Re: archiving email

[Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>]

If you have Exchange 2007 and the eCAL, you can use the Message Records
Management functionality that comes with Exchange to do this. You define
managed folders on the server, apply retention policies to them, and then
associate those to users individually via managed folder policies. You can
also put quotas on the folders, specify that any message dropped in the
managed folder is to be journaled elsewhere (e.g. perhaps a long term
archiving tool), and define the behavior when the retention policy expires
(if ever).



Outlook 2007 and OWA are able to show the managed folders as well as their
settings to the client. It's up to the end user to do the actual
classification of the messages though. If you wanted to do this
automatically you'd still need an additional tool from another vendor. I
pasted a screenshot below from Outlook showing one I just made:







Thanks,

Brian Desmond

brian.desmond () morantechnology com



c - 312.731.3132



Active Directory, 4th Ed - http://www.briandesmond.com/ad4/

Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian





-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen
Sent: Thursday, July 16, 2009 3:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] archiving email



I am curious about this as well since I've been looking at this again
recently. I looked at several school policies that are available via google:
"site:.edu email retention policy"



In general what I saw were retention periods ranging from 180 days to 4
years. Public institutions had the longer periods as they sometimes had
state public records retention requirements. Seemed like the private
institutions favored the shorter retention periods. A few sites broke their
email down into classifications such as administrative, fiscal, general, or
ephemeral



The other part I was interested in was the mechanism for retention. In the
cases I saw, the user is expected to manually implement the retention of the
documents, usually by archiving documents, printing documents, or sending
them to a retention email address. I didn't see any indication that schools
were implementing systems to automatically retain all records for a period
of time (I saw one or two schools that seemed to be automatically deleting
anything not archived after the retention period) or based on other criteria
such as keywords. To me it seems like relying on users to archive messages
that may be relevant for litigation may be a weak spot in a retention plan.
Once notice of legal action is received this seems easier to deal with, and
I've seen a few response plans indicate the need to image/copy machines,
email, etc when notice is received. Is the manual nature of retention a
concern that others have with their email retention policies?



The other part I wondered about is, once a document is archived or printed,
what is the retention period for those documents? I didn't see any
indication of how that's being handled. I know that here, when people
archive an email message, it's probably going to stay in the archive forever
or until their storage is full. In my mind that would violate a records
retention policy that states email should only be kept for X days or years
when some of it is archived and kept for longer than the retention period.



Anyone have any advice on these issues?



Thanks,



Zach Jansen





--



Zach Jansen

Information Security Officer

Calvin College

Phone: 616.526.6776

Fax: 616.526.8550



> > > On 7/16/2009 at 10:29 AM, in message

<
<mailto:66CA77B6F1A6AE44B6EC941464FFB31C611A481C8E () EXCHCLUSTER scc stchas ed
u> 66CA77B6F1A6AE44B6EC941464FFB31C611A481C8E () EXCHCLUSTER scc stchas edu>,

Barbara Keim < <mailto:bkeim () STCHAS EDU> bkeim () STCHAS EDU> wrote:

> We are developing a policy related to archiving college email

> including how long to store the information in case it is needed in

> the future for a legal discovery process.

>

> Could you please share samples of your policies including how long you

> are saving emails.

>

> Thank you.

>

> Best regards,

>

>

> Barbara Keim, Ph.D.

> VP  Technology, Research, and Planning St. Charles Community College

> St. Peters, MO  63011

> 636-922-8573

>

>

> P Please consider the environment before printing this e-mail.