What Qualifies Defining An Email-archiving Email Policy


SearchExchange.com
Email archiving: Planning, policies and product selection

Chapter 2: Defining an email-archiving policy
Implement and enforce how users manage and retain their electronic messages with a comprehensive policy on email archiving.

Inside:
What is the purpose of an email-archiving policy?
What qualifies as acceptable use?
Email management and retention
Staff roles and responsibilities

By Kathryn Hilton

Questionable email deletions continue to grab headlines as well as the attention of courts and litigators. Because of the uncertainty that still surrounds the use of email, it’s absolutely necessary in today’s business environment to define, implement and enforce an email-archiving policy.

Forty-three percent of corporations have an email retention policy in place, but only 12% use an archiving tool to manage retention and policy compliance, according to Osterman Research Inc., a market research firm based in Black Diamond, Wash. Many businesses still operate under the misconception that backing up their data constitutes an archive. Many also rely on the risky assumption that users correctly manage and save their own business records. Without set policies and procedures for archiving email, businesses face risks and penalties that can be severe.

Defining and archiving email business records is one of the most important policy concerns for any company that is subject to regulatory compliance requirements and e-discovery.

What is the purpose of an email-archiving policy?

The vast majority of information created today is sent and received in electronic format. The estimated number of non-spam email messages sent worldwide on a daily basis is 25 billion, according to Ferris Research, a San Francisco-based research firm that specializes in messaging and collaborative technologies.

The typical number of email messages sent and received by the average business user is 600 per week, said Ferris Research. An email-archiving policy can help control and manage the unending flow of information by addressing regulatory compliance, litigation readiness, productivity issues as well as general business needs.

As mentioned in Chapter 1, developing an email-archiving policy and a successful email-archiving project require a steering committee to represent all the interests of a company. The email-archiving policy should be a component of an overall records management program with its own record-retention policies and procedures that dictate which emails and attachments to save, how long to save them and when to delete them.

In addition, an email-archiving policy should reference and reinforce other corporate policies such as IT policies on acceptable use and security, HR policies relating to code of conduct, and legal policies and procedures regarding litigation hold or e-discovery.

When evaluating the scope of an email-archiving policy, companies should consider all users who create, send or receive email messages and attachments in all regions of the world where the company does business. The policy should also include other personnel, such as contractors and consultants. It should also address transactional information, such as email headers, summaries and addresses.

Companies should establish email policies and procedures for users that contain guidelines covering acceptable and unacceptable use of email, data privacy, email management and retention, and penalties for noncompliance.

What qualifies as acceptable use?

All companies should have an official IT acceptable-use policy to provide guidelines for the usage of computer equipment, network resources, applications, Internet systems and email. The email-archiving policy should refer to the acceptable-use policy and expand upon the areas specifically related to email use.

Defining the terms of acceptable use offers guidelines and requirements for personal use, security concerns and confidential information:

Personal Use: Remind users to exercise good judgment for reasonable personal use of email. Incidental or occasional personal use of email for non-business purposes is generally acceptable. Users should know, however, that personal information -- such as personal financial transactions -- could be inadvertently captured in the email archive. Users must understand the implications of this when using email for personal purposes.

Users must also be advised about business communications that are sent over personal email. A 2006 survey by Osterman Research found that more than 16% of employees regularly communicate about business issues using their personal email accounts. Outside of a complete ban on personal email, an acceptable-use policy must encourage users to carbon-copy to their corporate account any personal email containing business information.

Security Concerns: Caution users about security issues. Attachments, for example, may contain viruses or other potentially malicious programs.

Confidential Information: Provide rules for sending confidential information using tools such as encryption software.

The unacceptable-use policy should give users guidelines and requirements prohibiting the following uses of email:
- Sending unsolicited junk mail, advertising or mass mailings
- Using email for any form of harassment, including those that contain any indecent or obscene materials
- Creating or forwarding chain letters or other pyramid schemes
- Sending email with inappropriate content, including content that is discriminatory, defamatory or threatening. Discriminatory content includes references to sex, race, age, disability or religious beliefs

PST Files: The acceptable-use policy should also state whether users can create PST files to store email messages. Some email-archiving products impose quota restrictions to limit mailbox size. These restrictions often force users to create offline PST files to manage and reduce their mailbox size. On the other hand, allowing PST files could create difficulties for e-discovery search-and-collection efforts and may ultimately increase e-discovery costs if the official archive does not include all email.

Data Privacy: Companies must monitor the data-privacy laws within all countries in which they conduct business.

Employers have wide-ranging latitude to monitor and access employee email that is sent or received with or without employee knowledge or consent. The email-archiving policy should clearly tell employees that:
- They should not expect privacy when using company resources for email.
- Any business record, including email, may be subject to discovery proceedings and legal actions.
- Deleted email usually can be recovered and then used in a legal action.


Email management and retention

Companies should decide how to implement and enforce email management and retention. The email-archiving policy must clearly state how and where email records will be managed, protected and retained according to the corporate retention policy and schedule. The options generally include automated email-archiving systems, manual procedures or some mix of manual and electronic systems and processes. Each option has its advantages and disadvantages. Understanding a company’s corporate culture helps determine the correct options as well as the necessary amount of supervision and support.

For manual procedures, include step-by-step email-retention instructions for users. These instructions cover organizing, storing, maintaining, accessing and deleting email. Include user training to ensure policy enforcement. Companies must remember, however, that even with education and training, relying on users to properly identify, manage and retain their own email can drain corporate productivity. If users do not follow directions, the company can face considerable legal risk.

Because of this risk factor, more and more companies are adopting automated products for a consistent, documented and enforceable means of managing email. For an automated email-archiving solution, provide an overview of the hardware and software environment, the location of the email servers, the determination of whether or not a journaling or batch process is being used, and the backup or data-recovery processes that are in place for the archive.

The email-archiving tool can define record-retention periods for email. The amount of flexibility and number of options vary by vendor and product. The tool should document how it assigns retention periods, such as by department, keywords or individual names. Available features and options can include:
- Automatically classifying and archiving email based on content and metadata
- Implementing retention policies based on attachment, message, folder, age, size and keyword
- Avoiding the archiving of junk mail or irrelevant content
- Warning users about flagged items of concern
- Applying transparent end-user management by company, department or user
- Enabling granular retention
- Logically combining criteria to include or exclude information
- Applying different retention standards for different users or folders

An email-archiving policy should explain how it handles exceptions to retention settings. For example, a user may receive an email that should be retained for a long time — a legal contract, for example. An email-archiving policy must provide instructions on how to handle information so it is not automatically deleted during or after the standard retention period. Exceptions can be handled by electronic or manual processes. Email that qualifies as an exception can be electronically moved or saved in a folder on a shared server as long as the data on the server is managed according to a corporate record-retention schedule. Users may also print out emails and file the paper copies.

Staff roles and responsibilities

To ensure compliance, provide managers and users with training and support. Users should understand what a business record is and how to use the email-archiving tool to manage and access their records.

Create an email-archiving policy that defines the roles and responsibilities of users, managers, IT staff, records management staff and the legal department in managing and enforcing the policy:

Employees: Distribute a copy of the policy for all employees, including contractors and consultants, to read and sign. Include an acknowledgement stating that they understand the policy and agree to comply with it.

Managers: Managers must ensure that they and their employees manage email records in accordance with the policy.

IT staff: The IT department supports the email-archiving tool. The IT department also sets the retention and disposition periods within the archiving tool to ensure policy compliance.

Records management staff: The records management staff gives and collects input on changes to the policy. The records management staff also enforces compliance and usually conducts employee and manager training as well.

Legal department staff: The legal department staff reviews and updates the email-archiving policy.

Users must know that violating either legal or company email policies can lead to penalties. Companies, in turn, should create an internal audit process to document and enforce compliance.

Auditing: Make compliance mandatory for all users and include compliance in an internal audit review.

Violations and penalties: Let users know that abusing email policies can lead to corrective actions, including termination of employment.

Establish a procedure for documenting the changes to the email-archiving policy. Include references to other related policies that require updating based on changes to the email-archiving policy.

Review the email-archiving policy annually to ensure compliance with new regulations or changes to any old regulations. Ideally, a review committee evaluates changes and signs off on all approvals. The review committee should include representatives from the legal department, the human resources department, the records management department and the IT department.

Provide an appendix that defines all relevant terms in the policy document. Definitions should include business records, retention periods, transitory records and convenience copies.

Email is an essential business communication tool. A clear, easily understandable policy will help all employees use email appropriately. Defining and archiving email business records should be one of the most important policy concerns for any company that is subject to regulatory compliance requirements and e-discovery. Successful retention and archiving of email has now become a differentiator in both the courtroom and the boardroom.


Additional resources from Symantec

Learn more about Symantec Enterprise Vault
Symantec Enterprise Vault 7.0 provides a software-based intelligent archiving platform that stores, manages and enables discovery of corporate data from email systems, file server environments, instant messaging platforms and content management and collaboration systems.

About the author

Kathryn Hilton has worked in technology for more than 20 years as an industry analyst for Gartner Group and for several large storage companies. Hilton received a bachelor of arts degree in business economics from the University of California, Santa Barbara, and a master’s degree in business administration from the University of Colorado Leeds School of Business. She is currently a senior analyst for policy at Contoural Inc., a provider of business and technology consulting services that focuses on litigation readiness, compliance, information and records management, and data storage strategy.
