Security pros need help from HR, internal audit and some unusual suspects
In an earlier post, I wrote this, but one of the greatest security advisors of our time (IMHO) added his thoughts.
A CISO at a Fortune 500 telecommunications company in the US said his organization is improving three classes of security activity: prevention, detection and corrective action. In a phone conversation he reminded me that a few years ago, data classification was all the rage. But the point was well taken, he said. We all needed to step back and say, "Wait a minute. What are we really trying to protect here?" One key to success he discovered was asking his legal department for help. "Take a look at the records retention guidelines that legal departments crank out. You'll find an excellent starting point for identifying the most important information in your organization." It is just a start, but it's better than most IT security folks can do by themselves.
[commentator] Law departments, like accounting departments, have their own agenda. Law will tell you to "never save anything!" Their logic is that collecting and saving too many documents, which can bite you in the ass, makes the discovery process in litigation a veritable time bomb—cigarette companies agree!
On the other hand, the lower you are in an organization, the more important the proofs of your operational metrics, accomplishments, and disappointments are, and most of these are documents.
My point is that adequately assessing the risks and creating an effective records retention policy requires "agenda soup"—a combination of perspectives from the Law, Human Resources, Corporate Communications, Accounting, and Audit departments.