Drafting up an email retention policy for our MS Exchange 2003 system. Curious as to what other people have as a policy -- how many days to keep online, delete, etc. Thanks!
Legal issues aside, I am in favor of keeping emails as long as I possibly can. My own email database goes back about a dozen years, and it is quite useful at times to have access to that information. Disk space is cheap, and getting cheaper, and machines are getting faster and cheaper as well.
It should be part of your overall document retention policy, not just a policy for your Exchange server. Our document retention policy (drafted by Legal) states that emails older than 90 days must be deleted. If the information in the email is required past 90 days of receipt then it is to be saved to disk (NOT a .pst file) as a file (rtf, doc, pdf, whatever) at which point it is under the governance of our document retention policy. Automated archiving mechanisms are not permitted.
EDIT: in response to Evan's comment:
Yeah, good question. It is draconian to be sure. However, much time (ugh) is spent here forcing this policy down the organization and policing (i.e., auditing), so it is working. The first attempt at it met with such a rebellion as you describe, then it was reworked again and recently redeployed. I do agree that email should be included in the overall retention policy and not left to an autonomous policy. There is still much wailing and gnashing of teeth about not being able to utilize Outlook features to manage email here. More so the fact that dept heads must annually audit to the retention policy and sign off their dept's compliance, accountable to internal controls.
There are arguable benefits to your storage solution using such a policy, even when mailbox quotas are implemented. There are still a lot of questions related to the "useless" that are being met with statements like "do it".
I agree with squillman in terms of addressing legality obstacles. I would talk to the legal department first and foremost to avoid any headaches later on, and for possible compliance issues (HIPAA/SOX/PCI). Seems to me that industry usually dictates compliance in tandem with legal more than anything else.
From then on I would focus on common metrics within IT such as the total number of users, avg. growth rate per hour/day/week/month, etc. etc. to determine how many days to keep online storage (if legal hasn't mandated anything). From my experience, always leave a little slack too in terms of storage for YOU, not the users. Often users will take as much email storage as they're given (especially Outlook/Exchange shops), so if money is tight and storage is at a premium, lower the retention policy a little to alleviate future financial/technical headaches.