Managing Media Storage and Record Retention

Retention of records and storage media is often a legal requirement. This topic looks at the risk that archived data becomes difficult or impossible to access, thereby restricting your organisation's ability to meet its legal obligations.

It is important to be aware of the pitfalls posed by obsolete or redundant storage technologies, which can limit your organisation's ability to access data.


  • Where your primary business records are inadequately stored and safeguarded, they are susceptible to modification, deletion or corruption, thereby destroying the integrity of the contents. This could threaten the organisation's ability to meet any legal / regulatory obligations regarding the retention of records.

  • Identify critical documents and files, and maintain a register of their location and ownership. Consider the register itself a 'secret' document and safeguard it accordingly. See Classifying Information and Data.
  • Store important records in secure and protected offsite locations to reduce the risk of information loss. See Remote Data Stores.

  • You may not be able to read the information stored on 'old' media (e.g. tape cartridges) because your organisation has adopted more modern technologies. This could have serious implications for your organisation.

    N.B. This is a real risk that has yet to be fully quantified. With the accelerating evolution of operating systems, processor technology, and software, it is uncertain which of the late 20th century and early 21st century 'standards' will still be in use in, say, 10 years' time if the need arises to restore pre-2000 data files.

  • Explore the possibility of converting the data files in question to a standard format, e.g. ASCII or RTF.
  • Where conversion is not feasible (e.g. with certain database files), archive a copy of the software together with any documentation to decrease the risk of restoration failure.
  • Recognise that the storage media itself may become obsolete. Accordingly, ensure that you retain both the software and the hardware to read it.
  • Periodically copy the contents of old media onto media that matches your current operating environment. Note, however, that this process is not without risk in itself.

  • The lack of an adequate retention policy for different categories of information may mean that you do not meet regulatory or statutory requirements, and could potentially result in legal action.

  • Identify the different types of information and data files that your organisation processes, such as business, accounting, legal, etc.
  • Decide upon an appropriate record retention strategy for each different category of files.
  • Seek specialist advice regarding specific record types, e.g. financial and accounting records, personnel records etc.
  • Do not forget your obligations under the UK Data Protection Act or the local equivalent.

  • Lack of knowledge of the regulations for the acquisition and use of cryptographic systems may lead to prosecution under a number of countries' laws.

  • Always seek legal advice where cryptography is involved, especially if you need to send information across national borders.
  • Different rules and regulations apply to different countries which means that each instance must be treated individually.
  • Specific licence requirements are best managed via your legal representative.

  • Following expiry of the agreed retention period, the data should be made available for either destruction or for possible further retention, according to business need. However, further retention could contravene Data Protection Act principles.

  • A periodic review of archive material should take place.
  • Any destruction of media should be carried out in a manner which safeguards the confidentiality of the information. See Storing and Handling Classified Information.

  • If encryption has been used to protect sensitive records, and control over the cryptographic keys is reduced, future access to the material may be jeopardised.

  • A robust key-management system must be implemented, the precise details of which will vary depending upon the supplier of your encryption system. See also Public Key Infrastructure.
  • Ensure that at least two staff who work together, and their respective deputies, are trained to create, store, activate, de-activate and destroy keys.
  • Produce an audit log of all key-management activities for review by the Security Officer.
  • Use a fire safe (or equivalent) with dual physical key controls to safeguard the current cryptographic key. Place 'old' keys in a remote store for continued retention.



Use of the guidance contained within RUSecure™ is subject to the End User Licence Agreement