Data Retention Policies


Data retention policies state how data is controlled throughout its life cycle.

  • define the types of data that an organization has
  • address where data is stored and how it is protected
  • specify how long different types of data must be retained
  • also known as document retention policies

Elements

  • Types of organizational data
  • Where that data is stored
  • How that data is protected
  • Legal, business, historical, or other reason for keeping that data
  • How long the data should be retained

Elements for CCSP

  • Retention periods
    • the length of time the organization should keep data
    • usually refers to data archived for long-term storage
    • retention period is often expressed as a number of days up to years
    • can be mandated or modified by contractual agreements
  • Regulations and compliance
    • retention policy should refer to applicable regulatory guidance
    • policy should reflect how to approach and resolve conflicts between regulations
  • Data classification
    • highly sensitive or regulated data may have specific retention periods
    • can use classification level to determine retention periods
  • Retention
    • policy should specify requirements for how the data is actually archived
    • e.g., encrypted at rest
  • Data deletion
    • data must be properly disposed of at the end of the retention period
    • policy should outline how to properly dispose of data, including
      • who should delete data
      • what the requirements for deletion are
      • point to a procedure document on how to securely delete data
  • Archiving and retrieval procedures and mechanisms
    • policy should mandate the creation of detailed processes for
      • sending data into storage
      • recovering data
      • testing of both processes
    • detailed procedures should be a different document
      • will be updated more frequently than the policy document
  • Monitoring, maintenance, and enforcement
    • policy should list
      • how often it will be reviewed and amended, and by whom
      • consequences for failure to adhere to the policy
      • which entity is responsible for enforcement