Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In the previous column, my friend and colleague Prof. Don Holden, MBA, CISSP-ISSMP, and I reviewed some of the issues arising from pre-trial discovery orders involving stored e-mail and e-mail archives.
As we looked through several articles on the subject and thought about the issues, we put together the following list of practical pointers for readers:
* Define, enforce and update formal retention policies that stipulate how long to keep archives of which types of data. Ensure that your legal counsel is deeply involved in setting these policies.
* Requests for access to archived records should be fulfilled within, at most, 48 hours to avoid possible fines.
* Deleting e-mail and other records that show evidence of wrongdoing may lead to worse legal and public-relations consequences than coming clean.
* Unscheduled deletion of e-mail may destroy exculpatory evidence or lead to a tacit presumption of guilt.
* E-mail archives on servers must be safeguarded against any modification that could distort the record and lead to prosecution for tampering with evidence. Chained checksums or digital signatures involving timestamps can reveal such tampering.
* Metadata are the data about your data, such as log files showing who accessed or modified files or records. Metadata are increasingly being seized in discovery as well and must be maintained properly.
* Tools that scrub metadata for security purposes can also be used to hide legitimate audit trails, so their use needs to be controlled or monitored. Examples include destroying the track-changes records in word-processing and spreadsheet files known to be significant in a legal discovery process, or deliberately copying and pasting content from a source that carried an audit trail into a plain-text format that does not. No employee should be destroying data in this way while a subpoena or other discovery process is in force; data security policies should make such restrictions explicit.
* Ensure that you know exactly what is on each backup medium and where it is stored. Use appropriate software to catalog your backup media. Stored media must be kept in secured facilities with chain-of-custody records that ensure that the organization can report exactly who accessed which media at any time.
* Disaster-recovery media may be required under subpoena just as regular backup media are; be sure to include them in your catalogs and access lists.
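The pointer on safeguarding server-side archives mentions chained checksums with timestamps as a way to reveal tampering. The following is an added illustration of that idea, not code from the column or from any product it discusses: each archived record (with its timestamp) is bound to the digest of the record before it, so altering, backdating or silently removing a record breaks every later link. The record contents, the archive key and the `SAMPLE_RECORDS` list are constructed for this example; a real deployment would keep the key in a secrets store or HSM and anchor the latest digest somewhere the archive operator cannot rewrite.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample: three archived e-mail records with their archive timestamps.
# In a real archive these would be the stored messages (or their raw source).
SAMPLE_RECORDS = [
    {"id": "msg-0001", "ts": "2009-11-01T09:15:00Z", "body": "Q3 numbers attached."},
    {"id": "msg-0002", "ts": "2009-11-01T09:42:00Z", "body": "Please hold the press release."},
    {"id": "msg-0003", "ts": "2009-11-02T14:03:00Z", "body": "Legal wants the backup catalog."},
]

# Hypothetical archive key (assumption for this example). Using an HMAC rather
# than a plain hash means someone who can rewrite the archive files cannot
# simply recompute the chain unless they also hold the key.
ARCHIVE_KEY = b"example-archive-key-not-for-production"

# Digest used as the "previous link" for the very first record.
GENESIS = "0" * 64


def canonical(record):
    """Serialize a record deterministically so the digest is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def link_digest(prev_digest, record):
    """HMAC over (previous digest || canonical record): the chain link."""
    return hmac.new(ARCHIVE_KEY, prev_digest.encode() + canonical(record),
                    hashlib.sha256).hexdigest()


def build_chain(records):
    """Return a list of {'record', 'digest'} entries, each bound to its predecessor."""
    chain = []
    prev = GENESIS
    for rec in records:
        digest = link_digest(prev, rec)
        chain.append({"record": rec, "digest": digest})
        prev = digest
    return chain


def verify_chain(chain, expected_head=None):
    """Recompute every link. Returns (True, None) if intact, else (False, index).

    The index is the first entry whose stored digest does not match; when the
    chain recomputes cleanly but its final digest differs from expected_head
    (tail truncation), the index is len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = link_digest(prev, entry["record"])
        if not hmac.compare_digest(expected, entry["digest"]):
            return False, i
        prev = entry["digest"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


def tamper(chain, index, field, value):
    """Return a copy of the chain with one stored record field altered (to show detection)."""
    altered = copy.deepcopy(chain)
    altered[index]["record"][field] = value
    return altered


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    head = chain[-1]["digest"]
    print("intact:", verify_chain(chain, head))
    print("edited body:", verify_chain(tamper(chain, 1, "body", "Release it now."), head))
    print("backdated:", verify_chain(tamper(chain, 2, "ts", "2009-10-30T08:00:00Z"), head))
    print("middle record removed:", verify_chain(chain[:1] + chain[2:], head))
    print("last record removed, no anchor:", verify_chain(chain[:2]))
    print("last record removed, anchored head:", verify_chain(chain[:2], head))
```

One caveat the output makes visible: a chain on its own detects edits and deletions in the middle but not removal of the most recent records, because a shortened chain still recomputes cleanly. Recording the current head digest with an independent party (or a signed, timestamped log kept off the archive server) is what closes that gap.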
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.