Information Technology

Creating an Effective Retention Policy By Jeffrey Streif, CPA, CFE, CISA, QSA

A data retention policy is one of the most important policies for a business to have. The problem is that a large percentage of entities don't have one, and if they do, it isn't monitored or enforced. To be effective, such a policy should cover all data no matter what form it is in and where it resides.

Data Mapping

Data mapping is the process by which an entity locates and identifies the various types of data on its resources. These resources could include the following: network drives, desktop computers, laptops, tablets, smartphones, external hard drives, flash drives, and the cloud. This is a critical part of the data retention policy, in that it will allow the entity to have better control over where the data is located and how to manage it according to the data retention policy. Also, do not forget to include the hard copies of data in this mapping process.

Data Classification

Once the data has been mapped out, the entity should review all its data and categorize it as confidential, sensitive or public. The data can also have subcategories, such as client data, employee data, and financial data. It is important to classify the data because it doesn't all have the same retention period. It is necessary to determine why the data is important for current and future operations, so as to determine a reasonable amount of time to retain the data if it doesn't fall under any industry requirement or state and federal regulations.

Data Retention Policy and Procedures

How long should data be stored on the network drives, the cloud, in storage or on media? It would be wonderful to just say keep everything for seven years and then dispose of it in a secure manner. Unfortunately, the retention length of time is probably the most difficult question to answer. Due to industry requirements, state and federal regulations, and even what type of data is involved, the answer could vary. Because there could be overlap in what one state requires versus another, sometimes the best possible answer is to categorize the data, then look at the relevant time periods and choose the one that is longest. Some firms have even specified in their engagement letter which state statute applies if they choose the shorter period. The policy should detail how litigation affects the retention period. Once litigation is likely, the policy should define controls that will ensure against the unintended or accidental destruction of data.

Backup and Destruction

The backup policy should be integrated or aligned with the data retention policy. Backup media should follow policy guidelines to ensure all data stored on backup media is necessary for operational and legal requirements and doesn't conflict with the data retention policy. The entity should maintain a proper inventory of backup media with detailed labels. An annual review of the data map, retention requirements and backup procedures will help prevent any issues with old, obsolete data. There should be procedures set up that will facilitate the secure destruction of the data once the retention period has ended.

Monitoring of Policies

If the data retention policy is to be effective, it is important to audit the policy periodically to ensure compliance. Monitoring the policy can also help identify any deficiencies, such as areas of data leakage, data not classified correctly, data located in inappropriate locations, data not backed up properly, or old data that should be disposed of.

Conclusion

Data management is critical to an organization's success. An important part of data management is the data retention policy. How an entity manages its data can improve efficiency, reduce overhead burden and increase competitiveness. Technology is making the managing of data more efficient with the use of paperless document management systems to ensure compliance with entity policies and external regulations.
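As an added example (not from the article), the retention rule described above, choosing the longest applicable period where jurisdictions overlap and suspending destruction under a litigation hold, combined with a periodic audit over the data map. The categories, jurisdictions, year counts and the seven-year default are constructed placeholders, not real statutes or the author's figures.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample requirements: retention period in years per (data category,
# jurisdiction). Placeholder values for illustration, not real statutes.
SAMPLE_REQUIREMENTS = {
    ("client", "state_A"): 5,
    ("client", "state_B"): 7,
    ("employee", "state_A"): 3,
    ("financial", "federal"): 7,
    ("financial", "state_B"): 5,
}

@dataclass
class DataAsset:
    name: str
    category: str          # client / employee / financial
    classification: str    # confidential / sensitive / public
    location: str          # from the data map: network drive, laptop, cloud, paper...
    created: date
    jurisdictions: tuple   # jurisdictions whose rules overlap for this asset
    litigation_hold: bool = False

def retention_years(asset, requirements=SAMPLE_REQUIREMENTS, default=7):
    """Longest period among overlapping requirements; assumed default if none applies."""
    periods = [years for (cat, juris), years in requirements.items()
               if cat == asset.category and juris in asset.jurisdictions]
    return max(periods, default=default)

def disposal_decision(asset, today, requirements=SAMPLE_REQUIREMENTS):
    """Return (action, reason); a litigation hold always blocks destruction."""
    if asset.litigation_hold:
        return "hold", "litigation hold: destruction suspended"
    years = retention_years(asset, requirements)
    try:
        end = asset.created.replace(year=asset.created.year + years)
    except ValueError:            # created on 29 Feb: roll to 1 Mar
        end = date(asset.created.year + years, 3, 1)
    if today >= end:
        return "destroy", f"retention period ended {end}"
    return "retain", f"retain until {end}"

def audit_data_map(assets, today):
    """Group mapped assets by required action, as a periodic policy audit would."""
    report = {"retain": [], "destroy": [], "hold": []}
    for asset in assets:
        action, _ = disposal_decision(asset, today)
        report[action].append(f"{asset.name} @ {asset.location}")
    return report
```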

22 the Asset | September 2012

In conclusion, the data retention policy weighs several factors, such as legal and issues, costs to maintain, and need-to-know concerns to determine the retention time, backup policy, data formats, and the best possible means of storage, access, and . The steps to create a reasonable policy include the following:

• Identify what industry, state and federal regulations or laws affect your data;
• Create a data classification policy to categorize the data and assign the appropriate retention period;
• Locate where the data resides on the entity's resources — logical and physical;
• Create a set of procedures to manage, track and dispose of the data according to policy;
• Monitor the entity resources to ensure compliance with the data retention policy;
• Update the data retention policy due to changes in industry requirements, state and federal regulations and technology changes; and
• Maintain appropriate levels of security at all stages of the data retention policy.

Jeffrey Streif is a principal with UHY Advisors in St. Louis. He is the chair of the MSCPA Information Technology Committee and current treasurer of the St. Louis Chapter of ISACA. He can be reached at [email protected].
