291
Appendix E
Data Retention
Data retention requirements define the retention period for data. These requirements
are developed by management and are driven by the needs of the business from
various perspectives, which are discussed below. Data retention is intertwined with
data classification requirements and is in some ways a subset of the Data Classification
policy — i.e., certain retention requirements may be tied into data classifications.
Some of the key factors to consider when developing data retention requirements
include:
Historical — Historical data is important in analyzing trends in the business over time. Trend analysis can be done for a number of different business functions including finance, manufacturing, and others. For example, a manufacturing company might analyze production data over time for planning purposes and to identify areas of improvement. The amount of historical data retained for these purposes depends on the specific requirements of the business.
Legal and regulatory — Legal and regulatory requirements from governmental bodies mandate retaining records and force companies to ensure that certain processes are in place to accommodate this. An example is the requirements by the Securities and Exchange Commission (SEC) and the Internal Revenue Service (IRS), which require some companies to retain certain financial records for a period of time. Legal and regulatory retention requirements are driven by forces outside the company and thus, you have no control over them. The company’s legal counsel should work with the appropriate individuals in the business to ensure that legal- and regulatory-related data retention requirements are properly defined and met.
Security and audit — For both security analysis and audit purposes, certain data is retained from various systems including intrusion detection, firewalls, key servers, etc. Some of this data is used by auditors, and other data is retained for future review in the event of a security incident, system crash, or other problem. These requirements are driven by the information security program and depend largely on how management views security.
A formal data retention policy provides guidance to the business on how long data should be retained to meet operational requirements and be in compliance with regulatory requirements. Although information technology (IT) plays a major role in data retention, the actual requirements must be driven by the business. Therefore, it is critical to involve different groups such as human resources (HR), legal, and finance when reviewing data retention.
AU1706_book.fm Page 291 Wednesday, July 28, 2004 11:06 AM
A Practical Guide to Security Assessments
This questionnaire is a starting point for what should be asked during a security
assessment. These questions should be modified based on the company’s specific
business requirements.
1. Is there a formal data retention policy that is easily accessible to employees?
Guidance: A formal data retention policy defines the retention requirements. The policy should clearly define categories of data and their retention periods. In a security assessment, the policy should be evaluated to ensure that all critical data is addressed, retention periods are updated, and that ownership of determining the retention period rests with the data owner. The data retention policy should also be readily accessible (e.g., on an intranet site) so personnel can refer to it as they determine the retention period of data they own. If personnel cannot readily access the policy, they might not take the time to find it or ask someone and as a result not be informed about the policy.
Risk: Without a formal data retention policy, data may not be retained in accordance with operational, legal, or regulatory requirements. If the policy is not accessible, personnel may not know about it or follow it. This will result in a policy that is not enforceable.
Client Response:
2. Are procedures in place to ensure that data is retained for the required retention period?
Guidance: With data retention, it’s important for organizations to proactively check for compliance, as many of the retention periods are driven by legislation. A documented process of how data is retained for the appropriate retention period will help ensure consistent data retention practices and can be used as a basis for evaluating the retention process.
Risk: The risks associated with not having procedures in place include:
Limited ability to enforce good data retention practices
Inconsistent data retention practices
Data not being retained for the appropriate periods, which can lead to operational as well as regulatory impacts
Client Response:
3. Have any incidents occurred related to not retaining data for an appropriate period of time?
Guidance: Typical incidents could include the inadvertent destruction of electronic files that should have been retained. With these incidents, the question is whether defining retention requirements would have minimized the chance of that data being destroyed. The specific security incident(s), if any, should be evaluated based on that criterion.
Risk: Not applicable. This question is to gain some knowledge of any incidents and how they were handled.
Client Response:
4. Has the data retention policy been developed or approved by the relevant functional areas of the company including human resources, legal, finance, and other departments as appropriate?
Guidance: Data retention requirements are primarily driven by personnel outside the IT department, especially when dealing with regulatory and audit requirements. Because of the legal and operational ramifications related to data retention, it is critical that all relevant parties have reviewed and approved the policy. At the minimum, the HR, legal, and finance departments should be involved in the development and review of the data retention policy.
Risk: If the relevant functional areas did not help develop or approve the data retention policy, there is a risk that the data retention policy does not meet the legal or regulatory and operational retention requirements of the business.
Client Response:
5. What data is currently retained and what would the impact to the business be if the data were not retained?
Operational — e.g., manufacturing data, financial data
Legal and regulatory — e.g., financial reporting requirements
Audit — e.g., system logs
Guidance: This question is to learn about the extent to which data is retained and what the impact would be if it were not retained for the appropriate period. Out of this conversation, you will probably also learn about what the company does about data retention. In assessing data retention, the data identified based on this question should be compared to the data retention policy (if there is one) to determine whether any critical data has not been addressed. If a data retention policy exists, this comparison will show you whether the existing policy is adequate. The second part of the question regarding the potential impact will give a sense for the criticality and priority as it relates to data retention.
Risk: Not applicable. This question determines the scope and importance of data retention. The potential impacts identified in this question will give an indication of the criticality of data retention in the company. The answer to this question will help formulate recommendations and associated prioritization as they relate to data retention.
Client Response:
6. Are data owners accountable for specifying the data retention period?
Guidance: Security, like any process, must have clear roles and responsibilities to help ensure that the process is done properly. In the case of data retention, the retention period must be known before steps can be taken to store data for that period. Therefore, data owners must first specify the retention period for their data. Ideally, there should be a mechanism by which data owners inform IT of the retention period for their electronic data. (Physical data will have to be dealt with by another department.) Using this information, IT can then retain the data for the appropriate period. As you assess the process, you may find that IT is completely responsible for retention — i.e., determining the retention period and taking steps to retain the data. It is also possible that IT is making certain assumptions for retention periods or just indefinitely retaining data because they do not know that a data retention policy exists. The company should understand that data owners are ultimately accountable for retention and that it is not an IT issue. Ideally, all data owners should follow a documented data retention policy. In addition, there is cost associated with retention, which should be factored in when determining data retention periods.
Risk: If data owners are not explicitly responsible for specifying the retention period for their data, a risk exists that data might be retained for either too long or too short a time. This can lead to unnecessary costs related to storing data for too long or operational and/or legal concerns related to storing data for too short a time. This issue becomes increasingly significant as more data is generated.
Client Response:
7. Is data properly destroyed after the retention period?
Guidance: Data destruction is a significant issue when dealing with sensitive data. After the retention period, data should be destroyed unless there is a good business reason to maintain it. If data is destroyed internally, steps should be taken to ensure proper destruction of data. For electronic data, drives should be overwritten according to best practice standards. If data is destroyed externally using third-party services, you must ensure that due diligence was done in selecting the vendor and that appropriate contracts (approved by legal counsel) are in place with the vendor to help ensure that physical data is appropriately destroyed. Ideally, third parties should provide some proof or verification that data was destroyed. If employees are destroying paper documents, they should be educated to shred documents with sensitive information.
Risk: The risk associated with data not being destroyed properly is the inappropriate disclosure of sensitive or confidential information, which can lead to legal issues or damage to the reputation of the company.
Client Response: