Record Management, Retention, and Destruction Policy

CIOs and IT Managers need to be assured that their information and record management program is compliant with government regulations and reflects best practices. This policy addresses all of those concerns. It was just updated and inclues best practices.

A record is essentially any material that contains information about your company’s plans, results, policies or performance. In other words, anything about your company that can be represented with words or numbers can be considered a business record – and you are now expected to retain and manage every one of those records, for several years or even permanently depending on the nature of the information. The need to manage potentially millions of records each year creates many new challenges for your business, and especially for your IT managers who must come up with rock-solid solutions to securely store and manage all this data.

The Record Management, Retention, and Destruction is a detail policy template which can be utilized on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.

Record Retention Requirements

You areas included with this policy template are:

Requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
Policy
Standard
Scope
Best Practices
Responsibilities
Procedures - Forms
Compliance and Enforcement
Email Retention and Compliance
Job Description Manager Record Administrator
12 forms for Record Retention and Disposition Schedule

You can download the Table of Contests and selected pages for this policy template.

Other Individual Policies

All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format (WORD 2003 and WORD 2007) for those clients who just need this particular policy. All policies are Sarbanes-Oxley, HIPAA, and Patriot Act compliant.

Outsourcing Policy

This policy is eighteen page in length and defines everything that is needed for a function to be outsourced. The policy comes as a Microsoft Word document (Word 2003 & Word 2007) that can be modified as needed. The template has been updated to include a HIPAA audit program definition:

Outsourcing Management Standard
- Service Level Agreement
- Responsibility
Outsourcing Policy
- Policy Statement
- Goal
Approval Standard
- Base Case
- Responsibilities

Note: Look at the Practical Guide for Outsourcing over 110 page document for a more extensive process for outsourcing

Internet, E Mail, Mobile Device, Electronic Communication, and Record Retention Policy

This policy is is compliant with all recent legislation (SOX, HIPAA, Patriot Act, and Sensitive information), and covers:

Appropriate Use of Equipment
Mobile Devices
Internet Access
Electronic Mail
Retention of Email on Personal
E-mail and Business Records
Copyrighted Materials
Banned Activities
Ownership of Information
Security
Sarbanes-Oxley
Abuse

Included are these ready to

Internet & Electronic Communication Employee Acknowledgement
E-Mail - Employee Acknowledgement
Internet Use Approval Form
Internet Access Request Form
Security Access Application Form

Travel and Off-Site Meeting Policy

Protection of data and software is often is complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other employees, contractors, suppliers and customers data and software can be compromised. This policy is four page in length and covers:

Data and application security

Minimize attention

Shared public resources

Off-site meeting special considerations

Backup and Backup Retention Policy

Backup Policy & Backup Retention The Backup and Backup Retention policy is an 11 page sample policy that is a complete policy which can be implemented immediately.

The document is provided in both Word 2003 and Word 2007 formats and is easily modified. This policy is included in the Disaster Recovery / Business Continuity Template

Below is a table from the policy.

Type of Data	Minimal Backup Policy	Backup Retention Policy
System software	Latest Version plus patches At Least Weekly	Annual (verified) Backup Monthly Generations Weekly Generations
Application software	Latest Version plus patches At Least Weekly	Annual (verified) Backup Monthly Generations Weekly Generations
System data	Daily	Annual (verified) Backup Monthly Generations Weekly Generations Daily Generations
Application Data	Daily with real time transaction files	Annual (verified) Backup Monthly Generations Weekly Generations Daily Generations
Software licenses, encryption keys, & Protocol Data	Weekly	Annual (verified) Backup Monthly Generations Weekly Generations

Sensitive Information Policy

This policy covers the treatment of Credit Card, Social Security, Employee, and Customer Data. The policy is 15 pages in length. This policy complies with Sarbanes Oxley Section 404.

The policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).