Test to Ensure Records are Correctly Located
Target Behaviour
Compliance to written policies for record location is not being actively monitored.
Directive
Tests must be performed to confirm that users and Data Stewards are correctly locating files containing PII or PCI data according to standards.
Policy Requirements
Tests must be performed on a weekly basis to ascertain whether files suspected to contain PII or PCI data are being stored in SharePoint sites or OneDrive for Business file stores.
The presence of ‘customer numbers’, ‘employee numbers’, ‘supplier numbers’, social security numbers or credit card numbers will signify a failed test.
Results of each test are sent to Records Managers.
Tests will be performed on a monthly schedule and will be available to Records Managers and Data Security personnel to run on an ad hoc basis.
Workflow for Responding to Legal Hold Requests
Target Behaviour
Requests to place data related to specific people, projects, products or cases on Legal Hold are being poorly fulfilled. A lack of sufficient insight into data content is leading to unnecessarily large volumes of data being quarantined and to relevant data being excluded.
Directive
A scientific method of identifying files that should be subject to legal hold is required. The organization is exposed to unnecessary (and significant) infrastructure and services costs when excessive data is placed on legal hold. Similarly, the organization is failing to fulfil its legal obligations when relevant files are missed. The ability to query file content and identify the presence of relevant strings is necessary.
Policy Requirements
Legal announces that all data connected to a person, company, case, etc. should be placed on legal hold.
IT identifies the Data Stewards (Business Unit Managers, Department heads, Records Managers, etc.) that should be involved, and creates the quarantine location with relevant permissions, retention policy, etc.
Data Stewards provide lists of the data repositories that should be scanned (text-mining) for files connected to the person, company, case, etc. Scans are configured and executed.
Data Stewards receive notification when data is collected and review file lists, moving relevant files to quarantine.