This article can also be found in the Premium Editorial Download "Storage magazine: What to do when storage capacity keeps growing."
Download it now to read this article plus other related content.
|Records-retention policy update|
It's important to regularly update your company's records-retention policies to identify any missing records that need to be protected in case of a disaster. A business record is defined as any information that's recorded or stored by graphic, electronic, mechanical or other means and contains evidence of business-related activities, events and transactions with ongoing business, legal, compliance, operational or historical value. This is based on the content, not the format or recording media.
Your company's general counsel can become a strong source of support for a policy update project, and may provide budget dollars and resources to get it done. The records-retention schedule generally lists required records by business function or department, and the update process should include structured interviews with representatives from these groups. The interview process should update the list of paper records created and retained, and identify the types of electronic records used or retained by each group.
You should also take the opportunity to identify documents and data sets that need special privacy protection or security measures during emergencies. The disaster recovery plan will need to support these special requirements.
Assessing the situation
Your approach to DR planning will depend on whether or not you have a DR plan and when it was last updated. If you have a DR plan, you need to determine whether it is:
- Covering only a small part of the critical data, and addressing only a few of the likely threats and risks.
- Current but very expensive, placing all data on the highest cost storage tier and replicating it locally and remotely for rapid recovery in almost any failure scenario.
- Current, cost-effective and based on a clear set of data classifications, as well as appropriate levels of protection and replication for each class.
Establish record types and business requirements. To ensure you understand what data is most critical for business recovery, start with a review of the legal, regulatory and operational requirements for records retention, protection and availability. A review of your company's official records-retention schedule will ensure that you address the full range of records and data the company must create and retain. If the retention schedule is incomplete or out of date, you may need to work with your legal and compliance teams to update it so that it covers important electronic records in addition to paper documents (see "Records-retention policy update").
This was first published in June 2006