conducted by Applied Research.

"There's definitely a gap in terms of what people perceive as important around information management -- around retention policies, deletion policies -- and what their actual practices are," said Danny Milrad, senior manager of product marketing for information management at Symantec.

In some cases, organizations create good retention and deletion policies, but fail to follow through with required technology. For example, in 2009, the Massachusetts attorney general launched an investigation into the city of Boston's email retention practices, or lack thereof, after it emerged that the chief of policy and planning had deleted his work email on an almost daily basis, and that his emails hadn't been retained.

Last week, however, the state's attorney general dropped the case against him, noting that the city's own archives and records management division "actually encouraged employees, in concrete, easy to understand language, to routinely delete emails," which the city officially stored for three years. Unfortunately, no such storage system was in place, though the city has since begun to rectify the problem.

Boston aside, many organizations lack any clear policies, resulting in a pack-rat approach to retention. Deleting nothing, however, creates its own problems, because storage isn't cheap. For example, the Symantec study found that 75% of enterprises use their backup systems to satisfy legal hold requests, and that such holds account for 45% of their total backup storage volume. Furthermore, by some estimates, approximately 70% of all stored data is duplicate data.

Taken to extremes, this volume of stored information can literally start to consume the company. "We had a customer in the UK that had so many backup tapes that they had to shut down the company's swimming pool to build a storage facility," said Milrad. "For electronic discovery requests, how much does it cost to pull those tapes out and find the information?" With 250,000 tapes in total, the cost and time required could be substantial.

If that example is a storage-volume outlier, it previews where many companies are headed. The lesson, then, is to have a plan and put the right technology in place to ensure that your organization sticks to the plan, said Milrad. "Being able to defend your information management plan is what's going to be able to keep your CEO out of the news, for reasons they shouldn't be in the news."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.