Policies for your organization's IG strategy. Where do I start?

Policies, specifically retention policies, sound so simple, don’t they? The truth is, they are anything but simple. Once you start looking at the data you have, where it is stored, and who owns it, you suddenly realize how difficult it is to assign policies.

Where is your data stored?
The first hurdle with assigning policies is to understand where your data is stored, and this is no small task! Understanding which desktops, servers, products, platforms and locations contain any of your data might seem too large a task to start. Once you start this process, it can be very overwhelming and might seem like you will never see a light at the end of the tunnel. Regardless, you must initiate this process because, in order to apply policies to your data, you need to know what data you have and where it resides. It may seem like this process has nothing to do with policies, but trust me, it does. Remember the distance, rate, and time math problems in school? If you recall, you had to have two of the values in order to solve the problem. The same holds true here. You must know what data you have in order to create the proper policies to govern it. If done properly, one by-product of the data inventory process is a much better understanding of what data exists, so you know what policies to enforce.

One of the hats I wear is being the Product Manager for Mail Attender for IBM Domino. I have conducted hundreds of demonstrations over the years and rarely is an organization’s retention policy set in stone. Once I start asking questions about different types of mail messages and what type of policies have been created, the retention policies are often altered. This is not a reflection of my knowledge. This is more of an example of making policies without knowing about all of the data that exists. So, take something as finite as mail and expand that thinking across your entire infrastructure and suddenly you will realize that no data is created equally. You need to have policies for all data types, including email, files, social software, etc.

Where do you start?
I would advise starting with email. The two reasons that come to mind for starting with email are:

1. You probably already have a great understanding of where email is stored, and
2. Email seems to be the biggest ‘witness’ in court cases.

Email can help blaze that trail for creating and enforcing retention policies for all data. It will help you understand what types of messages/data you have within your email environment and how that translates to the rest of your data. The old adage “I don’t know what I don’t know” is very applicable when it comes to your data. The deeper you dig, the more you learn. The wrong approach is to think that you know everything about your data. Old and new systems are being created/modified/leveraged constantly, so your data types will never be stagnant. Even for data that you think you fully understand, changes could be happening and you need to be diligent and adjust accordingly.

Once you feel you have a great understanding of how to govern your email, the next data source I would recommend is loose files. When I say loose files, I mean files that are stored within the file systems on desktops, servers, centralized software, USBs, etc. Typically, this would include files with extensions of .doc, .pdf, etc. Like email, files can be centralized on your servers, but can also be distributed across the user environment. This is the reason that I recommend files to follow email, because they follow the same distribution methodology. It will align nicely with how you created the policies for email.

From there, your company would be the best source for what other unstructured data you want to govern. Just keep building on the knowledge that you have learned and be sure that your policies are in step with any federal regulations regarding your business.

If you are enforcing retention policies on the data in your environment, be sure that any snapshot formats (e.g., backups) are also compliant with the retention policies. It would not serve you well if everything is being deleted once it reaches two years old, but your backup tapes that contain messages are not scratched for five years.

To summarize, living in a state of delusion is not an option when it comes to policies. The argument of “We’ve never had policies before, so why make them now?” might seem valid to some, but in reality, not so much. In today’s world of litigiousness and laws/regulations, you must abide by what is expected and required of you when it concerns information governance.

To learn more about retention policies or to speak with a Sherpa representative, contact us at 1-800-255-5155.
