Slashdot Mirror


The Importance of Deleting Old Stuff

An anonymous reader writes: Bruce Schneier has codified another lesson from the Sony Pictures hack: companies should know what data they can safely delete. He says, "One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. ... Everything is now digital, and storage is cheap — why not save it all?

Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company. They published old documents. They published everything they got their hands on."

Schneier recommends organizations immediately prepare a retention/deletion policy so in the likely event their security is breached, they can at least reduce the amount of harm done. What kind of retention policy does your organization enforce? Do you have any personal limits on storing old data?

1 of 177 comments

  1. Re:Dear Nazis by Anonymous Coward · Score: 3, Informative

    Not the OP, but keep away from corporate security. While it seems like most of us are assholes, it's because you get used to looking past the smiles of the assassins coming for you that week.
    I find I need to go pull something out of a mail archive 3-4 times a year, when someone tries to blame me for something being insecure, and in my notes I have details of how I tested it, found it bad, highlighted same and some manager overrode my concerns because there was a business need to do so, taking a decision they were not qualified to take. When the shit starts to fly, you need to produce these or a baying mob of all the people you've ever disrupted their cosy plan for timescales with the utterance "don't do that, it's a *really* bad idea" will form and lynch you irrespective of whether you were right or wrong. It usually comes out in the wash when you produce the mail documenting this; the hysteria is being whipped up by someone connected to that very decision trying to bury the traces of the source of the braindead decision.
    I've also noticed the more clued-up people send suspect things in encrypted mail, because they know damn well our corporate IT will balls up the certs on our corporate machine every year and we'll have to get new ones with no access to the old.

    Delete my mailbox every 3 months? Not a chance. I have stuff going back 6 years for some of the rasher decisions.