Do you Know Where your Data is? Gregory P. Silberman, CISSP Technology Intellectual Property & Outsourcing Group Kaye Scholer LLP May 10, 2005.


Policies, Standards, Guidelines

- A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.
- A standard is typically a collection of system-specific or procedure-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.
- A guideline is typically a collection of system-specific or procedure-specific “suggestions” for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.

Isn’t data retention just about backup copies?

- Collection
- Use
- Storage
- Security
- Destruction
- The goal is to keep “good/necessary” data and delete unnecessary data.

So what data do I have to be concerned with?

- It depends on the business, legal and personal use of the data. However, consider the following:
- E-mail
- Instant Messaging
- Voice Message
- Employee Records
- Customer/Client/Patient Information
- Designs, Drawings, Schematics, Plans, Blueprints
- Photographs, Movies, Sounds
- Software
- Log files

Isn’t this something MIS can take care of?

- Business Requirements
- Legal Requirements
- Compliance
- Civil Liability
- Criminal Liability
- Litigation/Discovery
- Personal Requirements

Business Requirements

- Work Product
- Operational Necessity
- Contractual Obligations
- Disaster Recovery and Business Continuity

Legal Requirements

- Local, State, Federal, International
- HIPAA
- COPPA
- GLB
- SOX
- SEC
- NASD
- FDA
- OSHA
- PATRIOT
- Privacy Policies
- Insurance Regulations
- Electronic Signatures
- Video Rental Records
- Department of Defense
- California Security Database Breach Notification Act
- Destruction of Evidence (Spoliation)

SEC 17a-3 and 17a-4

- Enacted by the SEC in 1997 to allow brokers in the securities industry to store records electronically
- 17a-3: Requirement to make the records
- 17a-4: Requirement to keep the records
- Written and enforceable retention policies
- Storage of data on indelible, non-rewritable media (WORM)
- Searchable index of all stored data
- Readily retrievable and viewable data
- Storage of data offsite
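The storage properties listed for 17a-4 (write-once media, a searchable index, ready retrieval, and a way to show the copy is unaltered) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the presentation or from any vendor product it names; the `WormArchive` class, the sample messages and the simulated media damage are all constructed, and an in-memory dictionary stands in for the physical WORM medium.

```python
import hashlib
from datetime import datetime, timezone


class WormArchive:
    """Toy write-once archive modelling the 17a-4 storage properties:
    a record can be stored and read back but never overwritten or removed
    through this interface; every record is indexed for search; and a
    SHA-256 digest kept in a separate ledger lets an audit detect alteration
    of the stored copy. (Constructed illustration, not a product API.)"""

    def __init__(self):
        self._medium = {}   # record_id -> bytes; stands in for the WORM media
        self._ledger = {}   # record_id -> {"sha256", "metadata", "archived_at"}
        self._index = {}    # search token -> set of record ids

    def store(self, record_id: str, content: bytes, metadata: dict) -> str:
        """Archive one record and return its digest. A second write to the
        same id is refused rather than silently overwriting (WORM semantics)."""
        if record_id in self._ledger:
            raise PermissionError(f"{record_id} already archived; overwrite refused")
        digest = hashlib.sha256(content).hexdigest()
        self._medium[record_id] = content
        self._ledger[record_id] = {
            "sha256": digest,
            "metadata": dict(metadata),
            "archived_at": datetime.now(timezone.utc).isoformat(),
        }
        for token in self._tokens(content, metadata):
            self._index.setdefault(token, set()).add(record_id)
        return digest

    @staticmethod
    def _tokens(content: bytes, metadata: dict) -> set:
        """Crude tokenizer over the body text and metadata values for the index."""
        text = content.decode("utf-8", errors="replace")
        text += " " + " ".join(str(v) for v in metadata.values())
        punct = ".,;:()\"'"
        return {t.strip(punct).lower() for t in text.split() if t.strip(punct)}

    def search(self, *terms: str) -> list:
        """Ids of records whose index entries contain every term (AND search)."""
        hits = None
        for term in terms:
            ids = self._index.get(term.lower(), set())
            hits = ids if hits is None else hits & ids
        return sorted(hits or [])

    def retrieve(self, record_id: str) -> bytes:
        """Readily retrievable: return the stored bytes for a record."""
        return self._medium[record_id]

    def verify(self) -> list:
        """Audit: ids whose stored copy no longer matches the ledger digest."""
        return sorted(
            rid for rid, entry in self._ledger.items()
            if hashlib.sha256(self._medium.get(rid, b"")).hexdigest() != entry["sha256"]
        )


def demo() -> dict:
    """Constructed walk-through: archive two messages, search them, refuse an
    overwrite, then simulate damage to the medium and catch it on audit."""
    archive = WormArchive()
    archive.store("M1", b"Trade confirmation for account 12345.",
                  {"from": "broker@example.com", "type": "email"})
    archive.store("M2", b"Client asked to move funds to account 12345.",
                  {"from": "client@example.com", "type": "im"})
    overwrite_refused = False
    try:
        archive.store("M1", b"edited after the fact", {})
    except PermissionError:
        overwrite_refused = True
    found = archive.search("account", "12345")
    archive._medium["M2"] = b"altered on disk"   # simulated media corruption or tampering
    return {
        "found": found,
        "overwrite_refused": overwrite_refused,
        "bad": archive.verify(),
        "m1": archive.retrieve("M1"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping the digests in a ledger separate from the medium is that an integrity check only means something when the evidence of what was written is not stored on the same thing that might be altered; on real WORM hardware the medium enforces the no-overwrite rule that `store` enforces here in software.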

NASD 3010/3110

- Rules set by the National Association of Securities Dealers Inc. (NASD) to govern the behavior of securities firms
- Rule 3010: Supervision. Each firm must “supervise” their representatives’ activity, including monitoring incoming and outgoing e-mail
- Rule 3110: Retention of Correspondence
- Each member shall retain correspondence of registered representatives relating to its investment banking or securities business
- Requirements pertaining to record-keeping formats, media, and retention periods comply with SEC Rule 17a-4

Personal Requirements

- All data that is not governed by business or legal requirements.
- Do not delete because you think it will hurt the company. Follow the policy.
- Keep “personal” material off of company systems (e-mail, programs, questionable web adventures)

Getting the Job Done

- Build it yourself
  - Proprietary in-house solution
- License a solution from someone else
  - EMC-Legato, Veritas-Enterprise Vault
- Outsource the solution
  - SECCAS (seccas.com)

Backups

- Do you know where they are?
- Do you know what's on them?
- Do you know who has access to them?
- Are you sure they are any good?
- What happened to the Y2K hard-copy and electronic backups?
- Are you sure these are the only backups?
- How much disruption will there be if you have to change your practices to preserve data?

Software Development Issues

- Who has access to your systems and data?
- Are they subject to the same security?
- Do you have contracts protecting your data?
- Do your software developers need live or actual data?

E-mail Issues

- Its informal nature causes people to write things as if they are saying them.
- Problem of mass distribution and replication.
- Deleting from your mailbox does not make it go away.
- People tend to save “just in case”.
- Tends to be used as a junk drawer and filing cabinet.
- Think before you e-mail.

Outsourcing Issues

- Do you actually have control over the data?
- Are your policies, standards and guidelines still being followed?
- Contract Provisions
  - Liability and Indemnification
  - Notification
  - Response to Problems
- Are you now subject to the laws of another country?

Policy Outline

- Purpose of the policy
- Who is affected by this policy
- What type of data and electronic systems are covered
- Define key terms (legal and technical)
- Outline the procedures for proper collection, retention, use and destruction
- Outline litigation exceptions and response procedures to prevent spoliation
- List responsibilities and specific duties
- Build a table showing data type and associated procedures and retention periods
- Distribute/Educate
- Audit
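The retention table, the litigation exception and the audit step in the outline above can be expressed as one small program, so that the rule "a record under legal hold is never scheduled for destruction" is checked by code rather than by memory. This is an added example written for this page, not material from the presentation: the `RetentionPolicy`, `LegalHold` and `Record` classes, the retention periods in `SCHEDULE`, the sample inventory and the hold on one custodian are all constructed placeholders and do not reproduce any statute's actual periods.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Action(Enum):
    RETAIN = "retain"      # inside its retention period: keep it
    DESTROY = "destroy"    # retention period has run out and no hold applies
    HOLD = "hold"          # litigation hold: destruction is suspended


# Constructed retention schedule (data type -> retention period in days).
# The periods are placeholders for illustration, not figures from any statute.
SCHEDULE = {
    "email": 365 * 3,
    "employee_record": 365 * 7,
    "customer_record": 365 * 6,
    "log_file": 90,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str
    created: date
    custodian: str


@dataclass(frozen=True)
class LegalHold:
    """A litigation exception: records of these custodians must not be destroyed.
    An empty data_types set means the hold covers every data type."""
    matter: str
    custodians: frozenset
    data_types: frozenset = frozenset()

    def covers(self, rec: Record) -> bool:
        return rec.custodian in self.custodians and (
            not self.data_types or rec.data_type in self.data_types)


@dataclass
class RetentionPolicy:
    schedule: dict
    holds: list = field(default_factory=list)

    def decide(self, rec: Record, today: date):
        """Return (Action, reason). Holds are checked before expiry so that a
        record under hold is never scheduled for destruction."""
        if rec.data_type not in self.schedule:
            # Unclassified data has no rule; refuse rather than guess.
            raise KeyError(f"no retention rule for data type {rec.data_type!r}")
        for hold in self.holds:
            if hold.covers(rec):
                return Action.HOLD, f"legal hold: {hold.matter}"
        expiry = rec.created + timedelta(days=self.schedule[rec.data_type])
        if today >= expiry:
            return Action.DESTROY, f"expired {expiry.isoformat()}"
        return Action.RETAIN, f"expires {expiry.isoformat()}"

    def audit(self, records, today: date) -> dict:
        """The audit step: group record ids by the action the policy requires."""
        result = {action: [] for action in Action}
        for rec in records:
            action, _ = self.decide(rec, today)
            result[action].append(rec.record_id)
        return result


# Constructed sample inventory, evaluated as of the presentation date.
TODAY = date(2005, 5, 10)
RECORDS = [
    Record("R1", "email", date(2001, 1, 15), "alice"),
    Record("R2", "email", date(2001, 1, 15), "bob"),
    Record("R3", "log_file", date(2005, 4, 1), "syslog"),
    Record("R4", "employee_record", date(2004, 9, 1), "hr"),
]
# Constructed hold: bob's e-mail is subject to a (fictional) pending matter.
POLICY = RetentionPolicy(SCHEDULE, holds=[
    LegalHold("Doe v. Example Corp (constructed)", frozenset({"bob"}),
              frozenset({"email"})),
])

if __name__ == "__main__":
    for action, ids in POLICY.audit(RECORDS, TODAY).items():
        print(f"{action.value:8s} {ids}")
```

Two design choices carry the policy's intent: holds are evaluated before expiry, so adding a hold immediately removes matching records from the destruction list without touching the schedule, and a record with no entry in the table raises an error instead of defaulting to "keep" or "delete", which forces the classification step the outline asks for.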

Conclusion

- Data retention touches every aspect of your business
- Data retention involves every employee of your business
- Content should dictate policy
- Format should dictate standards and procedures
- Develop policies, standards and guidelines, then follow them and audit your business for compliance

Thank You Gregory P. Silberman, CISSP Technology Intellectual Property & Outsourcing Group Kaye Scholer LLP Kaye Scholer refers to Kaye Scholer LLP and its affiliates operating in various jurisdictions