Document Retention vs. Disaster Recovery

Subject: Record Retention and Disaster Recovery & EPHI & PHI

Hello Ian and Ben,

HR would like to meet with the two of you and discuss [the] record retention program and the safeguards in place to restore data.

We would also like to discuss EPHI & PHI policies to ensure [we stay] in compliance.  It would be helpful to gain a better understanding of IT’s processes and procedures concerning data back-up and the access to sensitive personnel information.

Would you please suggest a day and time when we can meet for about half an hour?


From: Ian Fleming
Sent: Thursday, February 16, 2012 9:56 AM
To: HR

We can meet today, this afternoon, or when you have time.

Regarding safeguards of files, we use the security concept of ownership.  This concept is detailed in the Trusted Systems publication put together by the National Security Agency and the Department of Defense back in the 80’s.  It was implemented by Microsoft in 1994 with the NTFS file system.

To give a brief description, every object within a volume or share has a single owner; an owner is a user identified by the object as being the one who controls it. By default, the user who creates a file or folder becomes its owner. The significance of ownership is that the owner of a file or folder always has the ability to assign discretionary permissions for that object. The owner can decide what permissions should be applied to the object, controlling others’ access to the file or folder.  The technical term for this concept is called discretionary access control.
Problems can occur if those with administrative access take ownership of files or change permissions when they should not. When this happens, ownership can only be offered back.  Ownership can only be offered by a user or taken by force by an administrator, but it is never assigned.  This prevents repudiation.  It is set up this way to prevent repudiation that an administrator took ownership of a file, made changes, and changed ownership to someone else without their knowledge.

Aside from the digital non-repudiation method, security is very similar to your file cabinet in your office.  You “own” it.  You secure it by locking your office door or file cabinet.  The point I’d like to drive home here is that there is no difference in the security concept between a paper file in your file cabinet and a digital file in your folder.  This makes a document retention policy no different for digital files vs. their paper counterparts.  The only significant difference is that if an administrator goes into your office when you aren’t there and looks at your paper files, you probably wouldn’t notice; however, if an administrator goes into your digital files, you will know because you will no longer be the owner of those files.

The procedure of assigning permissions is rather straightforward. The most common method is for the owner to right-click an object in Windows Explorer, select Properties, and then click the “Security” tab to access the permissions settings for the object.  The administrators should never set permissions or take ownership of files unless explicitly told to do so by management.  Either way, there is an audit trail should questions arise.

Regarding backup, RTO, and RPO: it would help if you explain the compliance requirements during our meeting before we go into explaining all of our backup processes.
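An added example, not from Ian's e-mail or the organization's own tooling, of the detection signal described above: a PowerShell script that records the NTFS owner of every file under a share and, on later runs, reports any file whose owner no longer matches the baseline. The share path and baseline file name are assumed placeholders.

```powershell
# Added example (not from the original e-mail): audit NTFS ownership against an expected-owner
# baseline. Assumptions: $SharePath is a folder on an NTFS volume and $BaselineCsv is a CSV
# with columns Path,Owner that this script creates on its first run. Any file whose current
# owner differs from the baseline is the "you will no longer be the owner" signal.

param(
    [string]$SharePath   = 'D:\HR\Personnel',             # hypothetical share path
    [string]$BaselineCsv = 'D:\Audit\owner-baseline.csv'  # hypothetical baseline file
)

# Record the current owner of every file under the share.
function Export-OwnerBaseline {
    param([string]$Path, [string]$OutFile)
    Get-ChildItem -Path $Path -Recurse -File |
        ForEach-Object {
            [pscustomobject]@{
                Path  = $_.FullName
                Owner = (Get-Acl -Path $_.FullName).Owner
            }
        } | Export-Csv -Path $OutFile -NoTypeInformation
}

# Compare current owners with the baseline and return the files whose owner changed
# (or that were not present when the baseline was taken).
function Compare-OwnerBaseline {
    param([string]$Path, [string]$BaselineFile)
    $expected = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $expected[$_.Path] = $_.Owner }

    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        $current  = (Get-Acl -Path $_.FullName).Owner
        $baseline = $expected[$_.FullName]
        if ($null -eq $baseline) {
            [pscustomobject]@{ Path = $_.FullName; Expected = '<new file>'; Current = $current }
        } elseif ($baseline -ne $current) {
            [pscustomobject]@{ Path = $_.FullName; Expected = $baseline;    Current = $current }
        }
    }
}

# First run creates the baseline; later runs report deviations, e.g. an owner that is now
# BUILTIN\Administrators instead of the user who created the file.
if (-not (Test-Path -Path $BaselineCsv)) {
    Export-OwnerBaseline -Path $SharePath -OutFile $BaselineCsv
} else {
    Compare-OwnerBaseline -Path $SharePath -BaselineFile $BaselineCsv | Format-Table -AutoSize
}
```

The report complements, rather than replaces, the NTFS audit trail mentioned above: the baseline tells you which files changed hands, and the Security event log tells you who did it.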




From: HR
Sent: Thursday, February 16, 2012 11:37 AM
To: Ian Fleming


There are multiple lengths of retention periods required depending on the type of record and what rule applies to that record; I will bring our record retention requirements.

One of the main concerns of HR is: if we destroy paper copies, what type of safeguards are in place for retrieving these records electronically?  Should a digital copy be made and kept in an external location, or… is it safe to believe these records can always be retrieved from the imaging system?

What time is best for you? And would you like to meet in your office or where?

Thank you Ian!


From: Ian Fleming
Sent: Thursday, February 16, 2012 12:09 PM
To: HR


Again, the point I wish to drive home here is that a document retention policy on an electronic system should be applied and enforced in the exact same way as with a paper document system or file cabinet.  The owner performs the action to the object; the object can be paper, or any other medium that contains company information.  Like paper, if the action is to destroy, only the owner (or those given discretionary rights by the owner) can perform this action.

To address your hypothetical, an electronic document and a copied paper document are two completely separate objects.  If you destroy a paper copy of an electronic document, this action will not automatically destroy the electronic source of the copy.

Think of paper and electronic as two systems that present the exact same information – only on different media.

For the purposes of the compliance discussion, I strongly believe that we need to separate the topics of “security and access control” from the topic of system “backup and recovery”.  These are entirely different concepts and should not be confused with one another.  Recovery systems are used during disasters – backup and recovery systems are not intended or designed to be used for archiving user data.

Backup and Recovery objectives rely heavily on the definition of two parameters:  Recovery Time Objective (RTO) and Recovery Point Objective (RPO).  The RTO is how long the cooperative can go without access to something. This is often associated with your maximum allowable or maximum tolerable outage. If your RTO is zero (you absolutely cannot go down) then we may opt to have a completely redundant infrastructure with replicated data offsite and so on.

The RPO is slightly different. This dictates the allowable data loss; in other words, how much data can I afford to lose if there were a disaster? So, if we do a nightly backup at 7:00 PM and our office goes up in flames at 4:00 PM the following day, everything that was changed since our last backup is gone. My RPO in this particular context is the last backup at 7PM – 21 hours ago.

Now, consider a bank that handles ATM processing.  I would assume that their RPO would be down to the last, latest transaction.  These types of systems generally cost a lot to implement and maintain. They simply can’t afford to lose millions of dollars by failing to record hours of ATM transactions that handed out cash to customers.

Our datacenter RTO is xx units of time and our RPO is xx units of time.

Again, I believe we need to separate these concepts and discuss them separately because they perform entirely separate functions.

I’ll meet you at 1:30 after lunch if this is good for you.  I don’t have a lot going on this afternoon.
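An added example, not from the e-mails, that turns the RTO and RPO definitions above into a check: given a constructed backup job history, it finds the last successful backup before an incident, computes the data-loss window (the 7:00 PM backup / 4:00 PM fire scenario yields 21 hours) and compares it with placeholder RPO and RTO targets.

```powershell
# Added example (not from the e-mails): evaluate a backup schedule against RPO/RTO targets.
# The job history below is constructed sample data; the RPO/RTO targets are placeholders.

# Backup job history. A failed job is not a recovery point, so it must be skipped.
$jobs = @(
    [pscustomobject]@{ Finished = Get-Date '2012-02-14 19:05'; Status = 'Success' }
    [pscustomobject]@{ Finished = Get-Date '2012-02-15 19:00'; Status = 'Success' }
    [pscustomobject]@{ Finished = Get-Date '2012-02-16 03:00'; Status = 'Failed'  }
)

# Most recent successful backup that finished before the incident.
function Get-LastGoodBackup {
    param($Jobs, [datetime]$Before)
    $Jobs | Where-Object { $_.Status -eq 'Success' -and $_.Finished -le $Before } |
        Sort-Object Finished -Descending | Select-Object -First 1
}

# Data-loss window (RPO exposure) and restore-time check (RTO) for one incident.
function Get-RecoveryExposure {
    param($Jobs, [datetime]$Incident, [timespan]$RpoTarget,
          [timespan]$RtoTarget, [timespan]$MeasuredRestoreTime)
    $last = Get-LastGoodBackup -Jobs $Jobs -Before $Incident
    if (-not $last) { throw 'No successful backup before the incident: total data loss.' }
    $dataLoss = $Incident - $last.Finished   # everything changed in this window is gone
    [pscustomobject]@{
        LastGoodBackup = $last.Finished
        Incident       = $Incident
        DataLossHours  = [math]::Round($dataLoss.TotalHours, 1)
        RpoMet         = $dataLoss -le $RpoTarget
        RestoreHours   = $MeasuredRestoreTime.TotalHours
        RtoMet         = $MeasuredRestoreTime -le $RtoTarget
    }
}

# Scenario from the e-mail: nightly backup at 7:00 PM, fire at 4:00 PM the next day.
# The 03:00 job failed, so the last good recovery point is 7:00 PM and 21 hours are lost.
Get-RecoveryExposure -Jobs $jobs -Incident (Get-Date '2012-02-16 16:00') `
    -RpoTarget (New-TimeSpan -Hours 24) -RtoTarget (New-TimeSpan -Hours 8) `
    -MeasuredRestoreTime (New-TimeSpan -Hours 6) | Format-List

# Same incident against a 4-hour RPO: a nightly schedule cannot meet it (RpoMet = False).
Get-RecoveryExposure -Jobs $jobs -Incident (Get-Date '2012-02-16 16:00') `
    -RpoTarget (New-TimeSpan -Hours 4) -RtoTarget (New-TimeSpan -Hours 8) `
    -MeasuredRestoreTime (New-TimeSpan -Hours 6) | Format-List
```

The measured restore time should come from an actual restore test, not from the vendor's estimate; an RTO that has never been exercised is a guess.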




The meeting was very short!

