Making Data Retention Managable and Effective

Data Retention (DR) is important to the business in order to assist with history of data, recovery, client obligations and compliance/legal requirements.

An effectively managed program is critical to the success of the organization. The inverse suggests that a program not well-managed can be the bane of existence.


Click here to contact us today for a no-cost, no-obligation consultation unique to your strategic Data Retention plan! Make security the way you do business!
image

An effective DR program will first define “we are we keeping this data because ______.” The DR records (documented) should reflect the specific purpose a data set is being held. The reason(s) should be reviewed periodically to determine if retention is still a valid requirement. Next, if valid reason(s) exist for the retention of data, the period of retention should be documented and reviewed periodically. Data sets should be reviewed to ensure retention obligations are being met as well as data is not being held longer than the retention period. Finally, the DR program should document, define and identify where the data sets are retained. Retention sites, whether managed by the organization or a third-party must meet or exceed obligations required of the data set. The location(s) must also be reviewed periodically for current relevance.

It is also important to understand the nature of the retained data set. For example, think in terms of “hot or cold.” PCI DSS compliance requires SIEM logs to be held for a period of one-year. Longer periods of retention may be maintained, but are not required for PCI DSS. In the requirement, the SIEM data must be available or “hot” so queries and reports can be run against it. Now, think about data backups for recovery as cold storage. Is the SIEM data on tapes or digital? Is it held in the organization’s facilities or third-party? Is data in either of those locations inventoried (documented) to reflect SIEM data held? Is this sensitive data from the SIEM physically restricted to access by only authorized personnel, and how is that managed and documented? What if an unauthorized individual gets ahold of the data, is the data retained in a format to render it useless?

An effective and secure Data Retention program takes lots of twists and turns. While this data is not in front of the organization on a daily basis, it is a prime target for malicious activity. But, with guidance and planning the DR program can be managed to make it effective and secure.


Contact Digital Assurance Advisors to startup, manage or audit your program today. Your initial consultation is free! Contact us today!