4 Elements to Address When Creating Compliant Archiving Policies
Without a doubt, email is the most widely used software application in any organization. It increases productivity and profitability via improved communication and knowledge sharing. However, there are also downsides associated with the growth of email including the exponential amount of sensitive information communicated and stored. Enforcing compliance and archiving policies protects organizations from security threats, data loss, litigation risks, and noncompliance. For policies to be enforced, they first have to be tailored to your organizational needs. Do you know where to start?
It is evident that in today’s highly regulated business environment, having an email policy is no longer a nice-to-have guideline; it is a Must-Have Process. If you want to be sure that your organization is protected against litigation and security threats, or if you simply want to achieve compliance with the statutes governing your respective industry, you will need a strong policy foundation.
Your Policy dictates the operational requirements and rules of deployment that must be adhered to and creates the basic blueprint to cover important legal and compliance issues directly related to your end users such as:
Corporate confidentiality leaks
Incorrect use of email for existing internal processes
Liability claims against the organization for inappropriate or malicious use
Most organizations already have some sort of email usage policy in place – it may be formal or informal, and it may also cover other areas related to IT such as general security and access controls. However, given the complexity of modern collaboration and messaging infrastructures, if you want to be sure that your organization is protected against litigation and security threats, and if you want to achieve compliance, you will need a strong policy foundation that is 100% dedicated to email and which combines Acceptable Usage Policies with Records Management Policies. At a minimum, you will want to address the policy elements that follow.
1 Retention Policy
The first step to creating a retention policy is identifying governance and regulatory requirements. What kind of information is useful and for how long? What kind of information should be kept to comply with laws and regulations and for which period of time? This policy is classified as an organizational policy and it identifies the retention and deletion requirements for email within the organization. If users are given the ability to delete messages, then the policy should provide a clear definition as to what constitutes a business record and what constitutes a transient record that may be deleted. You should also have measures in place for random audits and validation that the policy is being followed. Often, organizations already have an existing records management policy for paper documents. It is a good idea to extend the current policies to include electronic messages, but keep in mind that your policies for documents (or electronic files) may not always extend efficiently to electronic messages. The most important concern is that you have alignment between how your organization treats similar information types, regardless of if this information is preserved on paper, on file, or as an attachment in an email message.
2 Deletion Policy
Unless you plan on keeping information in perpetuity, you will at some point wish to delete information when it is no longer valuable or when the regulatory requirements have been met. Your deletion policy, which in essence is more of an operational policy, should take into consideration all forms of the email messages, including corporate archives, private archives and backups of messages. A deletion policy is only as good as the procedures to purge all information from the environment and should include audit trails that can validate the destruction.
3 Information Lifecycle Policy
This policy is critical to defining what data will be stored in your primary messaging systems, what data will be stored in online archive systems and what data will be stored in off-line systems. The policy needs to effectively communicate the use of corporate and private archives (i.e., personal archives will be allowed but not supported, or will altogether not be enabled), and the accessibility procedures for data not stored in online systems.
4 Backup Policy
Many organizations still utilize tape backup for records retention, a practice that grew out of long cycle tape rotation, allowing administrators to recover a specific copy of a file quickly and easily. Unfortunately, since email is a database application, it does not afford this efficiency of storage and retrieval and backups actually prevent organizations from finding information rapidly.
Example of Archival/Retention Policy
Create Your Policy
In the complete version of this document, you’ll find a copy of the NetGovern Email Policy. Feel free to copy the content and adapt it to your organizational requirements. If you prefer to start from scratch, the key elements of your policy should include:
Purpose of the policy
Scope of the policy (who is affected by it)
Explanation of what and how email is being monitored and manipulated
Clear description of what is and what is not acceptable
State what constitutes a breach
Disciplinary procedure in cases of policy breach
It is useful to give each employee a pamphlet explaining what the email policy stipulates. The guide should not only clarify what is or is not deemed adequate, but it should also demonstrate the benefits of having a policy in place.
It is essential to receive employee support, agreement and acceptance of the policy. Employees should be educated about the policy to ensure that they understand it. State clearly the reasons for the action undertaken: to emphasize your point, perhaps cite recent court cases, productivity loss statistics and other relevant data. In addition, communicate the benefits to the employees and the business in the same way that you would sell the benefits of your product or service to your customers. It can also be beneficial to provide users with feedback on how the email policy is helping your business.
You need to remind employees (and inform new hires) of the email policy on a recurring basis. You can do this by sending the policy out via email each 6 months, by including it in your employee handbooks, holding seminars on the most effective ways of using email and reporting back on the benefits of having the policy in place.