Status: Live
The organization will maintain a data retention policy, disposition authority, or retention schedule. [UCF ID 00906]
Supporting and supported controls
This control directly supports:
- Determining documents for capture [UCF Control ID 00905]
There are no supporting controls.
Authority documents complied with:
The Sarbanes-Oxley Act of 2002, § 103(a)(2)(A)(i), § 1520(a)(2); Retention of Audit and Review Records, SEC 17 CFR 210.2-06, § 210.2-06(a)(1), § 210.2-06(a)(2); Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3, § 240.16a-3(i); Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Pg 8, Obj 3 (Reporting, Record Keeping, and Record Retention); FFIEC IT Examination Handbook – Audit, August 2003, Pg 12; FFIEC IT Examination Handbook – Development and Acquisition, Pg 32; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier II Obj I.5; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 6.3, Exam Tier II Obj 12.3; Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1, § 240.17a-6(b); Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 3.1.b; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 3-7; Protection of Assets Manual, ASIS International, Revised Volume 2 Pg 1-I-40; Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources, § 8(a)(5)(c); FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; US Export Administration Regulations Database, § 762.6(a); IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 3.1, § 6.3.5; IRS Revenue Procedure: Record retention: automatic data processing, 98-25, § 5.01(1); ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General, § 9.2; ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines, § 4.2.4.3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AU-11; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AU-11; CobiT 4.1, DS11.2; Telemarketing Sales Rule (TSR), 16 CFR 310, § 310.5(a); Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5, Sched 1 Principle 4.5.2; Canada Privacy Act, P-21, § 4.5.2; Mexico Federal Personal Data Protection Law, November 2005, Art 21; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 40; Australia Privacy Act 1988, Part IIIA § 118F(1), Part IIIA § 118F(2); Korea Act Relating to Use and Protection of Credit Information, Art 20(2); Alaska Personal Information Protection Act, Chapter 48, § 45.48.010(c); Florida Statute 817.5681 Breach of security concerning confidential personal information in third-party possession, § 817.5681(10); Iowa Code Annotated § 715C Personal Information Security Breach Protection, § 715C.2.6; Maryland Code of Commercial Law Subtitle 35. Maryland Personal Information Protection Act §14-3501 thru §14-3508, § 14-3504(b)(4); New Jersey Permanent Statutes Title 56 Security of Personal Information, § 56:8-163.a; Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 2.1; SEC 12 CFR 229 Availability of Funds and Collection (Check Clearing for the 21st Century), § 229.21(g); OMB Circular A-123 Management’s Responsibility for Internal Control, § I.A, App A § IV.A; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 22, Pg 30; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 3.1(b); Archer Control Table, ATCS-204, ATCS-211, ATCS-212, ATCS-224, ATCS-226, ATCS-231, ATCS-266, ATCS-267, ATCS-280, ATCS-281, ATCS-282, ATCS-283, ATCS-312, ATCS-379, ATCS-381, ATCS-424, ATCS-428, ATCS-447, ATCS-483, ATCS-596, ATCS-747, ATCS-767, ATCS-768, ATCS-769, ATCS-770; Netherlands Personal Data Protection Act, Session 1999-2000 Nr.92, REVISED BILL (as approved by the Lower House on 23 November 1999), Unofficial Translation, Art 28.4; Austria Data Protection Act, § 14(5); NRC Regulations (10 CFR) § 73.54 Protection of digital computer and communication systems and networks, § 73.54(h); Missouri Revised Statutes Chapter 407 Merchandising Practices § 407.1500, § 407.1500.2(5)
Sarbanes Oxley Guidance
The organization must prepare and maintain audit work papers and other information used to support the conclusions of the audit report for not less than 7 years. [§ 103(a)(2)(A)(i), § 1520(a)(2), The Sarbanes-Oxley Act of 2002]
The organization should create a policy for retaining records associated with an audit or review for 7 years. Any documents that are created, sent, or received and contain opinions, financial data, or conclusions about the audit or review should be included in the policy. [§ 210.2-06(a)(1), § 210.2-06(a)(2), Retention of Audit and Review Records, SEC 17 CFR 210.2-06]
Documents submitted to the Commission that require a signature should be retained by the filer for 5 years. [§ 240.16a-3(i), Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3]
The organization should establish document retention policies or review for adequacy existing document retention policies for all types of documents (paper and electronic). [§ I.A, App A § IV.A, OMB Circular A-123 Management’s Responsibility for Internal Control]
The organization should develop a policy for the retention of documentation. [Pg 22, Pg 30, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
All records required to be kept by the Bank Secrecy Act (BSA) must be retained for 5 years. [Pg 8, Obj 3 (Reporting, Record Keeping, and Record Retention), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]
The audit policies should establish a timeframe for the retention of audit work papers. [Pg 12, FFIEC IT Examination Handbook – Audit, August 2003]
Archived data should be retained in accordance with the retention requirements. System documentation should be archived in case a system needs to be reinstalled into the production environment. [Pg 32, FFIEC IT Examination Handbook – Development and Acquisition]
[Exam Tier II Obj I.5, FFIEC IT Examination Handbook – Operations, July 2004]
[Exam Tier II Obj 6.3, Exam Tier II Obj 12.3, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
The organization must retain compliance evidence for not less than 2 years in a form that is capable of accurately retaining and reproducing information. If the organization is being investigated, it must retain the records pertaining to the action until final disposition, unless disposal is allowed by court order. [§ 229.21(g), SEC 12 CFR 229 Availability of Funds and Collection (Check Clearing for the 21st Century)]
NASD NYSE Guidance
Every national securities exchange, national securities association, registered clearing agency and the Municipal Securities Rulemaking Board shall keep all such documents for a period of not less than five years, the first two years in an easily accessible place, subject to the destruction and disposition provisions of Rule 17a–6. [§ 240.17a-6(b), Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1]
Energy Guidance
Licensees must retain all records and the supporting technical documentation required to satisfy this section's requirements until the license for which the records were developed has been terminated by the Nuclear Regulatory Commission. Superseded portions of records must be retained for at least 3 years after being superseded, unless the Commission has specified otherwise. [§ 73.54(h), NRC Regulations (10 CFR) § 73.54 Protection of digital computer and communication systems and networks]
Payment Card Guidance
The organization must develop a data retention and disposal policy and retain data for as long as the information is necessary.
Verify the organization has a data retention and disposal policy that includes specific retention requirements for cardholder data; legal, regulatory, and business retention and disposal requirements; and procedures to remove on a quarterly basis cardholder data that exceeds business retention and disposal requirements. [§ 3.1.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
The software vendor should provide guidance to their customers on how to purge cardholder data after the data retention period defined by the customer and where the data to be purged is located. [§ 2.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]
The organization must develop a data retention and disposal policy and retain data for as long as the information is necessary. [§ 3.1(b), Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
US Federal Security Guidance
The accreditation or reaccreditation document should be maintained by the accreditation authority. [§ 3-7, Army Regulation 380-19: Information Systems Security, February 27, 1998]
The results from investigations should be retained for statistical purposes and trend analysis in accordance with the organization's retention policy. [Revised Volume 2 Pg 1-I-40, Protection of Assets Manual, ASIS International]
With the approval of the Archivist of the United States, retention schedules should be established for federal records. [§ 8(a)(5)(c), Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources]
Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
All required records must be kept for a period of 5 years. [§ 762.6(a), US Export Administration Regulations Database]
US Federal Privacy Guidance
Telemarketers and sellers are required to keep, for 24 months from the date a record is produced, the following information: advertising and promotional materials; contact information for prize recipients who win something worth $25 or more; contact information for each customer together with what they bought; and contact information for all former employees who performed selling and telemarketing work. [§ 310.5(a), Telemarketing Sales Rule (TSR), 16 CFR 310]
US Internal Revenue Guidance
Records of the requests by or to the organization for Federal Tax Information must be maintained for 5 years. The organization should retain inspection reports for a minimum of 3 years. [§ 3.1, § 6.3.5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
[§ 5.01(1), IRS Revenue Procedure: Record retention: automatic data processing, 98-25]
Records Management Guidance
An organization must assess the regulatory environment, business and accountability requirements and the risk in order to determine how long records should be stored. [§ 9.2, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]
To determine how long to maintain records, a five-stage analysis should be undertaken. Step one involves determining the legal or administrative requirements for maintaining records in the system. Step two is determining the uses of records within the system. For step three, links to other systems should be examined and documented. Step four is where the organization considers the uses for the record. Finally, step five is allocating retention periods for records based on the total system evaluation conducted over the course of steps one through four. [§ 4.2.4.3, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines]
NIST Guidance
The organization needs to retain its audit logs for an organizationally prescribed period of time in order to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. [AU-11, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records and documents should be examined to ensure audit logs are retained for a predefined period of time to meet regulatory and organizational requirements and that specific responsibilities and actions are defined for the implementation of the audit retention control. Any problems discovered during the implementation of the audit retention control should be documented and used to improve the control.
Interviews should be conducted with personnel involved in the auditing process. [AU-11, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
US State Laws and Protectorates Guidance
When a breach investigation concludes that the breach has not and will not likely result in harm to any individuals, the organization must document the non-notification requirement in writing and maintain the documentation for 5 years. Required notification cannot be considered public record. [§ 45.48.010(c), Alaska Personal Information Protection Act, Chapter 48]
When a breach investigation or consultation with federal, state, and local agencies responsible for law enforcement concludes that the breach has not and will not likely result in harm to any individuals, the organization must document the non-notification requirement in writing and maintain the documentation for 5 years. [§ 817.5681(10), Florida Statute 817.5681 Breach of security concerning confidential personal information in third-party possession]
When a breach investigation concludes that the breach has not and will not likely result in harm to any individuals, the organization must document the non-notification requirement in writing and maintain the documentation for 5 years. [§ 715C.2.6, Iowa Code Annotated § 715C Personal Information Security Breach Protection]
If the organization determines that notification is not required based on the security breach investigation, the organization must maintain documents on its determination for 3 years. [§ 14-3504(b)(4), Maryland Code of Commercial Law Subtitle 35. Maryland Personal Information Protection Act §14-3501 thru §14-3508]
When a breach investigation concludes that the breach has not and will not likely result in harm to any individuals, the organization must document the non-notification requirement in writing and maintain the documentation for 5 years. [§ 56:8-163.a, New Jersey Permanent Statutes Title 56 Security of Personal Information]
If a breach investigation concludes that a risk of identity theft or other fraud to a consumer is not reasonably likely to occur and therefore notification is not required, the organization must document the determination in writing and maintain the documentation for 5 years. [§ 407.1500.2(5), Missouri Revised Statutes Chapter 407 Merchandising Practices § 407.1500]
General Guidance
The organization should define and implement procedures for data storage and archival, so data remain accessible and usable. The procedures should consider retrieval requirements, cost-effectiveness, continued integrity and security requirements. Establish storage and retention arrangements to satisfy legal, regulatory and business requirements for documents, data, archives, programs, reports and messages (incoming and outgoing) as well as the data (keys, certificates) used for their encryption and authentication. [DS11.2, CobiT 4.1]
UK and Canadian Guidance
Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods. [Sched 1 Principle 4.5.2, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5]
Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods. [§ 4.5.2, Canada Privacy Act, P-21]
Latin American Guidance
The automatic gathering and processing of personal data made for public safety purposes shall be limited to the needs of preventing imminent danger to public security, police functions or to fight crime, shall be stored in specific files set up for such purposes and shall be classified into categories according to their reliability. In addition, all personal data in connection with public safety or police functions shall be eliminated after they have served the purpose for which they were gathered and processed or are no longer useful for the same purpose. [Art 21, Mexico Federal Personal Data Protection Law, November 2005]
Other European and African Guidance
If processing of any items listed in Section 28(1)(b) to 28(1)(f) departs from what the Data Protection Commission or data protection officer was notified of, it must be recorded and kept for at least 3 years. [Art 28.4, Netherlands Personal Data Protection Act, Session 1999-2000 Nr.92, REVISED BILL (as approved by the Lower House on 23 November 1999), Unofficial Translation]
Logs and documentation data must be kept for 3 years, unless expressly stated otherwise by law. Deviations from this rule are permitted to the extent that the data may legitimately be erased earlier or stored longer. [§ 14(5), Austria Data Protection Act]
Asia and Pacific Rim Guidance
The auditor is required to retain all working papers associated with the audit for 7 years. Working papers in electronic form are considered to be retained only if they can be converted to a paper format. [Sched 1 ¶ 40, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]
A credit reporting agency must delete from an individual’s credit information file maintained by the credit reporting agency any personal information of a kind referred to in paragraph 18E(1)(b) or (ba) within 1 month after the end of the maximum permissible period for the keeping of personal information of that kind. In addition, different retention lengths for different types of information are provided. This section makes many references to other portions of the document, so it is best to view it directly. [Part IIIA § 118F(1), Part IIIA § 118F(2), Australia Privacy Act 1988]
Any operator of a credit information business must preserve the following types of records for three years: addresses and names of clients or of institutions providing or exchanging information, details of activities requested and date of request, processing details of activities requested or details of credit information provided and corresponding dates and other matters as prescribed by presidential decree. [Art 20(2), Korea Act Relating to Use and Protection of Credit Information]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
