# Data Policies

# Data Archiving Policy

A data archiving policy needs to include the ability to perform eDiscovery and granular retrieval. The capability to retrieve data by date, subject, and author is very useful. Data monitoring should also be included in a data archiving policy. Cloud storage allows for data to be moved and replicated frequently. This provides for high availability and high resiliency, while requiring good data governance.

The following also need to be included in a data archiving policy:

  • Data encryption. The encryption procedure needs to consider the media used, restoration options, and how to eliminate issues with key management. Loss of encryption keys could directly lead to the loss of data.
  • Data monitoring. Cloud storage allows for data to be moved and replicated frequently. While this provides for HA and resiliency, it also creates a challenge for data governance.
  • Data restoration. Having a process to back up data is critical for data protection. A backup that cannot be restored is useless. The restoration process needs to be tested and verified to work.
  • eDiscovery process. Data stores continue to grow. Without a good eDiscovery process, finding data in the cloud can be like finding a needle in a haystack.
  • Data backup. Backing up data could be considered the foundation of a data archiving policy.
  • Data format. Numerous tape formats have been developed over the years. File formats and media types can change over time. Consideration must be given to all file formats to ensure data is not left orphaned.

# Data Audit Policy

The organization should have a policy for conducting audits of its data. The policy should include detailed descriptions of:

  • Audit periods
  • Audit scope
  • Audit responsibilities (internal and/or external)
  • Audit processes and procedures
  • Applicable regulations
  • Monitoring, maintenance, and enforcement

The data audit policy should include the following:

  • The process for data disposal
  • Applicable regulations
  • Clear direction of when data should be destroyed

# Data Retention Policy

Organizations must demonstrate compliance with a well-defined data retention policy. The policy should ensure that only data that is not subject to regulatory or business requirements is deleted. It should also include a repeatable and predictable process.

The policy needs to consider:

  • Retention periods
  • Data formats
  • Data security
  • Data retrieval procedures