Records Retention for Security’s Sake

By Dan Antoin posted 07-23-2013 12:50


Would you rather change your locks, clean your attic or do just about anything else on the list of things to do around your house? Security and Records Retention are rarely confused with things that are fun and sexy, but most people accept the fact that they are necessary. What people sometimes forget, is that these two unpopular topics are (or should be) a close-knit pair. One of my coworkers remembered this fact last week, when he introduced for consideration at a security meeting, the draft records retention guidelines for an important library. Some people didn’t understand why they were being asked to think about records retention, but I did.

Consider the four elements of security:

  • What are you protecting?
  • What are you protecting it from (threats)?
  • What is your vulnerability to those threats, and
  • What is your plan?

Like it or not, you are protecting every document that you have on your server, in your cloud, in everyone’s email and on most people’s phones and mobile devices. Doesn’t it just make sense to get rid of the stuff you don’t need?

Consider a worst case scenario: Through one of the many thousands of attack vectors out there in the wild, your company suffers a security breach and documents are acquired by nefarious evil doers. The documents are spread around and personal information that had been trusted to your company becomes public information. Depending on what that personal information is , and perhaps where you or those people live, your company is going to start spending money. You may have to pay for damages, you may have to mitigate potential threats and you may have to pay for ongoing protection to some people for several years. Did I say worst case? This is where I hate that there is no way to conjugate ‘worst’ – I wish I could say ‘worser’ or ‘worstest’, because there is something worse than that scenario. What if that the information that was stolen was something that you no longer even needed?

This might represent a good opportunity for content and records managers. While nobody is clamoring to get assigned to the security committee, neither is anyone avoiding it like the plague. Highlighting the fact that by reducing the sheer number of records, you can reduce your exposure to loss just might get people’s attention. Getting people talking about records retention and records destruction is a step in the right direction under any set of circumstances. Getting the requirement for a records retention policy bundled into your company’s security policy – that just might be priceless.

#Security #recordsretention #destruction #ElectronicRecordsManagement