Define each system's preservation requirements for records and logs.
CONTROL ID
00904
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management policies., CC ID: 00903

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a data retention program., CC ID: 00906
  • Establish, implement, and maintain storage media retention procedures., CC ID: 16277
  • Determine how long to keep records and logs before disposing them., CC ID: 11661
  • Define which documents and records the organization may capture., CC ID: 00905
  • Establish, implement, and maintain storage media disposition and destruction procedures., CC ID: 11657


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • In order to cope with the tampering and destruction of programs caused by unauthorized programs such as computer viruses and damage due to troubles and disasters, it is necessary to acquire backup copies of important program files, such as a production program, and to define the storage and manageme… (P41.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The audit trails need to be stored as per a defined period as per any internal/regulatory/statutory requirements and it should be ensured that they are not tampered with. (Critical components of information security 11) c.7., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Before the recordkeeping project's cost-benefit analysis can be conducted, the business purpose and overall business objectives have to be understood and accounted for. (App 10, Pg 3, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Is the documented information controlled in a way that it is available and adequately protected, distributed, stored, retained and under change control, including documents of external origin required by the organization for the BCMS? (Support ¶ 6, ISO 22301: Self-assessment questionnaire)
  • Clinical records or certificates of attendance at birth that contain personal data identifying the mother, who has objected, may be issued to any person who is interested in the data after 100 years have passed since the document was drawn up. During this 100 year period, requests for access ma… (§ 93, Italy Personal Data Protection Code)
  • You hold logging data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted. (C1.b ¶ 1, NCSC CAF guidance, 3.1)
  • Does all stored cardholder data meet the requirements defined in the data-retention policy? (3.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Coverage for all locations of stored account data. (3.2.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. (3.2.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. (3.2.1 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Limited to that which is needed for a legitimate issuing business need and is secured. (3.3.3 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine files and system records on system components where account data is stored to verify that the data storage amount and retention time does not exceed the requirements defined in the data retention policy. (3.2.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are there specific retention requirements for cardholder data? (PCI DSS Question 3.1(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are there specific retention requirements for cardholder data? (PCI DSS Question 3.1(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are there specific retention requirements for cardholder data? (PCI DSS Question 3.1(c), PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • Coverage for all locations of stored account data. (3.2.1 ¶ 1 Bullet 1, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. (3.2.1 ¶ 1 Bullet 3, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. (3.2.1 ¶ 1 Bullet 4, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Coverage for all locations of stored account data. (3.2.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. (3.2.1 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. (3.2.1 Bullet 4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Coverage for all locations of stored account data. (3.2.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. (3.2.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. (3.2.1 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Coverage for all locations of stored account data. (3.2.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. (3.2.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. (3.2.1 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Limited to that which is needed for a legitimate issuing business need and is secured. (3.3.3 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Coverage for all locations of stored account data. (3.2.1 Bullet 1, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. (3.2.1 Bullet 3, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. (3.2.1 Bullet 4, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Information and diagnoses of injuries/illnesses must be inputted into the injury/illness log within 6 working days, and the log must be kept current to within 45 days. The logs and records must be maintained for 5 years and must be available to personnel from the Department of Labor and the Departme… (Pg 29-I-16, Protection of Assets Manual, ASIS International)
  • An analysis of the organization's business and accountabilities should be used to make decisions on which documents to capture and which to discard. (§ 4.3.2 ¶ 2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • When deciding how to store records, the amount of time they must be kept should be considered. Records can be stored on microfiche, digital media, or paper. If digital media is used, procedures should be in place to ensure the media can be read in the future due to possible technology changes. (§ 15.1.3, ISO 27002 Code of practice for information security management, 2005)
  • storage and preservation, including preservation of legibility; (7.5.3.2 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • An effective Records and Information Management program should include helping business units identify the business records that they need to keep. (Comment 1.b ¶ 2 Bullet 2, The Sedona Principles Addressing Electronic Document Production)
  • The organization should establish a team to help make decisions about the preservation of Electronically Stored Information. Team members may include legal counsel, end-user representatives, Information Security personnel, Records and Information Management personnel, and Information System professi… (Comment 2.d ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • The organization should preserve expert witness drafts and materials. (Comment 3.d ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • The organization should generally be allowed to continue having the computer systems overwrite information, if it is incidental to the operation of the system and not a deliberate attempt to destroy evidence in anticipation of or in connection with an investigation, unless it overwrites potentially … (Comment 5.a ¶ 3, The Sedona Principles Addressing Electronic Document Production)
  • Components should provide sufficient audit storage capacity, taking into account retention policy, the auditing to be performed and the online audit processing requirements. Components may rely on the system into which they are integrated to provide the majority of audit storage capacity. However, t… (§6.11.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Define and periodically reevaluate a schedule for retention of Nonpublic Information and a mechanism for its destruction when no longer needed. (Section 4.B ¶ 1(4), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • The required records to be kept include export control documentation, memoranda, notes, contracts, correspondence, financial records, bid invitations, restrictive trade practices, and records of other transactions described in § 762.1(a). Records must be maintained in the form they are received or … (§ 762.2(a), § 762.4, US Export Administration Regulations Database)
  • All records must be maintained for 5 years from the expiration of the license or the date of the transaction. An export license is valid for 4 years. It will expire when the quantity or value approved has been shipped or the expiration date is reached, whichever comes first. Unused, expended, expire… (§ 122.5(a), § 123.21, § 125.6, § 130.14, US The International Traffic in Arms Regulations, April 1, 2008)
  • All sellers and telemarketers must keep for 24 months from the date the record is produced, the following records relating to their activities: any unique advertising and promotional material, the name and address of each prize recipient, the name and last known address of each customer, goods or se… (§ 310.5, 16 CFR Part 310, Telemarketing Sales Rule (TSR))
  • The airport operator must maintain all employment investigation files for 180 days after an individual's unescorted access authority is terminated. After this time the record must be destroyed. The airport operator must designate an individual to maintain and destroy criminal record files. (§ 1542.209(k), § 1542.209(o), 49 CFR Part 1542, Airport Security)
  • The Records Management Application shall only allow authorized individuals to define the Cutoff criteria and the retention period for each lifecycle phase. (§ C2.2.2.3.1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall only allow authorized individuals to define the Cutoff criteria and the interim transfer component or accession location component for each lifecycle phase. (§ C2.2.2.3.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall verify the date entered into the "declassify on" field is no more than the mandated time period from the publication date. (§ C4.1.8, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Records shall be kept for a time period equal to the design and expected life of the device, but not less than 2 years from the commercial distribution release date. (§ 820.180(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • The organization may delete the electronic version of the records, as long as the predicate rule requirements are satisfied and the content and meaning of the records are preserved and archived. (§ III.C.5 ¶ 3, Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application, August 2003)
  • All Letters of Approval and Authorization received from the Department of Homeland Security and all results from audits and inspections must be kept for at least 3 years. The Site Security Plans, Security Vulnerability Assessments, Top-Screens, and other correspondence submitted to the Department of… (§ 27.255(a)(7), § 27.255(b), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • Records accepted by the Archivist of the United States for processing, servicing, and storage in accordance with § 3103 of Title 44 shall be considered maintained by the agency that deposited the records and will be subject to this section. The Archivist of the United States shall not disclose the … (§ 552a(l), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • When CHRI is stored, agencies shall establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of the information. These records shall be stored for extended periods only when they are key elements for the integrity and/or utility of case files… (§ 4.2.4 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Update and retention cycle frequencies (App A Objective 6:3e Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Implement appropriate backups and sufficient documentation and retention periods for each iteration of data backup. (App A Objective 6:3b, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The original document should not be destroyed until it has been verified that the scanned image is readable. (Pg 32, Exam Tier I Obj 9.3, FFIEC IT Examination Handbook - Operations, July 2004)
  • Storing data outside of the container, so that data do not have to be re-created when updating and replacing containers. (Risk Management Audit and Controls Assessment Bullet 3 Sub-bullet 2 Sub-sub-bullet 1, FFIEC Security in a Cloud Computing Environment)
  • Any machine-sensible records containing financial taxpayer information must be retained so long as the contents may become material in the administration of any internal revenue law. For the purposes of discovery, procedure 97-22 requires that any hardcopy books and records stored electronically mus… (§ 5.01, IRS Revenue Procedure: Record retention: automatic data processing, 98-25)
  • The organization should ensure all media classifications have a sanitization method associated with them and the processes are documented. (§ 4.3, § 4.6, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • Media life. Each type of medium has a different use and storage life beyond which the media cannot be relied on for effective data recovery. (§ 5.1.2 ¶ 5 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Minimize the amount of data stored on a client computer. Critical user data should be stored on central servers that are backed up as part of an organization's enterprise backup strategy, rather than on the client computer hard drive. (§ 5.2.1 ¶ 2 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Senior management should define the policies and procedures for sanitizing electronic media and hardware. The policies and procedures should include the following, at a minimum: media should be purged before it is released to personnel who do not have the authorization to access the information cont… (§ 6.a, US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11, January 2007)
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed. (Section 27-62-4(b)(4), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Define, and periodically reevaluate, a schedule for retention of nonpublic information and a mechanism for the destruction of such information when such information no longer is needed. (Part VI(c)(2)(B), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when retention of the nonpublic information is no longer needed. (§ 8604.(b)(4), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed. (§431:3B-202(a)(4), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a procedure for its destruction when no longer needed. (Sec. 16.(b)(4), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for the destruction of nonpublic information if retention is no longer necessary for the licensee’s business operations, or is no longer required by applicable law. (507F.4 2.d., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed. (§2504.B.(4), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when it is no longer needed. (§2264 2.D., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed. (§ 60A.9851 Subdivision 2(4), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed. (§ 83-5-807 (2)(d), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed. (§ 420-P:4 II.(d), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Define and periodically re-evaluate a schedule for retention of nonpublic information and a mechanism for destruction if no longer needed. (26.1-02.2-03. 2.d., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed. (Section 3965.02 (B)(4), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed. (SECTION 38-99-20. (B)(4), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Define and periodically reevaluate a schedule for retaining nonpublic information and a mechanism for the destruction of nonpublic information when the information is no longer needed; (§ 56-2-1004 (2)(D), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction. (§ 38.2-623.B.4., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • Establish and periodically reevaluate a schedule for retention and disposal of nonpublic information and establish a mechanism for the destruction of nonpublic information that is no longer needed. (§ 601.952(1)(c), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)