A Practical Guide to Security Assessments
appropriate period. Out of this conversation, you will probably also learn what the company actually does about data retention. In assessing data retention, compare the data identified through this question against the data retention policy (if one exists) to determine whether any critical data has not been addressed; where a policy exists, this comparison will show you whether it is adequate. The second part of the question, regarding potential impact, will give you a sense of the criticality and priority of data retention.
Risk:
Not applicable. This question determines the scope and importance of data retention. The potential impacts identified here indicate how critical data retention is to the company, and the answer will help you formulate recommendations, and their prioritization, as they relate to data retention.
Client Response:
6. Are data owners accountable for specifying the data retention period?
Guidance:
Security, like any process, must have clear roles and responsibilities to help ensure that the process is performed properly. In the case of data retention, the retention period must be known before steps can be taken to store data for that period, so data owners must first specify the retention period for their data. Ideally, there should be a mechanism by which data owners inform IT of the retention period for their electronic data (physical records will have to be dealt with by another department). Using this information, IT can then retain the data for the appropriate period. As you assess the process, you may find that IT is completely responsible for retention, i.e., both determining the retention period and taking steps to retain the data. It is also possible that IT is making assumptions about retention periods, or simply retaining data indefinitely, because it does not know that a data retention policy exists. The company should understand that data owners are ultimately accountable for retention and that it is not an IT issue. Ideally, all data owners should follow a documented data retention policy. In addition, there is a cost associated with retention, which should be factored in when determining data retention periods.
Risk:
If data owners are not explicitly responsible for specifying the retention period for their data, the data may be retained for either too long or too short a time. Retaining data for too long leads to unnecessary storage costs; retaining it for too short a time leads to operational and/or legal concerns. This issue becomes increasingly significant as the volume of data generated grows.