Educause Security Discussion mailing list archives
Re: archiving email
From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Thu, 16 Jul 2009 15:44:01 -0500
If you have Exchange 2007 and the eCAL, you can use the Message Records Management functionality that comes with Exchange to do this. You define managed folders on the server, apply retention policies to them, and then associate those to users individually via managed folder policies. You can also put quotas on the folders, specify that any message dropped in the managed folder is to be journaled elsewhere (e.g. perhaps a long term archiving tool), and define the behavior when the retention policy expires (if ever).

Outlook 2007 and OWA are able to show the managed folders as well as their settings to the client. It's up to the end user to do the actual classification of the messages though. If you wanted to do this automatically you'd still need an additional tool from another vendor.

I pasted a screenshot below from Outlook showing one I just made:

Thanks,
Brian Desmond
brian.desmond () morantechnology com
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen
Sent: Thursday, July 16, 2009 3:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] archiving email

I am curious about this as well since I've been looking at this again recently. I looked at several school policies that are available via Google: "site:.edu email retention policy"

In general what I saw were retention periods ranging from 180 days to 4 years. Public institutions had the longer periods as they sometimes had state public records retention requirements. Seemed like the private institutions favored the shorter retention periods. A few sites broke their email down into classifications such as administrative, fiscal, general, or ephemeral.

The other part I was interested in was the mechanism for retention. In the cases I saw, the user is expected to manually implement the retention of the documents, usually by archiving documents, printing documents, or sending them to a retention email address. I didn't see any indication that schools were implementing systems to automatically retain all records for a period of time (I saw one or two schools that seemed to be automatically deleting anything not archived after the retention period) or based on other criteria such as keywords.

To me it seems like relying on users to archive messages that may be relevant for litigation may be a weak spot in a retention plan. Once notice of legal action is received this seems easier to deal with, and I've seen a few response plans indicate the need to image/copy machines, email, etc. when notice is received. Is the manual nature of retention a concern that others have with their email retention policies?

The other part I wondered about is, once a document is archived or printed, what is the retention period for those documents? I didn't see any indication of how that's being handled. I know that here, when people archive an email message, it's probably going to stay in the archive forever or until their storage is full. In my mind that would violate a records retention policy that states email should only be kept for X days or years when some of it is archived and kept for longer than the retention period.

Anyone have any advice on these issues?

Thanks,
Zach Jansen

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

On 7/16/2009 at 10:29 AM, in message <66CA77B6F1A6AE44B6EC941464FFB31C611A481C8E () EXCHCLUSTER scc stchas edu>, Barbara Keim <bkeim () STCHAS EDU> wrote:
We are developing a policy related to archiving college email
including how long to store the information in case it is needed in
the future for a legal discovery process.
Could you please share samples of your policies including how long you
are saving emails.
Thank you.
Best regards,
Barbara Keim, Ph.D.
VP Technology, Research, and Planning St. Charles Community College
St. Peters, MO 63011
636-922-8573
Please consider the environment before printing this e-mail.