17799 security standard and document retention
There has been a lot of talk recently in the media about the need for proper electronic document retention. The ECT act introduced the principle that electronic documents have equal value in law to any other documents, this has resulted in it now being important to know which documents to save and what can be safely deleted. This is not a simple question to answer, and many business people especially have found that they get very conflicting answers to this question. There are some who advocate deleting everything so that they will be less problems should litigation occur, while there are others who argue quite the contrary that this could prejudice one and furthermore that this could lead to the situation of breaking the law in terms of legal requirements to store documents.
Short answer to this question is that it depends entirely upon a number of different factors, the nature of the business in question, the type of information being electronically stored, as well as many other factors. One good solution is to look towards the 17799 information security management standard. The standard, which is a South African National standard as well as an international ISO standard, can well prove to be a very good starting point for answering these questions.
The standard relies upon understanding what information assets your business has, and having created in information assets register, is then based upon the risk assessment done on these information assets. By understanding what information in assets a business has, and classifying these assets this can be the starting point of the document retention policy implementation program. Because the standard relies upon understanding these assets and classifying them, these guidelines can likewise be used as the starting point of the document retention policy within the business.
The standard outlines broad principles and control objects for information security, which individual companies can choose to subscribe to depending upon the risk analysis performed and the level of risk of that the business is prepared to accept. Because of this implementing the standard does not have to be extremely difficult, but its implementation can be tailored to the specific needs of each individual business. Even if the company does not wish to go the whole 9 yards and become certified under the standard, by using the standard as the level of best practice, and implementing all security and elaw related actions in compliance to the standard, this can be seen as proactive management best practice and can be sure to be a major contributor towards corporate good governance in this regard.
The controls of the standard also give a number of important pointers towards good document retention policy. For example:
A.5.1 accountability for organisational assets, which also includes controls for information classification guidelines and information handling and labelling.
A 12 l compliance with legal requirements, including dart protection intellectual property and so forth
A 8 6 media handling and security controlling movable media and disposal of such,
A 12 collection of electronic evidence
The second question that must come to mind with electronic recordkeeping, is this stored correctly to be electronic evidence when necessary? In this regard using the 17799 standard can be an enormous asset to the business. By showing that electronic records have been kept securely, and that there is little risk that they have been tampered with all changed, the key criteria for darter acceptance as evidence, data confidentiality, data integrity and data availability can be seen to be complied to. In legal terms showing that the data has been stored accessed and retrieved in compliance to an object of international standard and must be compelling evidence to any court that such records must be acceptable in terms of the ECT act.
So by using the ISO/SANS 17799 information security management standard as a guide for best practice, a business will be able to implement an electronic document retention policy, and be sure that in doing so it is complying to best practice. Not only that but compliance in this regard is a very good tool for reducing the electronic Law risks that a business faces. So before spending even more on data backup systems, and other expensive technological solutions, it is best the business take stock of its position, and examined critically what records it needs to retain and what does not need. Those it needs to retain it needs to do so in a secure manner that can be used legally if necessary, while destroying those that create risks to the business without benefiting it. By using a standard such as the 17799 these questions can be answered and the required steps be taken all within an objective code of practice that is evidence of best practice and corporate good governance in this regard.
31 Mar 2006
This article is intended to provide general guidance and does not constitute professional advice relating to specific instances. Should you wish to place any reliance on the information presented in this article we strongly advise that you consult your legal advisor or the Electronic Law Consultancy - firstname.lastname@example.org