October 08, 2007
Records security plans still lagging
One of the biggest problems facing companies when they discover a data leakage incident à la TJX Companies is that they finally realize that they don't have a firm handle on just where all their information resides.
It's a story that's repeated time and time again by post-breach forensics experts -- whose first job upon being hired after an incident is typically to try to backtrack to figure out just what types and volumes of data have been exposed, and how.
According to a new study from data archiving and storage back-up specialists Iron Mountain, one of the primary reasons that companies often find themselves in this unenviable position is because they lack an enterprise-wide records management strategy in the first place.
In fact, in a recent study that the company completed with 2000 IT professionals and legal experts employed by its customers, roughly 65 percent of those interviewed admitted that they have no over-arching records retention, storage, back-up and management strategy.
The Compliance Benchmark Study published by Iron Mountain on Wednesday illustrates just why so many companies are having trouble protecting themselves from data incidents and responding to them quickly when they occur, according to Laura McDaniel, director of compliant records management at the firm.
"It's interesting that there's still a lot of room to go, even though there is a greater awareness level regarding this issue than ever there's been," McDaniel said. "From a records management standpoint, most companies may have some sort of retention schedule or policies or procedures in place, but many are still in the dark ages in terms of adopting these rules across their entire organization, especially for electronic records."
Despite the current shortcomings, Iron Mountain found that most firms are trying to improve their standing, with 61 percent of those surveyed reporting that they are committed to enterprise-wide records management and in the process of outlining new strategies.
Among the other findings:
-Oversight of records management remains unclear in many organizations:
A vast majority, 73 percent of respondents, said that leadership of their corporate records management programs was "not clearly defined," with many noting that steering committees meant to address the issue have "limited participation from key stakeholders."
Iron Mountain recommends that businesses should establish a senior-level committee to help forward direction and push policies down to rank-and-file workers.
-Records retention is consistent:
Some 81 percent of those interviewed said that they already have a retention schedule to manage records retention as it relates to compliance programs and provides a "blueprint" for all related activities.
Iron Mountain advises that businesses should establish a universal records retention schedule across all of their business units, covering all of their records, regardless of the content's media format.
-Records retrieval is typically accurate and speedy:
Roughly 90 percent of respondents rated their ability to gather records as "effective and accurate."
Iron Mountain said these responses indicate that most companies are satisfied with their ability to retrieve records, and that most organizations appear to understand the basics of record storage, indexing and retrieval.
However, the company contends that organizations should always be looking to improve policies and procedures to speed record recovery.
-Secure destruction practices are inconsistent:
Only 38 percent of the organizations surveyed reported that they already have a uniform set of policies in place for the disposal of confidential information, despite many government and industry regulations that require businesses to do so.
Iron Mountain advises that companies should be more consistent, launching comprehensive, organization-wide plans for destruction of both active and inactive records.
Companies that participated in the benchmark study can use the results to educate key stakeholders and decision makers in their organization to make improvements to their records management program.
"The good news is that most companies are realizing that they're way under-prepared and that they need to do more than what they're doing currently," said McDaniel. "But most companies do not know where data is and that's part of the early homework; it's very challenging for companies to get arms around this problem, but our advice is to take it one-step-at-a-time and build a multi-year plan."
Posted by Matt Hines on October 8, 2007 12:42 PM