The Center for Internet Security Controls (CIS Controls) have become an industry standard that helps businesses and organizations of all sizes maintain a baseline set of cybersecurity controls.

Safeguard 3.4 covers enforcing data retention according to the organization's data management process. Your Data Retention Policy must state both the minimum and the maximum retention timelines.

The two primary reasons you need a data retention policy are liability protection and regulatory compliance.

Liability protection means managing and protecting an organization's important data so as to avoid the civil, criminal, and financial penalties that can result from poor data management.

Regulatory compliance comes into play because local, state, federal, and international policies, rules, statutes, and laws, as well as industry-imposed regulations, often set the length of time that specific types of data must be retained and maintained.

It is important to understand which compliance frameworks and regulations apply to you, and to ensure you are retaining the necessary data for the required timelines.

Looking at some of the industry standards:
Federal Information Security Modernization Act (FISMA) - 3 Years
ISO 27001 - 3 Years
National Energy Commission (NERC) - 3 to 6 Years
Basel II Capital Accord - 3 to 7 Years
Sarbanes-Oxley Act (SOX) - 7 Years
Health Insurance Portability and Accountability Act (HIPAA) - 6 Years
National Industrial Security Program Operating Manual (NISPOM) - 6 to 12 Months

No matter how long you choose to retain the data, you need to document the policy and validate and test your backups on a regular basis; otherwise you cannot be sure that your backups exist and that the data is actually being retained.

Your Data Retention Policy should cover local, application, database, and cloud data, and it should address storing the retained data both locally and in the cloud. The last thing you want is a fire that destroys both your local data and the backup files.
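To make the minimum/maximum timeline requirement of Safeguard 3.4 and the backup-validation advice above concrete, here is an added example (my own illustration, not code from the original post or from CIS) of a small retention audit. It assumes a hypothetical policy table with per-data-class minimum and maximum retention windows, and a constructed set of retained items, each carrying the SHA-256 digest recorded when the backup was taken. The audit flags items held past their maximum (which should be disposed of), items whose stored digest no longer matches (a backup you cannot rely on), and items with no governing rule; a separate check tells you whether disposing of an item today would breach the minimum.

```python
"""Retention-window and backup-integrity audit (added example, not from the post).

Models CIS Control 3.4's requirement that a retention policy state both a
minimum and a maximum retention period, plus the advice to validate backups.
The policy classes, windows and sample items below are all constructed.
"""
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass(frozen=True)
class RetentionRule:
    min_days: int  # data must not be disposed of before this age
    max_days: int  # data must not be kept beyond this age


# Hypothetical policy table: data classes and windows are assumptions,
# not values taken from the post or from any regulation.
POLICY = {
    "finance_records": RetentionRule(min_days=7 * 365, max_days=8 * 365),
    "phi_audit_logs": RetentionRule(min_days=6 * 365, max_days=7 * 365),
    "security_logs": RetentionRule(min_days=3 * 365, max_days=4 * 365),
}


@dataclass(frozen=True)
class RetainedItem:
    name: str
    data_class: str
    created: date
    payload: bytes          # backup contents (inline here; a file on disk in practice)
    expected_sha256: str    # digest recorded when the backup was taken


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit(items, today):
    """Return (item name, finding) pairs for every policy or integrity problem."""
    findings = []
    for item in items:
        rule = POLICY.get(item.data_class)
        if rule is None:
            findings.append((item.name, "no retention rule for data class"))
            continue
        age = (today - item.created).days
        if age > rule.max_days:
            findings.append(
                (item.name, f"held {age}d, exceeds maximum {rule.max_days}d: dispose")
            )
        if sha256_hex(item.payload) != item.expected_sha256:
            findings.append((item.name, "backup integrity check failed: digest mismatch"))
    return findings


def disposal_allowed(item, today):
    """True if policy permits deleting the item today (age >= minimum)."""
    rule = POLICY[item.data_class]
    return (today - item.created).days >= rule.min_days


# Constructed sample data for the audit run.
AUDIT_DATE = date(2024, 1, 1)
SAMPLE_ITEMS = [
    # 9 years old: past the 8-year maximum for finance records, digest intact.
    RetainedItem("fin-2015-ledger", "finance_records", date(2015, 1, 1),
                 b"ledger-2015", sha256_hex(b"ledger-2015")),
    # Within window, but the stored digest does not match the payload.
    RetainedItem("phi-audit-2020", "phi_audit_logs", date(2020, 6, 1),
                 b"audit-2020", "0" * 64),
    # Two years old: inside window, not yet eligible for disposal, digest intact.
    RetainedItem("seclog-2022", "security_logs", date(2022, 1, 1),
                 b"seclog-2022", sha256_hex(b"seclog-2022")),
    # A class the policy never defined: the policy itself has a gap.
    RetainedItem("drafts-2023", "marketing_drafts", date(2023, 3, 1),
                 b"drafts", sha256_hex(b"drafts")),
]


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ITEMS, AUDIT_DATE):
        print(f"{name}: {finding}")
```

Run it and the report lists the over-retained ledger, the audit log whose backup no longer matches its recorded digest, and the item with no rule; `disposal_allowed` returns False for the two-year-old security logs, so an automated cleanup job should refuse to delete them. In a real deployment the payloads would be read from backup media and the digests from the manifest written at backup time, which is exactly the "validate and test your backups" step the post calls for.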
