Tuesday, November 11, 2008

Use case: Records retention policy and management protocol

For many organizations, the perennial information management challenge they face is records retention. Some organizations may either have no cognizable records retention policy, or have a state-of-the-art records management protocol they can never seem to get effectively implemented. Regardless of what state its records policy or management protocols are in, an organization that seeks to implement one should have a sense of the following fundamental characteristics of its data and organization:
a. File create, modify and access times;
b. File “owner”;
c. File content;
d. The rules that define which group within the organization’s internal data taxonomy the classified information belongs to, e.g. HR, finance, taxes, customers, operations, marketing, etc.;
e. The applicable regulatory framework for the organization, that is, the nondiscretionary, externally mandated records retention requirements; and
f. Pending (to the extent they exist) litigation hold requirements.
1. Defensible data remediation: getting rid of files with little business value and high exposure.
Organizations that have implemented records retention programs without classification are likely over-capturing information. This means that while they capture what they should, they may also capture superfluous information of no business value that could well represent significant risk to the organization.
Records retention managers who leverage search and classification technology will be able to report on a host of information, including, but not limited to, the age of the files they encounter during a network scan as well as file access and modify times. This allows records retention managers to begin data remediation based on file age and utility. Arguably, old files that are never modified or accessed have little or no business value. In fact, these files are the ones that constitute the greatest organizational threat, in the form of dormant data liability: simply because they exist, they may be responsive to a litigation or regulatory request.
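One way to produce the file-age report just described, as an added example that is not code from the post or from any product it describes: a Python scan of a directory tree that keys on the modify and access times returned by os.stat. The 365-day threshold and the rule that both timestamps must be stale before a file is listed are assumptions made here; the post gives no numbers.

```python
"""Stale-file report for defensible data remediation (added example).

Walks a directory tree, reads each file's modify and access times with
os.stat, and lists files that have been neither modified nor accessed
within a threshold: the "old, never touched" files the post singles out
as dormant data with little business value and high exposure.
"""
import os
import time
from dataclasses import dataclass
from typing import List, Optional

DAY = 86400.0


@dataclass
class FileAge:
    path: str
    owner_uid: int            # numeric owner; map to a name with pwd on Unix
    size: int
    days_since_modify: float
    days_since_access: float


def file_age(path: str, now: float) -> FileAge:
    """Read timestamps for one file. Caveat: on volumes mounted with
    noatime/relatime the access time is frozen or coarse, so treat
    days_since_access as an upper bound, not a precise value."""
    st = os.stat(path)
    return FileAge(
        path=path,
        owner_uid=st.st_uid,
        size=st.st_size,
        days_since_modify=(now - st.st_mtime) / DAY,
        days_since_access=(now - st.st_atime) / DAY,
    )


def find_stale_files(root: str, max_age_days: float,
                     now: Optional[float] = None) -> List[FileAge]:
    """Return files under root whose modify AND access times are both older
    than max_age_days, oldest access first. Both must be stale (assumed
    rule): a file nobody edits but people still read has business value
    and is not a remediation candidate."""
    now = time.time() if now is None else now
    stale: List[FileAge] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                info = file_age(path, now)
            except OSError:
                continue  # vanished or unreadable; skip rather than guess
            if (info.days_since_modify > max_age_days
                    and info.days_since_access > max_age_days):
                stale.append(info)
    stale.sort(key=lambda f: f.days_since_access, reverse=True)
    return stale


def summarize(stale: List[FileAge]) -> str:
    """Plain-text report a records manager can review before acting."""
    lines = [f"{len(stale)} stale file(s), "
             f"{sum(f.size for f in stale)} bytes total"]
    for f in stale:
        lines.append(f"{f.path}: modified {f.days_since_modify:.0f}d ago, "
                     f"accessed {f.days_since_access:.0f}d ago, uid {f.owner_uid}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(summarize(find_stale_files(root, max_age_days=365)))
```

Run it as `python stale_report.py /path/to/share`. The report is input to a human decision, not an automatic delete: the post's own caveat applies, since a dormant file may still be subject to a litigation hold. Note that os.stat exposes no portable create time (st_ctime is inode-change time on Unix), which is why the scan keys on modify and access only.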
2. Data classification: defining that which is an organizational record.
The precursor step to defining what constitutes an organizational record is data classification. Prior to data classification, the data must be discovered and its contents accessed. In today’s world, file metadata and content become part of an enterprise index. Policies, driven by corporate stakeholder criteria, can then identify the items that qualify as “records” based on the organization’s rules and apply user-specific metadata to them.
In the records retention use case, records retention managers or policy makers can create and automate simple or complex classification rule sets that will classify and tag relevant documents with values such as “tax record,” “HR record,” “final contract,” etc. The resulting record can then be migrated to its archival resting point on secondary storage or read-only media. In short, powerful metadata tagging capabilities now allow records managers and policy makers to get their arms around vast amounts of data and apply flexible and elegant classification schemes that heretofore would have been inconceivable.
II. Use case: Information security
In a recent study conducted by TIP, an independent IT research group founded by Gartner, EMC, Giga, and Bell Labs alumni, upwards of 70% of the information security (infosec) professionals interviewed confirmed that their focus has shifted from external threats to internal threats to their information security. Some hot points for information storage managers include stemming intellectual property (IP) leakage, identifying network security gaps and managing information access. Giving infosec professionals insight into the nature of data at rest is a core foundation for infosec solutions. Questions such as “who in the enterprise has data related to project X, and where is it?” can easily be answered by leveraging regular expression content filter engines that identify and alert infosec professionals to the existence and network coordinates of certain types of information that meet the organization’s risk profiles. Infosec managers should be able to scan, locate and sequester information such as credit card data, social security information or any other pattern- or keyword-based sensitive and proprietary material. Even more importantly, they should be able to conduct automated risk rankings that combine multiple metadata and content conditions. Information access technology delivers these types of solutions. Now infosec personnel can ascertain data ownership and access rights and be in a better position to help make policy decisions about avoiding future organizational exposure.
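The classification rule sets of section 2 and the pattern-based content filter with automated risk ranking described in this section, as one added Python example that is not code from the post or from any product it describes. The taxonomy tags, the regular expressions, the score weights and the sample documents are all constructed here for illustration; an organization would substitute its own rules and thresholds.

```python
"""Rule-based classification plus sensitive-data scan with risk ranking
(added example, not from the post).

Part 1 tags documents with taxonomy values ("HR record", "tax record",
"final contract") from path and content rules.  Part 2 finds pattern-based
sensitive data (payment card numbers validated with the Luhn check, US SSN
shaped strings) and combines the hits with metadata (access breadth, age)
into a single risk rank.  All rules, weights and documents are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Document:
    path: str
    owner: str
    days_since_access: int
    world_readable: bool
    text: str


# Classification rule set: tag -> path regex and content regex.  Either
# condition is enough to apply the tag (assumed policy, tune per organization).
CLASSIFICATION_RULES: Dict[str, Dict[str, str]] = {
    "HR record":      {"path": r"(?i)/hr/",
                       "content": r"(?i)\b(performance review|employee id)\b"},
    "tax record":     {"path": r"(?i)/tax/",
                       "content": r"(?i)\b(form 1099|w-2|taxable income)\b"},
    "final contract": {"path": r"(?i)contract.*final",
                       "content": r"(?i)\bexecuted (on|as of)\b"},
}


def classify(doc: Document) -> Set[str]:
    """Apply the rule set; return every tag whose path or content rule matches."""
    tags: Set[str] = set()
    for tag, rule in CLASSIFICATION_RULES.items():
        if re.search(rule["path"], doc.path) or re.search(rule["content"], doc.text):
            tags.add(tag)
    return tags


# Sensitive-content patterns.  Card candidates are 13-19 digits with optional
# space/dash separators; the Luhn check below removes most order numbers and
# other digit runs that merely look like cards.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> Dict[str, int]:
    """Count Luhn-valid card numbers and SSN-shaped strings in text."""
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards += 1
    return {"card": cards, "ssn": len(SSN_RE.findall(text))}


def risk_score(doc: Document) -> int:
    """Combine content hits with metadata conditions into one rank (assumed weights)."""
    hits = find_sensitive(doc.text)
    score = 10 * hits["card"] + 8 * hits["ssn"]
    if score == 0:
        return 0                      # nothing sensitive: metadata alone adds no risk
    if doc.world_readable:
        score += 15                   # broad access compounds the exposure
    if doc.days_since_access > 365:
        score += 5                    # dormant sensitive data, per section 1
    return score


# Constructed sample documents (not real records).
SAMPLE_DOCS: List[Document] = [
    Document("/shares/hr/reviews/2007_review.txt", "hr-team", 30, False,
             "Performance review for employee id 4471. SSN 123-45-6789 on file."),
    Document("/shares/finance/tax/form_1099_vendor.txt", "finance", 400, True,
             "Form 1099 totals; card on file 4111 1111 1111 1111 for refunds."),
    Document("/shares/marketing/brochure.txt", "marketing", 10, True,
             "Order number 1234 5678 9012 3456 shipped."),
]


def scan(docs: List[Document]) -> List[Tuple[str, List[str], int]]:
    """Tag and rank every document, highest risk first."""
    report = [(d.path, sorted(classify(d)), risk_score(d)) for d in docs]
    report.sort(key=lambda r: r[2], reverse=True)
    return report


if __name__ == "__main__":
    for path, tags, score in scan(SAMPLE_DOCS):
        print(f"{score:3d}  {path}  tags={tags}")
```

The marketing brochure scores zero even though it contains a sixteen-digit run, because that run fails the Luhn check; that is the kind of false positive a raw regular expression alone would raise. The tax file outranks the HR file not because of its content alone but because it is world-readable and dormant, which is the point of combining metadata and content conditions rather than alerting on either by itself.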
