Policies - Ready to Download and Customize
Documenting a clear set of IT policies is a resource-intensive process for CIOs and their managers because of the research and writing time involved. And once policies are created, the next step is to communicate them and gain acceptance for them throughout the organization. Wouldn't it be nice to start with boilerplate templates that require only minor customization?
All of the policies provided here are contained within one or more of the templates on this site. They have also been added as individual documents in Word format (Word 2007) for those clients who need only a particular policy. All policies are Sarbanes-Oxley, HIPAA, COBIT, and ISO compliant.
You can get all of the policies at a significant discount. When you order the CIO Infrastructure policy bundle you get:
- CIO IT Infrastructure Policy PDF (all of the policies below, which come as individual MS Word files, combined in a single PDF)
- Backup and Backup Retention Policy
- Blog and Personal Web Site Policy
- Disaster Recovery Electronic Forms
- Electronic Communications, e-Mail, Internet, Social Networking, Mobile Device, and Record Retention Policy
- Incident Communication Plan Policy
- IT Infrastructure Electronic Forms
- Mobile Device Access and Use Policy
- Outsourcing Policy
- Patch Management
- Record Management, Retention, and Destruction Policy
- Sensitive Information Policy (HIPAA Compliant)
- Service Level Agreement (SLA) Policy Template with Metrics
- Social Networking Policy
- Telecommuting Policy
- Travel and Off-Site Meeting Policy
Record Management, Retention, and Destruction Policy
A record is essentially any material that contains information about your company’s plans, results, policies or performance. In other words, anything about your company that can be represented with words or numbers can be considered a business record – and you are now expected to retain and manage every one of those records, for several years or even permanently depending on the nature of the information. The need to manage potentially millions of records each year creates many new challenges for your business, and especially for your IT managers who must come up with rock-solid solutions to securely store and manage all this data.
The Record Management, Retention, and Destruction Policy is a detailed policy template which can be used on day one to create a records management process. Included with the policy are forms for establishing the record retention and destruction schedule and a full job description, with responsibilities, for the Manager of Records Administration.
The areas included with this policy template are:
- Record retention requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
- Policy
- Standard
- Scope
- Responsibilities
- Record Management
- Compliance and Enforcement
- Email Retention and Compliance
- Job Description Manager Record Administrator
- 12 forms for Record Retention and Disposition Schedule
You can download the Table of Contents and selected pages for this policy template.
Backup and Backup Retention Policy
The Backup and Backup Retention policy is an 11 page sample policy that is a complete policy which can be implemented immediately.
The document is provided in both Word 2003 and Word 2007 formats and is easily modified. This policy is also included in the Disaster Recovery / Business Continuity Template.
Below is a table from the policy.
| Type of Data | Minimal Backup Policy | Backup Retention Policy |
| --- | --- | --- |
| System software | Latest version plus patches | Annual (verified) backup |
| Application software | Latest version plus patches | Annual (verified) backup |
| System data | Daily | Annual (verified) backup |
| Application data | Daily, with real-time transaction files | Annual (verified) backup |
| Software licenses, encryption keys, and protocol data | Weekly | Annual (verified) backup |
Typical data disasters that occur, and that should be considered when implementing a backup and retention policy, are:
- Pulling the wrong drive. While trying to replace a failed disk in a RAID array, a healthy disk is accidentally removed.
- Reformatting a disk. During a server migration, the wrong SAN LUN is accidentally reformatted.
- Restoring corrupt or old backup data. A server containing a business-critical database is deleted by mistake and is restored from a corrupt or incomplete backup before anyone realizes the backup is not sound.
- Rebuilding a bad array. Following a multiple-drive failure in a RAID array, an attempt is made to force the failed drives back online and rebuild the configuration, thereby damaging or corrupting the data on the array.
- Deleting data. Files, volumes, virtual machines, or a SAN LUN are deleted by accident and there is no backup, or the backup is old or corrupt.
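The table and the disaster list above describe two controls that can be checked mechanically: that every data class has a backup no older than the policy allows, and that the "annual (verified)" backup really does verify, so that a corrupt image is never the one restored. The following is an added example, not code from the policy template: it runs those checks over a small, constructed backup catalogue (the data-class names, dates, and the SHA-256 manifest are all assumptions made for the example) and refuses a restore from an image whose checksum no longer matches its manifest.

```python
"""Backup policy compliance check over a constructed backup catalogue.

Added example, not part of the policy template. The data classes mirror
the rows of the policy table; the catalogue entries, dates and checksums
below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

# Maximum age (days) of the most recent backup per data class, taken from
# the "Minimal Backup Policy" column: daily = 1, weekly = 7. Software rows
# say "latest version plus patches"; that is modelled here as an assumed
# 365-day limit because the table gives no interval for them.
POLICY_MAX_AGE_DAYS = {
    "system_software": 365,
    "application_software": 365,
    "system_data": 1,
    "application_data": 1,
    "licenses_keys_protocol": 7,
}


@dataclass
class Backup:
    data_class: str
    taken: date
    payload: bytes            # stands in for the stored backup image
    manifest_sha256: str      # checksum recorded when the backup was taken
    verified_annual: bool = False   # flagged as the annual retention copy


def verify(b: Backup) -> bool:
    """True only when the stored image still matches its manifest checksum."""
    return hashlib.sha256(b.payload).hexdigest() == b.manifest_sha256


def check_policy(catalog: list[Backup], today: date) -> dict[str, list[str]]:
    """Return policy findings per data class; an empty list means compliant."""
    findings: dict[str, list[str]] = {k: [] for k in POLICY_MAX_AGE_DAYS}
    for cls, max_age in POLICY_MAX_AGE_DAYS.items():
        entries = [b for b in catalog if b.data_class == cls]
        if not entries:
            findings[cls].append("no backup on record")
            continue
        newest = max(entries, key=lambda b: b.taken)
        age = (today - newest.taken).days
        if age > max_age:
            findings[cls].append(f"latest backup is {age} days old, limit {max_age}")
        # Retention column: a verified annual copy must exist within the last year,
        # and "verified" means the image is re-checked now, not just flagged.
        annual_ok = any(
            b.verified_annual and verify(b) and (today - b.taken).days <= 365
            for b in entries
        )
        if not annual_ok:
            findings[cls].append("no verified annual backup within the last year")
    return findings


def restore(b: Backup) -> bytes:
    """Refuse an unverifiable image up front rather than discovering it after restore."""
    if not verify(b):
        raise ValueError(f"{b.data_class} backup of {b.taken} fails checksum; refusing restore")
    return b.payload


def make(cls: str, taken: date, payload: bytes, annual: bool = False,
         corrupt: bool = False) -> Backup:
    """Build a catalogue entry; corrupt=True simulates bit rot after the manifest was written."""
    digest = hashlib.sha256(payload).hexdigest()
    stored = payload + b"\x00" if corrupt else payload
    return Backup(cls, taken, stored, digest, annual)


TODAY = date(2024, 3, 1)   # assumed "current" date for the example

# Constructed catalogue: compliant software and system data, stale application
# data whose annual copy has rotted, and no backup at all for keys and licenses.
SAMPLE_CATALOG = [
    make("system_software", date(2024, 2, 1), b"os-image-v12.3", annual=True),
    make("application_software", date(2023, 12, 15), b"app-build-4.8.1", annual=True),
    make("system_data", date(2024, 2, 29), b"sysdata-2024-02-29"),
    make("system_data", date(2023, 6, 1), b"sysdata-annual-2023", annual=True),
    make("application_data", date(2024, 2, 27), b"appdata-2024-02-27"),
    make("application_data", date(2023, 5, 1), b"appdata-annual-2023", annual=True, corrupt=True),
]


def run() -> dict[str, list[str]]:
    return check_policy(SAMPLE_CATALOG, TODAY)


if __name__ == "__main__":
    for cls, issues in run().items():
        print(cls, "OK" if not issues else "; ".join(issues))
```

Run as a script it prints one line per data class. Note that the annual copy for application data is flagged `verified_annual=True` in the catalogue yet still fails, because `check_policy` recomputes the checksum instead of trusting the flag; that is the difference between a backup that was verified once and one that is verified.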
Blog and Personal Web Site Policy Template - Blog Policy, Procedures and Guidelines
With the advent of blogs, there is a need to set rules of the road for the use of blogs by employees, contractors, agents, suppliers and others. This sample blog policy template contains specific policy statements on what can and cannot be done via blogs. It defines 13 specific guidelines for personal web sites and blogs, both those hosted on your enterprise's domains and those on domains outside your enterprise's control.
The policy template comes in Word format and can easily be modified to meet the specific requirements of an enterprise of any size.
Internet, E Mail, Mobile Device, Electronic Communication, and Record Retention Policy
This policy is compliant with SOX, HIPAA, the Patriot Act, and sensitive-information legislation, and covers:
- Appropriate Use of Equipment
- Mobile Devices
- Internet Access
- Electronic Mail
- Retention of Email on Personal
- E-mail and Business Records
- Copyrighted Materials
- Banned Activities
- Ownership of Information
- Security
- Sarbanes-Oxley
- Abuse
Included are these ready-to-use forms:
- Internet & Electronic Communication Employee Acknowledgement
- E-Mail - Employee Acknowledgement
- Internet Use Approval Form
- Internet Access Request Form
- Security Access Application Form
Sensitive Information Policy
The Sensitive Information Policy defines how to treat credit card, Social Security, employee, and customer data. The policy is 15 pages in length and complies with Sarbanes-Oxley Section 404.
The policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
Travel and Off-Site Meeting Policy
Protection of data and software is often complicated by the fact that they can be accessed from remote locations. As individuals travel and attend off-site meetings with other employees, contractors, suppliers and customers, data and software can be compromised. This policy is four pages in length and covers:
- Data and application security
- Minimize attention
- Shared public resources
- Off-site meeting special considerations
Things you need to do to make an off-site meeting successful:
- Set clear objectives. The worst mistake you can make is neglecting to set key objectives for your off-site meeting, just because you want everyone to “relax.” Nothing will get accomplished, and you’ll end up with a group of bored, frustrated employees who will resent you for not respecting their time.
- Choosing the right meeting site
Remember that an off-site meeting is meant to “shake things up.” If your office is located in a busy downtown area, don’t hold your meeting in another crowded urban location. Choose a site that provides employees with a new experience. If you work in the city, take them somewhere rural and relaxing; if your office is located in the suburbs, employees might enjoy a trip to a bustling city center.
- Schedule just enough to be accomplished
Don’t hold your employees hostage at the meeting site by trying to accomplish too much in one day. Make sure the meeting doesn’t cut into people’s evening activities or family time. You can’t solve the entire year’s problems with one daylong retreat, so don’t even try. However, if the off-site meeting encompasses two days, the evening between can be a good time for a fun activity.
- Publish an agenda beforehand
Be careful not to mislead your employees with promises of relaxing outdoor activities, only to transform into a corporate drill sergeant who puts them through a series of grueling trust-building exercises all day. Be clear about your intentions from the start.
- Schedule meetings during normal working hours
Even if you can get a cheaper hotel or convention center rate, it's a bad idea to plan your off-site meeting around weekends or holidays, which will make attendance a hardship for your employees. Also avoid days when there might be other important things going on within your company.
- Hold the meeting at a site where you can work
When booking your site, inquire what other events or company meetings might be scheduled for the same day. You don’t want the distractions of a raucous wedding party or other large group sharing your space or causing delays in the dining room.
- Have time to interact
Don’t turn the day into a PowerPoint marathon or fill it with endless speeches by the boss. The energy will be sucked right out of the room in no time. Keep the day active and engaging, with opportunities for all employees to participate.
- Have good speakers
When considering guest speakers for your event, be certain they have a solid understanding of your company — and not just from the CEO’s lofty perspective. Choose someone interesting who will hold people’s attention in a way that's clearly relevant to the meeting's purpose.
- Have limited and focused activities
While they can sometimes be fun, don’t overdo the trust-building, ice-breaking activities. Make sure they are well thought out and actually enjoyable. If an employee is an effective salesperson, it doesn’t really matter if he or she can’t climb a rope. Never forget that most people would rather be home with their families or out with friends than playing games with their boss.
- After the meeting follow-up
Once the day of the off-site meeting has come and gone, don’t file it away and forget it. Check back in as a group to gauge the benefits of the experience. What has actually changed as a result of the meeting? Have any of the great ideas people came up with that day been implemented? Use the feedback to improve upon next year’s meeting.
Outsourcing Policy
This policy is eighteen pages in length and defines everything that is needed for a function to be outsourced. The policy comes as a Microsoft Word document (Word 2007) that can be modified as needed. The template has been updated to include a HIPAA audit program definition. It covers:
- Outsourcing Management Standard
- Service Level Agreement
- Responsibility
- Outsourcing Policy
- Policy Statement
- Goal
- Approval Standard
- Base Case
- Responsibilities
Note: See the Practical Guide for Outsourcing, a document of over 110 pages, for a more extensive outsourcing process.
Service Level Agreement Policy Template with Sample Metrics
The Service Level Agreement Policy Template is a nine-page policy for a single application. It defines specific SLAs and metrics that are both internally and externally focused. The sample contains over 70 possible metrics, presented graphically in PDF format.
The table of contents for the policy template is as follows.
Service Level Agreement For The Application
- Overview
- Three-Tier Environment
- Service Level Agreement (SLA)
- Internal IT SLAs
- Hardware/Network Maintenance
- Backup and Recovery
- Application Administration
- Application Updates
- External SLA
- IT Obligations
- End User Obligations
- Internal IT SLAs
- Sample Metrics
The sample metrics are provided in PDF format, with a bookmarked outline that classifies the 70 metrics, each of which is depicted graphically.
Telecommuting Policy
Telecommuting is a popular alternative to making the drive in to work every day. If your users are asking about telecommuting, you may find that a telecommuting policy helps make things clear to them.
With the rise of the Internet and the increase in affordable bandwidth came a new type of worker, the telecommuter. Available technologies have allowed some companies to offer certain employees the ability to work from home instead of the office. This can be a benefit not only for the employee but also for the company itself. As more and more employees ask for the ability to telecommute, it is imperative for companies to have a viable telecommuting policy in place.
Telecommuting Policy Template - This policy is 13 pages in length. It contains everything that an enterprise needs to implement a functioning and compliant telecommuting process. Included are forms defining the working environment, in addition to a checklist to validate that the off-site location complies with your safety requirements.
Social Networking Policy
Social networking is going corporate. The popular technology used by millions of people to share ideas and photos on MySpace, Facebook, LinkedIn and others is catching on at companies to improve productivity and communication among workers. Private, internal social networks make sense as companies grapple with a slumping economy that has made travel cost-prohibitive even as workforces are spread out as never before.
With increased adoption of social networks among the public, organizations have begun setting up profiles within social networks as a means to further connect with their audiences. Organizations that have been most successful in these endeavors take time to survey the community and understand its values and rules of engagement. In short, they pay attention to the culture and identify what is accepted before they join. Once they join, the organizations that have had success within social networks remember that this isn’t a place for traditional public relations tactics but a place for engagement. These organizations don’t just talk about themselves; they have real, human-toned conversations with real people.
The issue faced by enterprises of all sizes is ensuring that the right message is being communicated in a consistent manner. The first step in achieving this objective is to have a uniform social network policy.
Incident Communication Plan Policy Template
Now Includes Social Networking as a Media Outlet
To survive an incident such as a business interruption, security breach, or a product recall, organizations need more than a successful communication strategy – they need an incident communication plan.
The overall objectives of an incident communications plan should be established at the outset. The objectives should be agreed upon, well understood, and publicized. For example, will the primary objective of the communications plan be communication only to employees, and only during a disaster? Or is the intent to advise customers of interruptions to service? Or is it for investors and stockholders? Or regulatory agencies? Or is it some combination of these?
Whatever the objectives of the enterprise, they should be shared, supported by executive management, and widely communicated.
The specific objective of this incident communication plan is to define who will provide key communications during a crisis, and the content, recipients, schedule, method of delivery, frequency and priority of each communication. By outlining communications in advance, ENTERPRISE can:
- Limit the effect of a crisis on employees, associates, suppliers and customers,
- Reduce the impact of bad publicity, maintain customer service, bolster relations with vendors, and
- Address the concerns of other key stakeholders.
Mobile Device Access and Use Policy
The purpose of this policy is to define standards, procedures, and restrictions for end users who have specific and authorized business requirements to access enterprise data from a mobile device connected via a wireless or unmanaged network outside of ENTERPRISE’s direct control. This policy applies to, but is not limited to, all devices and media that fit the following device classifications:
- Smartphones / PDAs
- USB applications and data
- Laptop/notebook/tablet computers
- Ultra-mobile PCs (UMPC)
- Mobile/cellular phones
- Home or personal computers used to access enterprise resources
- Any mobile device capable of storing corporate data and connecting to an unmanaged network
The policy applies to any hardware and related software that could be used to access enterprise resources, even if the equipment is not approved, owned, or supplied by ENTERPRISE.
Mobile Device Access and Use Policy Template - This policy is 10 pages in length. It contains everything that an enterprise needs to implement a functioning and compliant mobile device access and use process. Included are forms defining the mobile device environment.