Record Management, Retention, and Destruction Policy
There are many common myths about tape, disk, data protection and archiving; one, for example, is that archiving and long-term data retention are only for regulatory compliance purposes. The reality is that while regulatory compliance data, including Sarbanes-Oxley, ISO, financial or HIPAA medical records, requires long-term retention, much other common application data in almost every business, including businesses that do not fall under regulatory requirements, can benefit from, if not require, long-term data retention. The notion is to think beyond regulatory compliance. In other words, organizations of all sizes need and rely on information, both current and past.
Template includes citations for Federal and selected state record retention requirements
A record is essentially any material that contains information about your company’s plans, results, policies or performance. In other words, anything about your company that can be represented with words or numbers can be considered a business record – and you are now expected to retain and manage every one of those records, for several years or even permanently depending on the nature of the information. The need to manage potentially millions of records each year creates many new challenges for your business, and especially for your IT managers who must come up with rock-solid solutions to securely store and manage all this data.
The Record Management, Retention, and Destruction policy is a detailed template which can be utilized on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.

United States employers have a number of record retention requirements that are mandated by the federal government. Download Federal Record Retention Requirements here.
The areas included with this policy template are:
- Record retention requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
- Policy
- Standard
- Scope
- Responsibilities
- Record Management
- Compliance and Enforcement
- E-mail Retention and Compliance
- Job Description Manager Record Administrator
- 12 forms for Record Retention and Disposition Schedule
- Record Management Best Practices
You can download the Table of Contents and selected pages for this policy template.
Managing backup and recovery in today's environment is a multi-dimensional challenge with both near and long term business requirements. Recent technological developments in disk backup have had a positive impact on short term data retention requirements. But these improvements do not replace the need to execute and deliver on a long term data retention strategy which includes:
- Business and Regulatory Requirements Demand a Long-term Plan
- Manage and Contain Your Total Cost of Ownership (TCO)
- Encrypt Your Data for Secure Long-term Retention
- Weigh the Environmental Impacts and Minimize Power and Cooling Costs
- Simplify Management of the Entire Solution
Individual Policies
All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format (WORD 2003 and WORD 2007) for those clients who just need this particular policy. All policies are Sarbanes-Oxley, HIPAA, PCI-DSS, and ISO compliant.
Internet, e-Mail, Social Networks, Mobile Device, Electronic Communications, and Record Retention Policy
This policy is compliant with all recent legislation (SOX, HIPAA, Patriot Act, and Sensitive Information), and covers:
- Social Networking
- Appropriate Use of Equipment
- Mobile Devices
- Internet Access
- Electronic Mail
- Retention of E-mail on Personal Systems
- E-mail and Business Records Retention
- Copyrighted Materials
- Banned Activities
- Ownership of Information
- Security
- Sarbanes-Oxley
- Abuse
Included with the policy are forms that can be used to facilitate the implementation of the policy. Included are these ready to use forms:
- Internet & Electronic Communication Employee Acknowledgement
- E-Mail - Employee Acknowledgement
- Internet Use Approval Form
- Internet Access Request Form
- Security Access Application Form
The WORD template uses the latest CSS style sheet and can easily be modified to conform to the style used in your enterprise policy manual.
Email Archiving
Email archiving addresses a variety of business requirements, including eDiscovery, regulatory compliance and storage optimization. The growing cost of electronic discovery, compounded by recent changes to the Federal Rules of Civil Procedure (FRCP), has changed the way businesses must deal with email. To be prepared for legal discovery, organizations must know where all their email data is stored and be able to search through and retrieve that data in a short period of time.
Organizations must also apply consistent email retention policies and have a way to enforce a litigation hold by preventing data from being deleted. If retention is not handled consistently, missing or corrupt data can amount to spoliation of evidence, creating significant legal exposure. This can lead to costly fines, guilty verdicts and damaged reputations.
An email archive provides a centralized, searchable repository of all email and enforces retention policies. This makes meeting the legal discovery challenges much easier and dramatically less expensive than dealing with distributed PST files and backup tapes. It also ensures a consistent process and data integrity to reduce legal risks.
Outsourcing Policy
Outsourcing Policy - This policy is eighteen pages in length and defines everything that is needed for a function to be outsourced. The policy comes as a Microsoft Word document that can be modified as needed. The template has been updated to include a HIPAA audit program definition and covers:
- Outsourcing Management Standard
- Service Level Agreement
- Responsibility
- Outsourcing Policy
- Policy Statement
- Goal
- Approval Standard
- Base Case
- Responsibilities
Note: See the Practical Guide for Outsourcing, a document of over 110 pages, for a more extensive outsourcing process.
Sensitive Information Policy
Includes HIPAA Audit Program Guide and a PCI Audit Program
This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data. The template is 34 pages in length and complies with Sarbanes-Oxley Section 404, ISO 27000 (17799), and HIPAA. The PCI Audit Program that is included is an additional 50 plus pages in length.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
The HIPAA Audit Program Guide provides you with a checklist of the must be implemented items which HIPAA mandates.
You can download the Table of Contents and some sample pages by clicking on the link below.
Backup and Backup Retention Policy
IT organizations of all sizes contend with a growing data footprint, with more data to manage, protect and preserve for longer periods of time. Online primary storage has a focus on fast, low-latency, reliable access to data, while near-line secondary storage has a focus on low cost and high capacity. Long-term data retention requires a combination of ultra-low cost, good performance during storage and retrieval, and a reduced footprint in terms of power, cooling, floor-space and economics (PCFE), also known as a small green footprint, for inactive data.
Factors that CIOs and IT professionals need to consider for data retention include:
- Business and regulatory requirements – regulatory compliance and data preservation
- Economic and budgetary concerns – doing more with less
- Data loss prevention and information protection – protect, preserve and serve
- Environmental and business sustainment – green and economically efficient
- Maximize IT resource effectiveness and return on investment (ROI)
- Reduce total cost ownership (TCO) of IT resources and service delivery
The Backup and Backup Retention policy is an 11-page complete sample policy which can be implemented immediately.
The document is provided in both Word 2003 and Word 2007 format and is easily modified. This policy is included in the Disaster Recovery / Business Continuity Template.
Below is a table from the policy:
| Type of Data | Minimal Backup Policy | Backup Retention Policy |
|---|---|---|
| System software | Latest Version plus patches | Annual (verified) Backup |
| Application software | Latest Version plus patches | Annual (verified) Backup |
| System data | Daily | Annual (verified) Backup |
| Application Data | Daily with real-time transaction files | Annual (verified) Backup |
| Software licenses, encryption keys, & Protocol Data | Weekly | Annual (verified) Backup |
Travel and Off-Site Meeting Policy
Travel and Off-Site Meeting Policy - Protection of data and software is often complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other employees, contractors, suppliers and customers, data and software can be compromised. This policy is seven (7) pages in length and covers:
- Laptop and PDA Security
- Wireless and Virtual Private Networks (VPN)
- Data and Application Security
- Public Shared Resources
- Minimizing attention
- Off-Site Meetings
- Remote Computing Best Practices
This policy has been updated to reflect the requirements of PCI-DSS, Sarbanes-Oxley, HIPAA, and ISO. The policy comes as both a WORD file and a PDF file utilizing a standard CSS style sheet.