Educause Security Discussion mailing list archives
Re: Email Archiving/Enterprise Information Archiving
From: Chris Boniforti <CBoniforti () LYNN EDU>
Date: Thu, 22 Jul 2010 11:01:19 -0400
We are implementing Vault this Summer/Fall. Taking a phased approach, the IT department has been using it for about 2 months with very few complaints. We decided to archive all emails for everyone after 90 days and then delete the archive based on year-based groups; for example, we have 1, 3, 5, 7 and 10 year groups. Email is accessible the same way, just stored off Exchange once archived. To the user there is no difference between non-archived email and archived.

The IT department is in the 3 year group, meaning all emails are kept for 90 days and then archived for three years. After three years and 90 days emails are deleted automatically. We are planning to consult with all departments to see which yearly group they fit best. Some special users will also have access to a "Never Delete Folder" (this is granted by the Legal office and not IT).

We also are importing all personal folders and migrating them into the inbox. (The product does this quite nicely.) The nice thing with this is that it now makes personal folders available through OWA and SmartPhones.

The product is a bit pricey but worth it. It has the ability to take on Files/SharePoint... not doing this yet... I am pretty sure it's a separate and not cheap addition.

Thanks,
Chris Boniforti
CIO - Lynn University

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly [Ken.Connelly () UNI EDU]
Sent: Thursday, July 22, 2010 10:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Email Archiving/Enterprise Information Archiving

If you're an Exchange shop, I believe that Symantec has a product, Vault, to help with this. I don't think it could be classified as "cheap" though. I'm not a vendor, nor a (Vault) customer, but I'm aware of the product. YMMV.

- ken

Jesse Thompson wrote:
I don't think that you are wrong, but there is a strong head wind.

It costs less to store all messages indefinitely than it costs to have each employee spend the time cleaning and organizing their mailboxes. Then consider the administrative cost involved with coercing/reminding staff into cleaning mailboxes. Then there is the cost in recovering important purged messages that were not saved due to [insert reason here]. Multiply this by thousands of employees, and e-discovery lawyers start to look cheap.

Costs aside. People are just plain lazy, or they are pack rats. I'm one of them. Didn't someone prove that the people with the messiest desks are the most productive? Is it too far of a stretch to reason that a clean-email policy might make your organization less productive?

Perhaps your idea might work if there was an intermediate stage where mail was automagically moved to a place where the messages were still easily accessible (and recoverable by the employee) for an extended period of time before they are purged. Although, I'm not sure if this would solve your e-discovery woes.

Jesse Thompson (an email admin)
University of Wisconsin-Madison

On 07/21/2010 04:27 PM, Clifford Collins wrote:

We are in the midst of sorting out what to do with e-mail and other sensitive documents in terms of data retention and destruction. I am interested in knowing why you permit folks to keep e-mail indefinitely. It sounds like an e-discovery nightmare and mis-application of e-mail.

Let me give you my context. If you were still dealing with U.S. postal mail then would people be leaving the original correspondence folded back in their envelopes, stored in cartons with labels like "vendors" or "personal" on them, sitting on their desk? Probably not. They would file them in folders in a personal or departmental filing cabinet (you remember the rows of filing cabinets) or just throw them away (or maybe shred them).
As the filing cabinets begin to bulge with documents the staff would periodically be forced to clean them out (perhaps according to some retention policy).

Because we allow the bad habit of not saving important correspondence in a folder on our departmental share where it belongs but, instead, leave it in a folder in our e-mail, our mail system has become our personal and departmental filing cabinet. After all, it is too easy to just leave it there instead of putting it where the department can find it! And thus e-mail accounts bloat with stuff that doesn't get purged. And when we reach our storage quota (the filing cabinets are full) we beg for more space because disks are cheap! And our legal counsel gets heartburn!

Wouldn't it be better to require people to save important documents to the departmental or personal share they are assigned and automagically expunge all messages that are more than six months old? That way, people are forced to decide whether to keep it. Otherwise, it will be trashed according to the University's retention and destruction schedule. Also, the departmental data steward has to periodically review what is in the departmental share and expunge useless or expired information that might violate that same policy and possibly become fodder for an e-discovery. No different from clearing out old stuff from the physical filing cabinets.

Sorry for the flow of consciousness. We had a close brush with e-discovery a while back and woke up to the cost of diverting our IT department to the arduous task of restoring EVERYTHING from years back and finding every message that pertained to the subject of the litigation. Big $$$$$$!! and stopping everything else in IT for several weeks or even months!

We began to question whether backups should be "ooops protection" for the careless staff member or should exist for disaster recovery only and merely go back two major backup sets (fulls and incrementals).
This way staff are responsible for taking the "correspondence" they receive out of the "envelope" (the e-mail system) and filing it in the appropriate "filing cabinet" (shared drive). The shares get backed up regularly and can be restored if something important got deleted but would involve the data steward (and a little bit of grief for the user) as it should.

Going back to the USPS analogy, imagine the look you would get from your postal carrier if you asked him to give you a backup copy of a letter he delivered two days ago! Why do we expect this of our e-mail services? And think of the savings in backups!

I don't know. Am I making any sense? We've allowed people to embrace the wrong analogy with the way they use e-mail. It is a message delivery mechanism and not a document storage mechanism (despite the tools they find in the mail software). We need to retrain folks to file important stuff in the right place and not leave "boxes of mail" in their opened envelopes sitting around on our desks (perhaps a poor analogy) waiting for one to accidentally slide into the trash or worse, get discovered by a litigant's lawyer who relishes e-mail pack rats.

If I am wrong then somebody set me straight or put me out of my misery!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"

----- Original Message -----
From: "Patrick Feehan" <Patrick.Feehan () MONTGOMERYCOLLEGE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Wednesday, July 21, 2010 4:22:52 PM GMT -05:00 US/Canada Eastern
Subject: [SECURITY] Email Archiving/Enterprise Information Archiving

We are in the process of evaluating an e-mail archiving solution for Montgomery College. Our initial reason to consider e-mail archiving was to meet the storage challenge and email retention issues. We use Exchange, Outlook, and Outlook Web Access.
We note, in the process, that Gartner is retiring the E-Mail Active Archiving Magic Quadrant and replacing it with a new Magic Quadrant for Enterprise Information Archiving. Is the concept of email archiving as a siloed activity already past its prime?

Have any of your schools using Exchange implemented an e-mail archiving solution? If so, did you look for a tool that goes beyond e-mail to assist with e-discovery, legal holds, SharePoint files, electronic information archiving, records management policies, etc? If yes, which features/capabilities did you decide were important? Was ability to grow into enterprise information archiving important to you?

Thanks in advance for any thoughts you can offer.

Patrick J. Feehan JD, CIPP
Director of IT Privacy & Cybersecurity Compliance
Montgomery College
(240) 567-3087
patrick.feehan () montgomerycollege edu
--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373