Another post from our Reshaping Information Security MarketInsight study.  This section covers the topic of email archiving and retention – something all companies regardless of industry are struggling with both from a records management and compliance perspective.  This part of the discussion pointed to the need to separate high-value from low-value email correspondence prior to archival and do so in a way that was practical, auditable, and accurate. 

Archiving & Retention

One area that was consistently at the top of the list interest-wise was the topic of email archiving and retention.  There was a great deal of variance in both policy and clarity as it relates to what a company should be doing.  One participant’s company policy is to not get rid of email….ever.  They have records dating back to 1991 in various formats and locations.

There was general agreement that email is used as a document storage system and that any limitation on the size of an inbox or the amount of time an email record is stored creates angst and negative feedback from the user community.  In fact, one company was struggling with a mandated 7 day retention policy after which email was deleted as a way to mitigate litigation risk, but the company used it for order that normally ran 3-4 months in lead time and all subsequent purchasing negotiations.  In this case email stopped being “transitory” business communication and was a primary generator of business records – although the line between the two is very gray.  One recurring them was to have a defensible policy in place that is consistent and does not change as a result of or during a possible inquiry or investigation.  Also, you must go with the strongest/most restrictive rule that applies to you as a starting point for retention.

Several firms placed a 90 day delete policy on the Inbox so that if the user wanted to keep a copy or if it was a formal business record, they were responsible for moving it (a managed folders approach).  The downside to this is that the user must make the retention decisions.  Yet another company sponsored “spring cleaning” exercises as a way to clean out old emails and paper content that was no longer needed.

Attempts to utilize public folders have proven fruitless and overall email storage is out of control with volumes continually increasing.  Trying to implement a classification schema is difficult because without automation, the end-user is left to make the decision.  In fact, one participant compared any attempts to reduce folder sizes to squeezing a balloon on one end – all the air just goes to the other side.  So limiting mailbox sizes merely increases .pst file sizes and nothing gets deleted, just moved.

Even though storage is deemed to be “cheap”, the costs of maintaining and managing it are not so unlimited storage is not an alternative.  Even duplication can create serious headaches as the same emails are stored over and over again.  Categorization technology that promises to “auto-magically” organize email into the buckets you want is “just not there yet.”