Retention Policies

and its regulatory requirements. And because of the Sarbanes-Oxley Act, intentional document destruction is now a process that must be carefully monitored.

Despite the fact that the enforcement of document retention policies can't be handled by technology alone, the destruction process does bring real benefits: preserving the storage space on... More...

on how financial businesses must respond to future subpoenas.

Keeping one step ahead
Financial companies already comply with myriad laws, rules, regulations and contractual documents governing minimum record retention periods. These retention periods may range from two years to seven years or even longer and are based on the content of... More...

Requirement 3.1 of the PCI Data Security Standard (DSS) requires merchants to keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or... More...

of them. While it's clear you shouldn't leave customer data in dumpsters, there is plenty of gray in the new regulations. "The laws typically require that a corporation make a good faith effort to establish reasonable data retention policies," said Babineau.

Good faith and reasonable are subjective terms, and at the moment, it is unclear how the government will... More...

a strategy for identifying, preserving, collecting and producing electronically stored information for litigation or investigations, but they're falling short when it comes to testing their ESI discovery policies, according to a survey by Kroll OnTrack Inc., a Minneapolis-based supplier of data discovery products and services.

The... More...

data was held 18 months or 18 minutes?

"No," he said. "What matters is that the company did not prevent the break-in."

The TJX break-in wasn't caused or exacerbated by data retention requirements, he said, adding, "The only thing data retention policies affect is the amount of data that is exposed to risk. In that sense, [Litan] is correct. Shorter retention times would... More...

Some practical approaches to enabling secure real-time communication have emerged as IM has matured into a widely accepted form of communication, including professional solutions, new protocols and improved policies.

Professional solutions
A variety of commercial and open source IM products have become widely available over the... More...

Access rights control: Only the Wholesale and E-Banking guides have controls for revoking access for terminated users, while only Wholesale and Retail call for changing users' passwords on a regular basis.

Policies and procedures: While all three guides call for an organizational framework of policies and procedures on a high level... More...

will be designated as the "owner," and this person/group should have input into its use. For example, customer banking data may only need to be accessed by customers (the data "owners") and transaction processing staff. Update policies to reflect data classification. By ensuring policies are inclusive of data classification types and compliance... More...
infobase is designed to provide financial institutions guidance; however, this can also be a very useful tool for the MSB with respect to understanding expectations of your organization by your bank. Develop a record retention system. A good record retention system can keep track of all of your MSB activity, particularly if you have multiple... More...
classification labels and the access restriction in place. File or folder owners can then be notified to rectify the situations or identify false positives.

Publish policies on using file repositories and record retention -- It is necessary to develop and publish a policy on which file repositories may store certain types of information, as... More...

they know it, they'll leave you alone.

"You really ought to think carefully: 'What do I really need to do my job? What logs do I have to keep?' and take it backward from there."

Bankston recommends that enterprises also maintain written policies addressing data collection and retention that encourage keeping the minimum information necessary for an... More...

into multiple virtual servers and resources. The CEO, CIO, compliance officer and other executives -- as well as compliance auditors and IT managers -- should help build the strategy. Review the organization's compliance policies to ensure that regulations have been met and the storage of data can be retained virtually for a minimum of, say, seven... More...
which largely defeats the purpose of end-to-end encryption since the data is most vulnerable during these operations. In some cases, the data or a portion of it is also needed for business reasons; a common example is the retention of payment card data for recurring charges and chargebacks (refunds). In addition, management of centralized... More...
not to buy a company's product or service because they did not know how the company would use their personal information. 58% of consumers say if they were confident a business followed its declared security and privacy policies, they would recommend that business to family and friends. Source: Privacy & American Business.

If you are in a position to... More...

In his blog, David Schneier explains how documenting your security policies helps ease the audit and examination process... More...
firm Piper Jaffray & Co. $700,000 for violations related to its failure to retain about 4.3 million emails between 2002 and 2008.

FINRA said Minneapolis, Minn.-based Piper Jaffray also failed to inform FINRA of its email retention and retrieval problems, which impacted its ability to respond to FINRA's requests, thereby potentially hindering the... More...

The law firm I currently work at has asked me to implement a retention policy for our records department. This project will also include email retention. Do you have any suggestions on... More...
may also be directed at people with whom the accused individual regularly corresponds.

E-mail messages should be considered business records and stored accordingly. Meticulous e-mail archiving (also called e-mail retention), like the retention of tax records, has become an essential part of the record-keeping routine for all businesses.

The... More...

NEW YORK -- Upcoming changes in the law meant to ease the process for discovering electronic records were met with groans and sighs by records managers, lawyers and compliance officers at a record retention conference this week.

The event, held at the New York City Bar Association, attracted general counsels and compliance... More...

Data retention requirements are a reality for financial services companies, and in recent years many have boosted their storage... More...

an existing one? One expert says aim low, keep it simple and keep it short.

"It's OK to put a wish list in the policy, but make it optional," said Phebe Waterfield, senior security analyst with Boston-based Yankee Group. Security policies, she told delegates Wednesday at the Information Security Decisions conference, should reflect current practices... More...

Federal regulators on Tuesday released a standardized form designed to make it easier for consumers to understand financial institutions' privacy policies.

Banks and other financial-services firms are required by the Gramm-Leach-Bliley Act (GLBA) to notify consumers about how... More...

areas within the organization. This can be particularly troublesome when addressing complex security issues and attempting to set policy. If the right people don't have input and ownership in establishing policies then those policies may not be recognized with their full weight.

One way to address this issue is by utilizing an... More...

Financial Security Whitepapers
Winning the PCI Compliance Battle by Qualys
to retailers, banks, service providers and credit card companies. Several large companies have been widely exposed due to major data security breaches. To mitigate the risks of such attacks, organizations must comply with PCI DSS, a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting...
Virtual Criminology Report Cybercrime versus Cyberlaw by McAfee, Inc.
has been done to combat cybercrime over the past decade, criminals still have the upper hand. Global cybercrime has a significant financial impact on businesses and consumers across the globe, while wider use of technology in developing countries is further opening the window of opportunity for evildoers.

Read this whitepaper for the stories of more than a dozen...
Web application security: automated scanning versus manual penetration testing by IBM
methods. As Web applications become increasingly complex, tremendous amounts of sensitive data, including personal, medical and financial information, are exchanged and stored. Consumers expect and even demand that this information be kept secure. There are two primary methods for discovering Web application vulnerabilities: using manual penetration testing...
CUSTOMER DATA INTEGRATION (CDI) by Wipro Technologies
the enterprise which can be used intelligently to achieve the bank's objectives. Customer Information is the bedrock on which financial institutions build lasting and profitable relationships with their clients.

Customer Data Integration technologies can help to create a single, informative, accurate and timely view of the customer across the...
How to Incentivize Whistleblowers to First Use Internal Reporting Tools by Convercent
Wall Street Reform and Consumer Protection Act, passed in July 2010, say the Act undermines internal whistleblowing processes with financial incentives.

This resource outlines the impact the Act has had on employees and organizations and explores how to encourage employees to keep you in the loop by encouraging internal communications and properly handling...

Cost Take-out: The New Top Priority for U.S. Government CFOs by IBM
are beyond the scope of this paper, suffice it to say that continued spending at such a pace carries with it considerable economic and security concerns.

The goal of this white paper is to serve as a platform from which to explore a range of possibilities and opportunities available to government CFOs in their quest to operate in a more efficient and effective manner by...

Do You Know Where Your Assets Are? Maximizing ROI With Radio Frequency Identification (RFID) Asset Management by Intermec
in enterprise asset management and fundamentally alter and improve business processes. In doing so, they are finding a positive financial return on their RFID investment...
Iron Mountain Customers Share Compliance, Litigation and Discovery Best Practices by Iron Mountain
management has never been more important. Physical and digital data managed incorrectly can lead to serious legal, financial and company risk - minimizing this risk should be a top priority in any company. This is where an information management services provider comes in.

This paper showcases how customers of one such provider address their own...

Closing the Gaps in Enterprise Data Security: A Model for 360° Protection by Sophos, Inc.
This paper examines the primary data threats that currently concern chief security officers (CSOs) and IT security management within enterprises, and recommends best-practice techniques to minimize and overcome risks to data security. These best practices have been successfully implemented and deployed in...