Integrated Risk Management:
Why Should I?
by Bill Gillespie,
President, Risk Analysis Group

Integrated Risk Management (IRM) was born out of necessity, not an epiphany. It is the product of high-level discussions that typically begin with an astonished or embarrassed senior executive asking how "it" happened. A discussion of those "its" will explain the genesis of IRM and help the reader develop a cogent argument for bringing IRM into his or her organization. The circumstances that follow are based upon my personal experiences and perhaps those of some readers.

Tales from IT
On a pleasant morning, while sipping your first cup of coffee, you receive a telephone call from your IT colleague requesting your assistance in disposing of some old "IT junk." Part of your security function is to assist in the destruction of company property and to prepare the appropriate report to memorialize that event. I am assuming that you are employed by a company that has a property destruction policy. No? Then you had better write one.

The IT executive, at your prompting, identifies the junk as old data tapes in several different media formats, some of which are so old that the equipment to retrieve the data no longer exists. Would you authorize the destruction of the IT junk? If you have been trained as an Integrated Risk Manager, your response would be a firm "no."

"But," the executive stutters, floored by your response, "we throw out and destroy old junk all the time! We got rid of that dead monitor and that broken keyboard last month."

"Yes," you reply. "But there is a difference between broken monitors and keyboards and old data."

Property Destruction Risk
Every company is subject to a variety of litigation. Much of that litigation begins with a subpoena duces tecum, an order by the court to produce all available information about the subject or issue under legal contention. If the court order includes IT data, and these days it almost always does, someone from IT must provide a memorandum describing data storage procedures, most likely exposing the existence of the "IT junk." If the junk is not disclosed at the time of the subpoena and is discovered later, the corporation is toast.

Destroyed information has a legal life of its own. Attorneys will be allowed to argue the nature of the destroyed information and speculate about why it was destroyed. If it was destroyed without a report recording the date of the destruction, more liability may be incurred, as lawyers may imply that it was destroyed after the litigation was announced, suggesting guilty knowledge or damage control. In the legislative environment in which businesses live today, this allegation is very damaging to corporate reputations and should be avoided. In such a scenario, company counsel may recommend a settlement rather than expend the dollars necessary to explain the existence of the "IT junk." But as an Integrated Risk Manager, you know how to avoid this mess.

Risk Avoidance Strategy
The risk created by the destruction of the "IT junk" is replicated in most departments in the corporation. There are laws, varying from state to state, detailing how long certain records are to be retained, and corporations are obliged to obey them. However, you do not simply toss records into the shredder at the end of their legally mandated storage period. Nor do you keep them indefinitely at a document storage facility and assume unnecessary and ever-growing monthly charges.

So what will help your attorneys sleep better at night? A Records Retention and Destruction policy.

The policy must be in compliance with local laws and must detail what types of information must be saved and for how many years. Some records need only be stored for months.

Absent pending litigation or certain statutory requirements that compel record retention, write a policy that allows destruction of outdated documents. The policy must identify the "owners" of each record, and it must allow those owners to justify or explain why any records are to be retained. (Remember, this is a cost issue as well as a risk issue.) Destroy outdated records twice a year, and include these anniversary dates in your policy.

The policy must also require a record of document destruction that includes a description of what was destroyed and the identification of the personnel who monitored the destruction. The policy must include zero tolerance for those employees who develop an emotional attachment to "their stuff." Remember that the subpoena covers all records, and many pack rats turn to mush in a deposition, producing records believed destroyed. Defense attorneys make a living finding such records and will virtually always ask for desk notes and personal files.

After the policy is written and signed by the CEO, a company-wide announcement is appropriate. Every employee issued a copy of the policy must also sign an accompanying form that documents receipt and understanding of the policy.

There are several texts that will assist the reader in writing this policy. I obtained mine from an Internet vendor and purchased an on-line subscription for annual updates. The cost savings in document storage will pay for the subscription one hundred-fold.

Conclusion
With the pertinent policies published, the discussion with the IT manager would never have occurred, as the media would already have been destroyed on schedule and the destruction recorded. I encourage any reader to post similar experiences on our web site, as well as comments for or against the contents of this article. This article and others prepared by Risk Analysis Group are written to encourage the exchange of information and ideas.
