Educause Security Discussion mailing list archives

Re: Email Archiving/Enterprise Information Archiving


From: Clifford Collins <collinsc () FRANKLIN EDU>
Date: Wed, 21 Jul 2010 17:27:04 -0400

We are in the midst of sorting out what to do with e-mail and other sensitive documents in terms of data retention and 
destruction. I am interested in knowing why you permit folks to keep e-mail indefinitely. It sounds like an e-discovery 
nightmare and mis-application of e-mail. 

Let me give you my context. If you were still dealing with U.S. postal mail then would people be leaving the original 
correspondence folded back in their envelopes, stored in cartons with labels like "vendors" or "personal" on them, 
sitting on their desk? Probably not. They would file them in folders in a personal or departmental filing cabinet (you 
remember the rows of filing cabinets) or just throw them away (or maybe shred them). As the filing cabinets begin to 
bulge with documents the staff would periodically be forced to clean them out (perhaps according to some retention 
policy). 

Because we allow the bad habit of not saving important correspondence in a folder on our departmental share where it 
belongs but, instead, leave it in a folder in our e-mail, our mail system has become our personal and departmental 
filing cabinet. After all, it is too easy to just leave it there instead of putting it where the department can find 
it! And thus e-mail accounts bloat with stuff that doesn't get purged. And when we reach our storage quota (the filing 
cabinets are full) we beg for more space because disks are cheap! And our legal counsel gets heartburn! 

Wouldn't it be better to require people to save important documents to the departmental or personal share they are 
assigned and automagically expunge all messages that are more than six months old? That way, people are forced to 
decide whether to keep it. Otherwise, it will be trashed according to the University's retention and destruction 
schedule. Also, the departmental data steward has to periodically review what is in the departmental share and expunge 
useless or expired information that might violate that same policy and possibly become fodder for an e-discovery. No 
different from clearing out old stuff from the physical filing cabinets. 

Sorry for the flow of consciousness. We had a close brush with e-discovery a while back and woke up to the cost of 
diverting our IT department to the arduous task of restoring EVERYTHING from years back and finding every message that 
pertained to the subject of the litigation. Big $$$$$$!! and stopping everything else in IT for several weeks or even 
months! We began to question whether backups should be "ooops protection" for the careless staff member or should exist 
for disaster recovery only and merely go back two major backup sets (fulls and incrementals). This way staff are 
responsible for taking the "correspondence" they receive out of the "envelope" (the e-mail system) and filing it in the 
appropriate "filing cabinet" (shared drive). The shares get backed up regularly and can be restored if something 
important got deleted but would involve the data steward (and a little bit of grief for the user) as it should. Going 
back to the USPS analogy, imagine the look you would get from your postal carrier if you asked him to give you a backup 
copy of a letter he delivered two days ago! Why do we expect this of our e-mail services? And think of the savings in 
backups! 

I don't know. Am I making any sense? We've allowed people to embrace the wrong analogy with the way they use e-mail. It 
is a message delivery mechanism and not a document storage mechanism (despite the tools they find in the mail 
software). We need to retrain folks to file important stuff in the right place and not leave "boxes of mail" in their 
opened envelopes sitting around on our desks (perhaps a poor analogy) waiting for one to accidentally slide into the 
trash or worse, get discovered by a litigant's lawyer who relishes e-mail pack rats. 

If I am wrong then somebody set me straight or put me out of my misery! 

Clifford A. Collins 
Information Security Officer 
Franklin University 
201 South Grant Avenue 
Columbus, Ohio 43215 
"Security is a process, not a product" 

----- Original Message ----- 
From: "Patrick Feehan" <Patrick.Feehan () MONTGOMERYCOLLEGE EDU> 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Sent: Wednesday, July 21, 2010 4:22:52 PM GMT -05:00 US/Canada Eastern 
Subject: [SECURITY] Email Archiving/Enterprise Information Archiving 




We are in the process of evaluating an e-mail archiving solution for Montgomery College. Our initial reason to consider 
e-mail archiving was to meet the storage challenge and email retention issues. We use Exchange, Outlook, and Outlook 
Web Access. 



We note, in the process, that Gartner is retiring the E-Mail Active Archiving Magic Quadrant and replacing it with a 
new Magic Quadrant for Enterprise Information Archiving. Is the concept of email archiving as a siloed activity already 
past its prime? 



Have any of your schools using Exchange implemented an e-mail archiving solution? If so, did you look for a tool that 
goes beyond e-mail to assist with e-discovery, legal holds, SharePoint files, electronic information archiving, records 
management policies, etc? If yes, which features/capabilities did you decide were important? 



Was ability to grow into enterprise information archiving important to you? 



Thanks in advance for any thoughts you can offer. 







Patrick J. Feehan JD, CIPP 
Director of IT Privacy & Cybersecurity Compliance 
Montgomery College 
(240) 567-3087 
patrick.feehan () montgomerycollege edu
