Information risk planning involves a number of progressive steps: identifying potential risks to information, weighing those risks, creating strategic plans to mitigate the risks, and developing those plans into specific policies. Then it moves to developing metrics to measure compliance levels and identifying those who are accountable for executing the new risk mitigating processes. These processes must be audited and tested periodically not only to ensure compliance, but also to fine tune and improve the processes.

Depending on the jurisdiction, information is required by specific laws and regulations to be retained for specified periods, and to be produced in specified situations. To determine which laws and regulations apply to your organization's information, research into the legal and regulatory requirements for information in the jurisdictions in which your organization operates must be conducted.

Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements

There are federal, provincial, state, and even municipal laws and regulations that may apply to the retention of information (data, documents, and records). Organizations operating in multiple jurisdictions must maintain compliance with laws and regulations that may cross national, state, or provincial boundaries. Legally required privacy requirements and retention periods must be researched for each jurisdiction (e.g. county, state, country) in ...