Asset Retention
This topic explains retention, describes how to establish information governance and retention policies with an example, and reviews an organization’s sample policy.
Module Objectives
- Understand asset retention and how retention policies are driven by organizational requirements.
- Explain the reasons that drive data and records retention, including compliance or organizational requirements.
- Understand the issues associated with long-term storage of assets.
Retention – Introduction
Data retention, which is sometimes also referred to as records retention, is defined as the continued and long-term storage of valuable assets driven by compliance requirements or corporate requirements.
Companies are required to comply with legal and regulatory legislation in retaining assets, especially information and records. Each company should have those requirements clearly addressed and expressed in a retention policy that usually is accompanied by a retention schedule.
This will then provide the basis for how long to keep data and assets around and also when they should be securely destroyed.
Establishing Information Governance and Retention Policies
To understand retention requirements, we need to understand the various types of assets, such as data and records, that may have retention needs. As part of proper asset governance, the establishment of effective asset archiving and retention policies needs to be done. These are the issues and factors to consider:
- Understand where the data exists: The enterprise cannot properly retain and archive data unless knowledge of where data resides and how different pieces of information relate to one another across the enterprise is available and known.
- Classify and define data: Define what data needs to be archived and for how long, based on business and retention needs that are driven by laws, regulations, and corporate requirements related to goals and objectives.
- Archive and manage data: Once data is defined and classified, it needs to be archived appropriately, based on business access requirements. Manage that archival data in a way that supports the defined data retention policies while still allowing authorized and timely access.
Building Effective Archiving and Data Retention Policies
To build an effective overall archiving and data retention strategy, consider the following guidelines:
- Organizations need to involve the most important stakeholders in the process of aligning the organizational goals and objectives with the legal requirements for the asset retention policies. This obviously needs to include the legal function, compliance, privacy, technology, security, and possibly others. Once meaningful policies are developed, based on requirements, the supporting technology infrastructure needs to be implemented to address the policies. Define clear lines of accountability and responsibility to guide all stakeholders in maximizing how they work together.
- Establish common objectives for supporting archiving and data retention best practices within the organization. Understand the best practices that exist, especially in the same industry or in companies having similar goals and objectives. Make sure stakeholders are educated and provided with the right skills to manage the requirements for access to assets.
- On a regular basis, monitor, review, and update the asset retention policies and archiving procedures. Continue to improve the entire process to support your ongoing business objectives for providing appropriate service levels while supporting retention compliance and policy requirements.
Creating a Sound Record Retention Policy
Fundamentally, there are some basic steps that can be useful in guiding an organization in developing an effective asset retention policy:
- Evaluate legal and regulatory requirements, litigation obligations, and business needs.
- Classify assets and records.
- Determine retention periods and defensible destruction procedures and methods.
- Draft asset retention policy.
- Provide training, awareness, and education to support policy.
- Audit retention and destruction policy and procedures.
- Periodically review policy and procedures.
- Document policy, implementation, procedures, training, awareness, and education, and audit results.
For every type of asset, the organization should determine the proper retention period through involvement with appropriate stakeholders by taking into consideration laws, regulations, and corporate requirements. As a result, certain assets may have very long retention periods. Other assets may have short retention requirements, or possibly no retention requirement at all, such as junk mail. Regardless, the retention periods should be understood by all stakeholders so that the requirements can be addressed properly.
The organization should then draft its record retention policy based on the requirements that are fully understood. The policy should outline the classification of records, the retention and destruction schedules, the parties responsible for retention and destruction, and the correct procedures to be used for important tasks such as defensible destruction. The policy’s justification should state the business reasons for retaining some records for given periods and destroying others.
Training, awareness, and education must be part of any retention policy implementation. Every employee must be aware of the importance of retaining records in accordance with the policy, but also have the skills and knowledge to be able to do it properly. The policy needs to be clear that any piece of information, regardless of origin or format, is covered by the policy. As the security function operates in a support role, the security professional has responsibility for supporting the organization in accurately assessing and measuring the training being delivered to support the retention policy. This provides assurance that the policy, and how it is implemented, is actually effective.
Equally important is the notion that individual employees should not destroy assets and records unless the policy specifically permits it. A record retention policy provides guidance to the organization so that it understands the importance of training employees as soon as the record retention policy has been put into effect. That includes new employees as part of new-hire training, but it should also include a process for continuing education for existing employees as required.
A record retention policy should require periodic audits to ensure that records are being retained and destroyed appropriately, according to the policies and procedures. Paper files and electronic storage media should be checked to ensure that records are not retained past their scheduled destruction dates. Other requirements for assurance may include addressing records on other types of media.
In addition, the issue of data being shared outside of the organization with partners, consultants, and other third parties must also be considered by the security professional as this data needs to be subjected to similar controls as inside the organization.
A record retention policy may need to be updated on a regular basis, because the organization’s need to capture and process new information and records may evolve over time, and new laws or regulations governing record retention may come to apply to the organization.
Laws or regulations that already exist may be changed or in some cases repealed. Constant monitoring of the retention systems may show that records need to be categorized differently or that other alterations would be beneficial. Any changes in the policy should be accompanied by appropriate training and awareness.
It is crucial that an organization documents all aspects of record retention policy implementation. The policy itself must be effective in how it is written, communicated, and understood to all those that are subjected to it. As well, the policy should be accompanied by assurance mechanisms to show training, awareness and education efforts, auditing processes and results, and record destruction schedules and actions.
Example
The data retention policy below outlines how Company “X” operates with regard to data storage, retention, and destruction. It pays particular attention to the requirements laid down in the UK DPA. We will use it as an example.
Review an Organization’s Sample Policy
INSTRUCTIONS
Working with a partner, review the following sample policy. For your assigned section, note your ideas about why each aspect of the policy is in place or the risks to the organization if the policy is not implemented. Be prepared to share your thoughts with the group.
Key Principles
These are the key principles of this policy:
- Data must be stored securely and appropriately having regard to the sensitivity and confidentiality of the data.
- Appropriate measures are put in place to prevent unauthorized access and processing of the data, or accidental loss or damage to the data.
- Data is retained for only as long as necessary.
- Data is disposed of appropriately and securely to ensure the data does not fall into the hands of unauthorized personnel.
Storage
- Data and records are stored securely to avoid misuse or loss.
- Any data file or record that contains personal data or personal sensitive data is considered as confidential.
Examples of How We Approach Storage
- We only use secure data centers that prevent unauthorized physical access to our hardware.
- We only use our own hardware; we do not rent or share servers.
- Access to the hardware and maintenance is restricted to appropriately trained and authorized Company “X” employees.
- Only employees who are required to assist in meeting our obligations in providing services have access to the data. These employees have a full understanding of the obligations and their duty of confidentiality and the care required in the handling of the data.
- We password protect all databases.
- We encrypt data transferred between our web servers and a client’s browser, using reputable SSL certificates to a maximum of 256 bits with initial key exchange at 2048 bits. The actual level on transfer depends on the capability of the user’s browser.
- We do not keep Personal Data or Sensitive Personal Data on any laptop or other removable drive. In the event Personal Data or Personal Sensitive Data had to be stored on a laptop or removable drive, the data would be encrypted to a level in line with industry best practice and the standards available at that time.
- Our secure data centers are located in X, and we do not disclose the exact location in this public document because doing so may in part compromise security.
- We do not and will not transfer Personal Data or Personal Sensitive Data to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
Retention
The DPA requires that personal data processed for any purpose “shall not be kept for longer than necessary for that purpose.” In terms of the data stored, we regard the following aspects to be personal:
- A mobile phone number
- First and last name
- Customer identification number
- Content of the communications sent and received
The maximum period of retention is regarded as five years. If there is no communication sent to or received from a user in five years, then all personal data in regard to that user will be deleted. No data file or record will be retained for more than five years after it is closed unless a good reason can be demonstrated.
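The five-year rule above, together with the audit requirement that records not be held past their scheduled destruction date, can be expressed as a small retention-schedule checker. This is an added example, not part of the sample policy or the original page; the record fields, the "litigation hold" justification and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

RETENTION_YEARS = 5  # maximum retention period stated in the sample policy

@dataclass
class Record:
    record_id: str
    contains_personal_data: bool      # phone number, name, customer ID, message content
    last_communication: date          # last message sent to or received from the user
    closed_on: Optional[date] = None  # date the data file or record was closed, if closed
    retention_justification: str = ""  # documented "good reason" to keep a closed record longer

def add_years(d: date, years: int) -> date:
    """Calendar-exact anniversary; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def scheduled_destruction(rec: Record) -> Optional[date]:
    """Earliest date on which the sample policy requires this record to be destroyed."""
    deadlines = []
    if rec.contains_personal_data:  # no contact for five years -> delete all personal data
        deadlines.append(add_years(rec.last_communication, RETENTION_YEARS))
    if rec.closed_on and not rec.retention_justification:  # closed five years -> destroy
        deadlines.append(add_years(rec.closed_on, RETENTION_YEARS))
    return min(deadlines) if deadlines else None

def disposition(rec: Record, today: date) -> str:
    """'retain' while inside the schedule, 'destroy' once the destruction date is reached."""
    due = scheduled_destruction(rec)
    return "retain" if due is None or today < due else "destroy"

def audit_overdue(records: List[Record], today: date) -> Dict[str, int]:
    """Audit check: records still held at or past their destruction date -> days overdue."""
    return {r.record_id: (today - scheduled_destruction(r)).days
            for r in records if disposition(r, today) == "destroy"}

# Constructed sample inventory (not from the page), audited as of TODAY.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("cust-001", True, date(2023, 5, 1)),   # active customer: retain
    Record("cust-002", True, date(2019, 3, 15)),  # no contact for over five years: destroy
    Record("case-010", False, date(2020, 1, 10), closed_on=date(2018, 11, 30)),  # closed > 5y
    Record("case-011", False, date(2020, 1, 10), closed_on=date(2018, 11, 30),
           retention_justification="litigation hold, ref LH-0042 (constructed)"),  # retain
]
```

Running audit_overdue(SAMPLE_RECORDS, TODAY) flags cust-002 and case-010 as held past their scheduled destruction dates, while the justified case-011 has no scheduled date at all.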
Destruction and Disposal
All information of a confidential or sensitive nature must be securely destroyed when no longer required. The procedure for the destruction of confidential or sensitive records is as follows:
- Electronic files are deleted in such a way that they cannot be retrieved by simply undoing the last action or restoring the item from the Recycle Bin.
- Destruction of backup copies is also dealt with in the same manner.
- Prior to disposal, data storage devices are wiped to the standards defined by the NIST SP 800-88 Revision 1, Guidelines for Media Sanitization.
Framing the Conversation
The sample data retention policy provided above helps frame the conversation with regard to retention in the enterprise. Without a clearly written policy that can be communicated to all employees, implemented, monitored for effectiveness, managed for compliance, and audited for assurance, an organization is not able to safeguard the enterprise and ensure that proper processes are being followed with regard to asset management, including retention requirements.
By classifying these objects, you are able to partner with the enterprise and can begin to define the rules for managing them at different stages in the information lifecycle.
Important Considerations
Questions to consider
- Who needs access to archived data and why? How fast do they need it?
- Do access requirements change as the archives age?
- How long do we need to keep the archived data? When should it be disposed of or deleted?
Best Practices
To effectively define and classify business information for retention and disposal, consider the following best practices.
- Promote cross-functional ownership. Typically, business units own their data and set the data retention policies, while information technology (IT) owns the infrastructure and controls data management. Accordingly, business managers are responsible for defining who can touch the data and what they can do with it. IT must implement a technology infrastructure that supports these policies.
- Promote cross-functional ownership for archiving, retention, and disposal policies. This provides a great indicator of project success because then all groups have a vested interest in a positive outcome. These retention policy definitions can then be saved to a glossary to be leveraged throughout the data lifecycle, providing the proper context and metadata to define, manage, and validate retention policy.
- Plan and practice data retention and orderly disposal. After all stakeholders have signed off on the archiving and data retention policies, IT can develop a plan to implement those policies. Consider solutions that manage enterprise-wide retention policies for both structured and unstructured data, supporting the defensible disposal of unneeded information in addition to the retention of information based on business value, regulatory, or legal obligations. Also, think about solutions that generate notification reports and identify which archives are nearing expiration.
Key Areas of Focus
By focusing on three distinct areas, media, hardware, and personnel, you can ensure that retention is being addressed in a formal manner, aligned with the policies of the enterprise, and meant to ensure confidentiality, integrity, and availability of data as required.
Examples of Data Retention Policies
Some examples of retention policies are as follows:
- European Document Retention Guide 2013: A Comparative View Across 15 Countries To Help You Better Understand Legal Requirements And Records Management Best Practices (Iron Mountain, January 2013)
- State of Florida Electronic Records and Records Management Practices, November 2010
- The Employment Practices Code, Information Commissioner’s Office, UK, November 201
- Wesleyan University, Information Technology Services Policy Regarding Data Retention for ITS-Owned Systems, September 2013
- Visteon Corporation, International Data Protection Policy, April 2013
- Texas State Records Retention Schedule (Revised 4th edition), effective July 4, 2012