HelpSource

We invite you to send your information systems audit, control and security questions to: HelpSource Q&A bgansub@yahoo.com or publication@isaca.org

Fax to: +1.847.253.1443 Or mail to: ISACA Journal 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA

Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP, is the global IT security lead for a management consulting, technology services and outsourcing companys global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniams previous work includes heading the information security and risk functions at a top UKbased business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.

The way we manage and retain records in our organisationa nascent business process outsourcing service provideris chaotic, to say the least. We do not have a defined records retention policy. We were in big trouble recently when we were asked by a client to produce documentation and we were unable to do so. Given the lack of such retention standards and policies, staff members who process data adopt their own standards based on their convenience rather than business need. Please share your thoughts on how we must handle this records retention issue, given the potential legal and regulatory implications.

Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www.isaca.org/journal), find the article, and choose the Comments tab to share your thoughts.

Organisations that do not have proper records retention policies, in particular those that process information on behalf of their clients, have landed in trouble for violating all sorts of requirements, including legal, regulatory and contractual. So your organisation is not alone, as a lot of other entities are in the same sorry state. Electronically stored information (ESI) can be subpoenaed and used as potential evidence both for and against your organisation if your company were to be dragged into a lawsuit. The toxic litigious environment that businesses operate in today, combined with the various regulatory and legal changes that have swept in during recent years, have changed the rules of the game with respect to archiving and retention of e-mails. Unlike in the past, most communications today take place via e-mail and instant messenger systems. Some organisations use FTP-, or equivalent, based systems to interchange files containing data. So regardless of the size, complexity, geographical spread, industry in which the organisation operates, or status in terms of public or private company, lack of retention policies and standards can lead to havoc. One of the key first steps is for organisations to have a records retention policy/standard (I am

using policy and standard interchangeably in this article for the sake of convenience), and such policies/standards must be widely communicated to and understood by all employees who deal with information. The first and foremost component of such a policy is to have the term business records defined specific to the organisation, as there is no universal definition available that can be applied to all organisations. Every company must have its own definition of business records clearly explained. According to Nancy Flynn, in her famous treatise The E-Policy Handbook, a business record is a document (electronic or paper) that provides evidence of business-related activities, events, transactions, negotiations, purchases, sales, hiring, firing and so on. At the same time, she goes on to add that not every message that enters or leaves your organisation is a business record and not every electronic conversation you conduct rises to the level of a business record. For example, amendments made to the US Federal Rules of Civil Procedure (FRCP), which govern the discovery of electronically stored information, include the following: Within the federal court system and courts in some states, ESI is discoverable. In other words, information retained and archived by a company, whether business records or not, can be subpoenaed in cases of litigations against the company. An organisation need not retain all e-mail records, and even those that require retention need not be retained forever. As part of the businesss normal operations and based on appropriate advice that the company receives from its attorney or legal counsel, the company is entitled to delete any information stored electronically, as long as the information no longer serves any business purpose and has reached the end of its life. The organisation must ensure, hopefully via legal counsel, that such purged information is no longer required to meet any of the regulatory, compliance or
ISACA JOURNAL VOLUME 1, 2011

legal requirement, or business obligations. The information selected for purging must also not be related to any ongoing litigations or potential/anticipated lawsuits. US courts expect organisations that operate within the US and any outsourced vendors that process information on the organisations behalf, regardless of their geographic location, to manage ESI in a manner that facilitates the production of information required, in a timely fashion, completely in full and not in parts. The adoption of a consistent approach with respect to retention and deletion of information will enable the organisation to win the trust of the courts. It is essential to have defined policies and standards, if the duration for retention and choice for deletions were to be consistent across the organisation. Should there be any accusations of illegal deletion of records or records tampering, the organisation can fight such claims and prove its innocence if it has well-defined standards.

The following is a list of things to do. As always, you must deem this a general list and seek appropriate legal advice to formulate a policy that is relevant to your organisation. Define the term business records in the context of your organisation. It can be a generic definition applicable across the organisation universally, or you can have multiple definitions with each of them applicable to different parts of the organisation. Seek legal advice and determine the requirementsin terms of archival records and retention of recordsof laws and regulations with respect to your line of business. Clearly communicate the policy tenets and requirements to all employees involved in the processing of business records. Creating awareness alone can increase levels of compliance towards records retention. The policy must include education about things to do and not to do, legal and regulatory requirements, disciplinary measures for non-adherence, and potential penalties that the organisation might face for non-compliance.

ISACA JOURNAL VOLUME 1, 2011

Q&A