A. Accreditation is the formal acceptance process. Option B is not an appropriate answer

Record Retention

Record retention is the organizational policy that defines what information is maintained and for how long. In most cases, the records in question are audit trails of user activity. This may include file and resource access, logon patterns, e-mail, and the use of privileges. Note that in some legal jurisdictions, users must be made aware that their activities are being tracked.

Depending upon your industry and your relationship with the government, you may need to retain records for three years, seven years, or indefinitely. In most cases, a separate backup mechanism is used to create archived copies of sensitive audit trails and accountability information. This allows for the main data backup system to periodically reuse its media without violating the requirement to retain audit trails and the like.

If data about individuals is being retained by your organization such as a conditional employment agreement or a use agreement, the employees and customers need to be made aware of it. In many cases, the notification requirement is a legal issue; in others, it is simply a courtesy. In either case, it is a good idea to discuss the issue with appropriate legal counsel.

Sensitive Information and Media

Managing information and media properly—especially in a high-security environment in which sensitive, confidential, and proprietary data is processed—is crucial to the security and stability of an organization. Because the value of the stored data is momentous in comparison with the cost of the storage media, always purchase media of the highest quality.

In addition to media selection, there are several key areas of information and media management: marking, handling, storage, life span, reuse, and destruction. Marking, handling, storage, and observance of life span ensure the viability of data on a storage media. Reuse and destruction focus on destroying the hosted data, not retaining it.

Marking and Labeling Media

The marking of media is the simple and obvious activity of clearly and accurately defining its contents. The most important aspect of marking is to indicate the security classification of the data stored on the media so that the media itself can be handled properly. Tapes with unclassified data do not need as much security in their storage and transport as do tapes with classified data.

Data labels should be created automatically and stored as part of the backup set on the media. Additionally, a physical label should be applied to the media and maintained for the lifetime of the media. Media used to store classified information should never be reused to store less-sensitive data.

Media labels help to ensure proper handling of hosted sensitive, classified, or confidential data. All removable media, including tapes, USB drives, floppies, CDs, hard drives, and printouts, should be labeled.

Handling Media

Handling refers to the secured transportation of media from the point of purchase through storage and finally to destruction. Media must be handled in a manner consistent with the classification of the data it hosts. The environment within which media is stored can significantly affect its useful lifetime. For example, very warm environments or very dusty environments can cause