Establish, implement, and maintain a data retention program.


CONTROL ID: 00906
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define each system's preservation requirements for records and logs., CC ID: 00904

This Control has the following implementation support Control(s):
  • Store records and data in accordance with organizational standards., CC ID: 16439
  • Remove dormant data from systems, as necessary., CC ID: 13726
  • Select the appropriate format for archived data and records., CC ID: 06320
  • Archive appropriate records, logs, and database tables., CC ID: 06321
  • Maintain continued integrity for all stored data and stored records., CC ID: 00969
  • Archive document metadata in a fashion that allows for future reading of the metadata., CC ID: 10060
  • Store personal data that is retained for long periods after use on a separate server or media., CC ID: 12314


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Standard § II.3(7): The procedures, results, identified deficiencies, and remedial actions of the information on the assessment of internal control over financial reporting should be recorded and retained. Practice Standard § II.3(7)[1]: The following information should be recorded and retained b… (Standard § II.3(7), Practice Standard § II.3(7)[1], Practice Standard § II.3(7)[2], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • O26.3: The organization should keep documents pertaining to revisions for a specified time period, depending on the file's significance. O43.3(3): The organization shall consider retaining for a specified period records of the procedures (persons in charge, time and date, and details of procedures) … (O26.3, O43.3(3), O45.5, O77.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Deciding on data classification/de-classification and archival/purging procedures for the data pertaining to an application as per relevant policies/regulatory/statutory requirements (Critical components of information security 11) c.2. Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Any operator of a credit information business must preserve the following types of records for three years: addresses and names of clients or of institutions providing or exchanging information, details of activities requested and date of request, processing details of activities requested or detail… (Art 20(2), Korea Act Relating to Use and Protection of Credit Information)
  • To ensure data availability is aligned with the FI's business requirements, the FI should institute a policy to manage the backup data life cycle, which includes the establishment of the frequency of data backup and data retention period, management of data storage mechanisms, and secure destruction… (§ 8.4.2, Technology Risk Management Guidelines, January 2021)
  • A digital preservation policy is developed and implemented. (Security Control: 1510; Revision: 1, Australian Government Information Security Manual, March 2021)
  • A credit reporting agency must delete from an individual's credit information file maintained by the credit reporting agency any personal information of a kind referred to in paragraph 18E(1)(b) or (ba) within 1 month after the end of the maximum permissible period for the keeping of personal inform… (Part IIIA § 118F(1), Part IIIA § 118F(2), Australia Privacy Act 1988)
  • The auditor is required to retain all working papers associated with the audit for 7 years. Working papers in electronic form are considered to be retained only if they can be converted to a paper format. (Sched 1 ¶ 40, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • Is there a corporate policy on log retention and the centralised storage and management of log information? (Secure configuration Question 20, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • There may be statutory or contractual requirements regarding the documentation that must be observed, e.g. storage periods and levels of detail. Documentation only fulfils its purpose if it is drawn up and updated at regular intervals. Furthermore, the documentation must be identified and store… (§ 4.2 Bullet 5 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Policies and instructions with technical and organisational safeguards in order to avoid losing data are documented, communicated and provided according to SA-01. They provide reliable procedures for the regular backup (backup as well as snapshots, where applicable) and restoration of data. The scop… (Section 5.6 RB-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • If processing of any items listed in Section 28(1)(b) to 28(1)(f) departs from what the Data Protection Commission or data protection officer was notified of, it must be recorded and kept for at least 3 years. (Art 28.4, Netherlands Personal Data Protection Act, Session 1999-2000 Nr.92, REVISED BILL (as approved by the Lower House on 23 November 1999), Unofficial Translation)
  • Logs and documentation data must be kept for 3 years, unless expressly stated otherwise by law. Deviations from this law are permitted to the extent that the data may be legitimately erased earlier or stored longer. (§ 14(5), Austria Data Protection Act)
  • Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation's security policy and regulatory requirements. (DS11.2 Storage and Retention Arrangements, CobiT, Version 4.1)
  • Call centers will need to ensure that an appropriate retention policy is implemented and maintained. (Pg. 8 ¶ 2, Information Supplement: Protecting Telephone-based Payment Card Data, Version 2.0)
  • Get and examine security policies and procedures and verify that they include audit log retention policies and require audit log retention for at least one year. (§ 10.7.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify that policies and procedures include coverage for all storage of cardholder data. (§ 3.1.1.c, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the security policies and procedures to verify they include audit log retention policies. (Testing Procedures § 10.7.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the security policies and procedures to verify they include procedures for keeping audit logs for at least 1 year and keeping a minimum of 3 months available online for immediate use. (Testing Procedures § 10.7.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Obtain and examine security policies and procedures and verify that they include audit log retention policies and require audit log retention for at least one year. (§ 10.7.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The organization must keep cardholder data storage to a minimum and dispose of it when it is no longer needed. (§ 3.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that policies and procedures include coverage for all storage of cardholder data. (§ 3.1.1.c Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The organization must keep cardholder data storage to a minimum and dispose of it when it is no longer needed. (PCI DSS Requirements § 3.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements? (3.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are there specific retention requirements for cardholder data? (3.1 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are data-retention and disposal policies, procedures, and processes implemented as follows: (3.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are there specific retention requirements for cardholder data? (3.1 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are data-retention and disposal policies, procedures, and processes implemented as follows: (3.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are data-retention and disposal policies, procedures, and processes implemented as follows: (3.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements? (3.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Are there specific retention requirements for cardholder data? (3.1 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Does all stored cardholder data meet the requirements defined in the data-retention policy? (3.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • The software vendor should provide guidance to their customers on how to purge cardholder data after the data retention period defined by the customer and where the data to be purged is located. (§ 2.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: (3.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine the data retention and disposal policies, procedures, and processes and interview personnel to verify processes are defined to include all elements specified in this requirement. (3.2.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Audit log retention policies. (10.5.1.a Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, or business reasons? (PCI DSS Question 3.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Does all stored cardholder data meet the requirements defined in the data retention policy? (PCI DSS Question 3.1(e), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, or business reasons? (PCI DSS Question 3.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Does all stored cardholder data meet the requirements defined in the data retention policy? (PCI DSS Question 3.1(e), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, or business reasons? (PCI DSS Question 3.1(b), PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • Does all stored cardholder data meet the requirements defined in the data retention policy? (PCI DSS Question 3.1(e), PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: (3.2.1 ¶ 1, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: (3.2.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: (3.2.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: (3.2.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: (3.2.1, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A data management review should be performed and should, at a minimum, consider data retention and archiving and retention tools. (App A.4 (Recommendations for Data Management), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • All logging-generated data should be maintained for a defined time period after which the data should be destroyed. The retention period should be based on regulatory and audit requirements, corporate policies, the access being logged, and data storage constraints. (§ 3.4.5 ¶ 2, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • The results from investigations should be retained for statistical purposes and trend analysis in accordance with the organization's retention policy. (Revised Volume 2 Pg 1-I-40, Protection of Assets Manual, ASIS International)
  • The management of documents should be supported by a document retention policy. (CF.03.02.02a, The Standard of Good Practice for Information Security)
  • The management of documents should be supported by a retention schedule. (CF.03.02.02b, The Standard of Good Practice for Information Security)
  • A document retention policy should be developed, which is supported by executive management. (CF.03.02.03a, The Standard of Good Practice for Information Security)
  • A document retention policy should be developed, which specifies employee obligations for document management and the consequences of non-compliance. (CF.03.02.03b, The Standard of Good Practice for Information Security)
  • A document retention policy should be developed, which covers the different formats of information that are subject to the policy (including paper-based and electronic documents). (CF.03.02.03c, The Standard of Good Practice for Information Security)
  • A document retention policy should be developed, which defines important terms (e.g., what constitutes a document and a record, and their respective lifecycles). (CF.03.02.03d, The Standard of Good Practice for Information Security)
  • A document retention policy should be developed, which explains how to back-up and archive information. (CF.03.02.03e, The Standard of Good Practice for Information Security)
  • A document retention policy should detail requirements for legal and regulatory compliance, including any relevant standards relating to retention that are to be used. (CF.03.02.04a, The Standard of Good Practice for Information Security)
  • A document retention policy should detail requirements for legal and regulatory compliance, including mechanisms for handling conflicting requirements (e.g., retention periods in different jurisdictions). (CF.03.02.04b, The Standard of Good Practice for Information Security)
  • A document retention policy should detail requirements for legal and regulatory compliance, including a process for dealing with legal discovery (e.g., requests for information held in a Document Management System). (CF.03.02.04c, The Standard of Good Practice for Information Security)
  • A document retention policy should be supported by a comprehensive document retention schedule, which contains the retention period for each type of document used by the organization (e.g., payroll records, legal correspondence, insurance policies, financial statements, or tax returns). (CF.03.02.05, The Standard of Good Practice for Information Security)
  • The Records Management process should include monitoring each record to ensure it complies with the organization's document retention policy and schedule (e.g., providing a notification when the retention period has ended). (CF.03.02.07b, The Standard of Good Practice for Information Security)
  • The information classification scheme should take into account requirements for document retention (based on the organization's document retention policy), including legal and regulatory obligations (e.g., the minimum and maximum statutory length of time that privacy-related and financial informatio… (CF.03.01.05a, The Standard of Good Practice for Information Security)
  • The management of documents should be supported by a document retention policy. (CF.03.02.02a, The Standard of Good Practice for Information Security, 2013)
  • The management of documents should be supported by a retention schedule. (CF.03.02.02b, The Standard of Good Practice for Information Security, 2013)
  • A document retention policy should be developed, which is supported by executive management. (CF.03.02.03a, The Standard of Good Practice for Information Security, 2013)
  • A document retention policy should be developed, which specifies employee obligations for document management and the consequences of non-compliance. (CF.03.02.03b, The Standard of Good Practice for Information Security, 2013)
  • A document retention policy should be developed, which covers the different formats of information that are subject to the policy (including paper-based and electronic documents). (CF.03.02.03c, The Standard of Good Practice for Information Security, 2013)
  • A document retention policy should be developed, which defines important terms (e.g., what constitutes a document and a record, and their respective lifecycles). (CF.03.02.03d, The Standard of Good Practice for Information Security, 2013)
  • A document retention policy should be developed, which explains how to back-up and archive information. (CF.03.02.03e, The Standard of Good Practice for Information Security, 2013)
  • A document retention policy should detail requirements for legal and regulatory compliance, including any relevant standards relating to retention that are to be used. (CF.03.02.04a, The Standard of Good Practice for Information Security, 2013)
  • A document retention policy should detail requirements for legal and regulatory compliance, including mechanisms for handling conflicting requirements (e.g., retention periods in different jurisdictions). (CF.03.02.04b, The Standard of Good Practice for Information Security, 2013)
  • A document retention policy should detail requirements for legal and regulatory compliance, including a process for dealing with legal discovery (e.g., requests for information held in a Document Management System). (CF.03.02.04c, The Standard of Good Practice for Information Security, 2013)
  • A document retention policy should be supported by a comprehensive document retention schedule, which contains the retention period for each type of document used by the organization (e.g., payroll records, legal correspondence, insurance policies, financial statements, or tax returns). (CF.03.02.05, The Standard of Good Practice for Information Security, 2013)
  • The Records Management process should include monitoring each record to ensure it complies with the organization's document retention policy and schedule (e.g., providing a notification when the retention period has ended). (CF.03.02.07b, The Standard of Good Practice for Information Security, 2013)
  • The information classification scheme should take into account requirements for document retention (based on the organization's document retention policy), including legal and regulatory obligations (e.g., the minimum and maximum statutory length of time that privacy-related and financial informatio… (CF.03.01.05a, The Standard of Good Practice for Information Security, 2013)
  • The organization should create a retention policy for inappropriate usage investigative case material. All copies should be destroyed as specified in this policy. (Special Action 4.11, SANS Computer Security Incident Handling, Version 2.3.1)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obl… (BCR-12, Cloud Controls Matrix, v3.0)
  • Data retention, archiving and deletion is managed in accordance with business requirements, applicable laws and regulations. (DSP-16, Cloud Controls Matrix, v4.0)
  • Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. (CIS Control 3: Data Protection, CIS Controls, V8)
  • Retain data according to the enterprise's data management process. Data retention must include both minimum and maximum timelines. (CIS Control 3: Safeguard 3.4 Enforce Data Retention, CIS Controls, V8)
  • The organization shall define how long at least one copy of obsolete controlled documents is kept. This is to ensure the medical device documents are available for at least the medical device lifetime, but not less than the retention period for any resulting record or as specified by regulatory req… (§ 4.2.3 ¶ 4, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall maintain a copy of the system requirements, along with the rationale, decisions, and assumptions, throughout the lifecycle. (§ 6.4.2.3(b)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • An organization must assess the regulatory environment, business and accountability requirements and the risk in order to determine how long records should be stored. (§ 9.2, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • To determine how long to maintain records, a five-stage analysis should be undertaken. Step one involves determining the legal or administrative requirements for maintaining records in the system. Step two is determining the uses of records within the system. For step three, links to other systems sh… (§ 4.2.4.3, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • An analysis of the organization's internal environment and external environment, the relationship with those environments, and the identification of business activities and business functions it performs is required to determine which records should be captured and how long they should be kept. (§ 4.2.4.2 ¶ 1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The legal requirements or administrative requirements for maintaining records should be determined, in order to determine how long records are to be maintained. (§ 4.2.4.3 ¶ 1(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The uses of the records in the system should be determined, in order to determine how long records are to be maintained. (§ 4.2.4.3 ¶ 1(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Links to other systems should be determined, in order to determine how long records are to be maintained. (§ 4.2.4.3 ¶ 1(c), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The broad range of uses should be considered, including identifying other stakeholders with legitimate or enforceable interests in preserving the record for longer than the internal users, in order to determine how long records are to be maintained. (§ 4.2.4.3 ¶ 1(d)(1), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The broad range of uses should be considered, including assessing the risks of destroying the record after routine, internal use of the record is finished, in order to determine how long records are to be maintained. (§ 4.2.4.3 ¶ 1(d)(2), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The broad range of uses should be considered, including considering what records and actions would be necessary to ensure business continuity due to the loss of or damage to records, in order to determine how long records are to be maintained. (§ 4.2.4.3 ¶ 1(d)(3), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The broad range of uses should be considered, including assessing the political, financial, social, or other positive gains from keeping the records after the organizational use is completed, in order to determine how long records are to be maintained. (§ 4.2.4.3 ¶ 1(d)(4), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The broad range of uses should be considered, including analyzing the balance between the non-financial gains and the costs of record retention, in order to determine how long records are to be maintained after organizational needs are met. (§ 4.2.4.3 ¶ 1(d)(5), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Retention periods should be allocated based on the total system evaluation, clearly stated, and the disposition triggers should be clearly identified. (§ 4.2.4.3 ¶ 1(e), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • retention and disposition. (§ 7.5.3 ¶ 2 f), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • retention and disposition. (7.5.3.2 ¶ 1(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • retention and disposition. (§ 7.5.3 ¶ 2 f), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevan… (§ 12.3.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The policy should cover the retention period for PII before its destruction after termination of a contract, to protect the cloud service customer from losing PII through an accidental lapse of the contract. (§ A.10.3 ¶ 7, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • An effective Records and Information Management program should include the establishment of a workable retention schedule for paper and Electronically Stored Information. (Comment 1.b ¶ 2 Bullet 1, The Sedona Principles Addressing Electronic Document Production)
  • An effective Records and Information Management program should address the retention requirements for e-mail, instant messaging, voicemail, and other communications. (Comment 1.b ¶ 2 Bullet 3, The Sedona Principles Addressing Electronic Document Production)
  • The organization must retain Electronically Stored Information and documents that may be relevant to current or reasonably anticipated litigation. (Comment 1.c ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • subject to subsections 16(2) and (3), preserve the data until the demand expires or is revoked; and (Section 15(6)(a), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • Data is maintained, stored, retained and destroyed according to the organization's data retention policy. (PR.IP-6.1, CRI Profile, v1.2)
  • Data is maintained, stored, retained and destroyed according to the organization's data retention policy. (PR.IP-6.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The automatic gathering and processing of personal data made for public safety purposes shall be limited to the needs of preventing imminent danger to public security, police functions or to fight crime, shall be stored in specific files set up for such purposes and shall be classified into categori… (Art 21, Mexico Federal Personal Data Protection Law, November 2005)
  • The organization should dispose of original, backup, archived, and personal copies of records in accordance with the destruction policy. (Table Ref 5.2.3, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use. (CIP-011-2 Table R1 Part 1.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Information Protection CIP-011-2, Version 2)
  • One or more processes to preserve data, per Cyber Asset capability, for determining the cause of a Cyber Security Incident that triggers activation of the recovery plan(s). Data preservation should not impede or restrict recovery. (CIP-009-6 Table R1 Part 1.5 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Does the procedure for managing information assets include data retention? (§ D.2.2.9, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Is there a records retention policy covering paper records in support of applicable regulations? (§ L.5, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Is there a records retention policy covering electronic records (including e-mail) in support of applicable regulations? (§ L.5, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Is there a records retention policy covering paper records in support of standards? (§ L.5, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Is there a records retention policy covering paper records in support of contractual requirements? (§ L.5, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Is there a records retention policy covering electronic records (including e-mail) in support of standards? (§ L.5, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Is there a records retention policy covering electronic records (including e-mail) in support of contractual requirements? (§ L.5, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • For cloud computing services, is there a data retention schedule? (§ V.1.37, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The accreditation or reaccreditation document should be maintained by the accreditation authority. (§ 3-7, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • § 422.504(d): A Medicare Advantage (MA) organization must maintain records, books, documents, and other evidence of their accounting procedures and practices for 10 years. These documents must be sufficient to accommodate periodic auditing; enable Centers for Medicare & Medicaid Services (CMS) to i… (§ 422.504(d), § 495.8(c)(2), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • Establish and maintain a data retention policy and supporting records schedule. (Entire document, Centers For Medicare & Medicaid Services (CMS) Records Schedule)
  • The organization must implement retention procedures for all CMS sensitive information. (CSR 1.3.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must retain compliance evidence for not less than 2 years in a form that is capable of accurately retaining and reproducing information. If the organization is being investigated, it must retain the records pertaining to the action until final disposition, unless disposal is allowed… (§ 229.21(g), 12 CFR Part 229 Availability of Funds and Collection (Check Clearing for the 21st Century))
  • Telemarketers and sellers are required to keep, from the date a record is produced to the passing of 24 months, the following information: advertising and promotional materials, contact information for prize recipients if they win something worth $25 or more, contact information for each customer as well as what… (§ 310.5(a), 16 CFR Part 310, Telemarketing Sales Rule (TSR))
  • The Records Management Application shall be able to reschedule the disposition of records and/or record folders during any lifecycle phase, if an authorized individual changes the disposition instructions, including changing the Cutoff criteria and the retention period. (§ C2.2.2.6, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The responsibilities of the authorized individuals referred to in section C2.2.2.6 (changing the disposition instructions) shall be accomplished by a records manager (editing the disposition instructions and manually executing the rules to reschedule). (Table C2.T5 Requirement C2.2.2.6, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The end users' non-disclosure forms should be treated and retained as official records. (PRNK-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Records shall be kept for a time period equal to the design and expected life of the device, but not less than 2 years from the commercial distribution release date. (§ 820.180(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Required documentation, listed in § 164.316(b)(1), shall be kept for 6 years from the creation date or the date it was last in effect, whichever is later. (§ 164.316(b)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Documentation required by § 164.530(j)(1) must be retained for 6 years from the creation date or the date it was last in effect, whichever is later. (§ 164.530(j)(2), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Establish and maintain a data retention policy and supporting records schedule. (Entire document, Department of Health and Human Services Records Management Handbook, Appendix B - General Records Schedule, V 1.2)
  • The Records Officer must ensure that signed forms and related documentation for personnel departures are kept in a centralized file for at least 10 years in the Records Management or Personnel office. (Ch 10 (Responsibilities).c, Department of Health and Human Services Records Management Procedures Manual, Version 1.0 Final Draft)
  • Access privilege change logs shall be kept for at least 1 year or according to the agency's record retention policy, whichever is greater. (§ 5.5.2.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Understands where data reside and maintains the effectiveness of controls over that data. (App A Objective 3:5c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Archived data should be retained in accordance with the retention requirements. System documentation should be archived in case a system needs to be reinstalled into the production environment. (Pg 32, FFIEC IT Examination Handbook - Development and Acquisition)
  • Review and evaluate whether imaging hardware and software are interchangeable with that of other vendors. If they are, does management utilize normal processes or procedures when making changes or repairs? If they are not, has management identified alternate solutions should the current imaging hard… (Exam Tier II Obj I.5, FFIEC IT Examination Handbook - Operations, July 2004)
  • Periodically review your data retention policy to minimize the unnecessary retention of data; (§ 314.4 ¶ 1(c)(6)(ii), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Records of the requests by or to the organization for Federal Tax Information must be maintained for 5 years. The organization should retain inspection reports for a minimum of 3 years. (§ 3.1, § 6.3.5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • (§ 5.01(1), IRS Revenue Procedure: Record retention: automatic data processing, 98-25)
  • Do the policies identify the official records and the key operational records that should not be destroyed? (IT - Compliance Q 7, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the … (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizations should develop policies that clearly define mandatory requirements and suggested recommendations for how long each type of log data must or should be preserved. (§ 4.2 Bullet 3, Guide to Computer Security Log Management, NIST SP 800-92)
  • The ability for containers to be deployed and destroyed automatically based on the needs of an app allows for highly efficient systems but can also introduce some challenges for records retention, forensic, and event data requirements. Organizations should make sure that appropriate mechanisms are i… (6.5 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • Minimize the amount of data stored on a client computer. Critical user data should be stored on central servers that are backed up as part of an organization's enterprise backup strategy, rather than on the client computer hard drive. (§ 5.2.1 ¶ 2 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Servers normally have much larger amounts of data that need to be maintained and secured. It is recommended that, in environments with multiple servers, storage not be dedicated to each server but rather centralized for use by multiple servers. SAN and NAS are common multi-server storage systems. Cen… (§ 5.2.2 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must keep audit logs for an organizationally defined period to meet retention requirements and to support after-the-fact security incident investigations. (SG.AU-10 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop policies and procedures that detail how organizational information is retained. (SG.ID-2 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must establish retention policies and procedures for electronic data and paper data. (SG.ID-2 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Licensees must retain all records and the supporting technical documentation required to satisfy this section's requirements until the license for which the records were developed has been terminated by the Nuclear Regulatory Commission. Superseded portions of records must be retained for at least 3… (§ 73.54(h), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • The organization should develop a policy for the retention of documentation. (Pg 22, Pg 30, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • The organization should establish document retention policies or review for adequacy existing document retention policies for all types of documents (paper and electronic). (§ I.A, App A § IV.A, OMB Circular A-123, Management's Responsibility for Internal Control)
  • The organization should create a policy for retaining records associated with an audit or review for 7 years. Any documents that are created, sent, or received and contain opinions, financial data, or conclusions about the audit or review should be included in the policy. (§ 210.2-06(a)(1), § 210.2-06(a)(2), 17 CFR Part 210.2-06, Retention of Audit and Review Records)
  • When a breach investigation concludes that the breach has not and will not likely result in harm to any individuals, the organization must document the non-notification requirement in writing and maintain the documentation for 5 years. Required notification cannot be considered public record. (§ 45.48.010(c), Alaska Personal Information Protection Act, Chapter 48)
  • When a breach investigation or consultation with federal, state, and local agencies responsible for law enforcement concludes that the breach has not and will not likely result in harm to any individuals, the organization must document the non-notification requirement in writing and maintain the doc… (§ 817.5681(10), Florida Statutes, Section 817.5681, Breach of security concerning confidential personal information in third-party possession)
  • When a breach investigation concludes that the breach has not and will not likely result in harm to any individuals, the organization must document the non-notification requirement in writing and maintain the documentation for 5 years. (§ 715C.2.6, Iowa Code Annotated, Section 715C, Personal Information Security Breach Protection)
  • If the organization determines that notification is not required based on the security breach investigation, the organization must maintain documents on its determination for 3 years. (§ 14-3504(b)(4), Maryland Commercial Law, Subtitle 35, Maryland Personal Information Protection Act, Sections 14-3501 thru 14-3508)
  • If a breach investigation concludes that a risk of identity theft or other fraud to a consumer is not reasonably likely to occur and therefore notification is not required, the organization must document the determination in writing and maintain the documentation for 5 years. (§ 407.1500.2(5), Missouri Revised Statutes, Chapter 407 Merchandising Practices. Section 407.1500)
  • When a breach investigation concludes that the breach has not and will not likely result in harm to any individuals, the organization must document the non-notification requirement in writing and maintain the documentation for 5 years. (§ 56:8-163.a, New Jersey Permanent Statutes, Title 56, Security of Personal Information)
  • data governance, classification and retention; (§ 500.3 Cybersecurity Policy (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)