To Retain Or Not To Retain? That Is The Question.
Memorial Day has passed and summer is here. I don’t know about you but each summer I go through my closet in an attempt to de-clutter. As I stand in my closet looking at clothing that doesn’t fit anymore to donate, or ripped/stained/damaged clothing to discard, all I can think about is Data Retention. I know, right!
Wouldn’t it be great if you could simply look at your data like you look at your clothing and know whether it should be kept, moved to archive (packed), or discarded? Well you can! All you need is a data retention policy.
A data retention policy is an organization’s established protocol for keeping records for a set period of time. The goal of a data retention policy is to secure your data and ensure compliance with business needs, industry guidelines, or legal requirements.
- Business Needs – Organizations may have specific contractual requirements regarding certain data that needs to be maintained for a certain period of time. This can be due to existing contracts, tax/financial purposes, or other requirements.
- Industry Guidelines – Depending on your industry (Financial, Legal, Healthcare, State & Local Government, Education, etc.), there are most likely guidelines around data retention. Some govern how long you must keep data and some govern when you must dispose of it. This will, in most cases, depend on the content, but we’ll cover content in a later post.
- Legal & Regulatory Compliance – In recent years, the focus on data privacy has increased, which has resulted in more complex laws and regulations worldwide. Whether you’re looking at: Sarbanes–Oxley Act, Health Insurance Portability and Accountability Act, Payment Card Industry Data Security Standard, General Data Protection Regulation, or others, you will need to know what data you have, who has access to it, and what information is contained within.
This may sound challenging, but don’t worry, help is here! Here’s a link to a Data Management Policy Template, provided free of charge by the fine folks at the Center for Internet Security:
https://www.cisecurity.org/insights/white-papers/data-management-policy-template-for-cis-control-3
Here’s some detail on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 3 – Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Implementation Group 1
CIS Safeguard 3.4 - Enforce Data Retention
Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.
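To make the "both minimum and maximum timelines" requirement concrete, here is an added example (my own illustration, not code from CIS or from the policy template) of a small retention evaluator. It takes the closet metaphor literally: each record is classified, each data class carries a rule with a minimum age before disposal is permitted, a maximum age by which disposal is required, and an optional point at which the record is moved to archive. The data classes, day counts, record ids and the `legal_hold` flag are all constructed for the example and are not taken from any regulation; a rule that states only one of the two timelines, or inverts them, is rejected when the policy is loaded.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed example (not CIS's code): applies the Safeguard 3.4 idea of
# minimum AND maximum timelines to a classified record inventory.
# Data classes, day counts and record ids are made up for illustration.


@dataclass(frozen=True)
class RetentionRule:
    data_class: str
    min_days: int                              # must keep at least this long
    max_days: int                              # must dispose by this age
    archive_after_days: Optional[int] = None   # optional: move to archive at this age

    def __post_init__(self) -> None:
        # A rule missing either timeline, or with min > max, can never be
        # satisfied, so reject it at policy-load time rather than at review time.
        if self.min_days < 0 or self.max_days < self.min_days:
            raise ValueError(f"{self.data_class}: need 0 <= min_days <= max_days")
        if self.archive_after_days is not None and not (
            0 <= self.archive_after_days < self.max_days
        ):
            raise ValueError(f"{self.data_class}: archive point must fall before max_days")


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    created: date
    legal_hold: bool = False   # a hold suspends scheduled disposal (assumed flag)


def retention_action(record: Record, rule: RetentionRule, today: date) -> str:
    """Return 'retain', 'archive' or 'dispose' for one record under its rule."""
    age_days = (today - record.created).days
    if record.legal_hold:
        return "retain"
    if age_days >= rule.max_days:
        return "dispose"
    if rule.archive_after_days is not None and age_days >= rule.archive_after_days:
        return "archive"
    return "retain"


def disposal_allowed(record: Record, rule: RetentionRule, today: date) -> tuple[bool, str]:
    """Check an ad-hoc deletion request against the minimum timeline and any hold."""
    age_days = (today - record.created).days
    if record.legal_hold:
        return False, "legal hold in place"
    if age_days < rule.min_days:
        return False, f"minimum retention of {rule.min_days} days not met ({age_days} days old)"
    return True, "ok"


def review(records, policy: dict, today: date) -> dict:
    """Map every record id to its action; unclassified records are flagged, never auto-disposed."""
    actions = {}
    for rec in records:
        rule = policy.get(rec.data_class)
        actions[rec.record_id] = "unclassified" if rule is None else retention_action(rec, rule, today)
    return actions


# Constructed policy: the day counts are illustrative only.
POLICY = {
    r.data_class: r
    for r in (
        RetentionRule("financial-records", min_days=7 * 365, max_days=10 * 365, archive_after_days=2 * 365),
        RetentionRule("marketing-leads", min_days=0, max_days=365),
    )
}

# Constructed record inventory.
RECORDS = [
    Record("INV-001", "financial-records", date(2023, 1, 15)),
    Record("INV-002", "financial-records", date(2021, 3, 1)),
    Record("INV-003", "financial-records", date(2013, 5, 1), legal_hold=True),
    Record("LEAD-001", "marketing-leads", date(2022, 1, 1)),
    Record("LEAD-002", "marketing-leads", date(2024, 3, 1)),
    Record("TMP-001", "unknown", date(2020, 1, 1)),
]

REVIEW_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for record_id, action in review(RECORDS, POLICY, REVIEW_DATE).items():
        print(f"{record_id:9} {action}")
    ok, why = disposal_allowed(RECORDS[0], POLICY["financial-records"], REVIEW_DATE)
    print("delete INV-001 now?", ok, "-", why)
```

Two design points matter more than the numbers: a record with no matching rule is reported as `unclassified` rather than silently kept or deleted, because disposal without a known classification is exactly what the minimum timeline is meant to prevent; and the legal-hold check sits ahead of the maximum-age check, so a hold always wins over a scheduled purge.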