Your business data is the lifeblood of your organization. Its transmittal governs how you conduct business, its security helps in establishing stakeholder confidence, and its analysis helps lead to process improvements. Yet data retention is something that’s often overlooked.
Corporate data storage and retention policies found not to be in line with accepted auditing standards and regulatory requirements can be punished by fines, executive accountability, and possible litigation.
Data Retention Regulations
Depending upon the industry in which you operate, there are a number of established standards regarding the retention of business data. Those policies and their respective data retention standards are listed below.
FISMA Data Retention Requirements – 3 Years
NIST SP 800-53 outlines the requirements contractors and federal agencies need to meet for Federal Information Security Management Act (FISMA). It requires data retention for a minimum of three years.
NERC Data Retention Requirements – 3 to 6 Years
In 2011, the Compliance Monitoring and Enforcement Program (CMEP) clarified National Energy Commission (NERC) Rules of Procedure related to data retention requirements. It instructs entities keep data needed to demonstrate compliance with NERC Reliability Standards for an entire compliance verification period. Meaning that they must retain the current, in-force version of a policy, plan procedure, or other document for the entire three to six-year auditing period.
Basel II Data Retention Requirements – 3 to 7 Years
The Basel II Capital Accord requires banks to have Business Continuity and Disaster Recovery plans. Plus, it requires them to retain 3-7 years of data history.
SOX Retention Requirements – 7 Years
Sarbanes-Oxley Act of 2002 (SOX) was modified in 2003 to require relevant auditing and review documents to be retained for seven years after the audit or review of the financial statements is concluded.
HIPAA Data Retention Requirements – 6 Years
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entitles to keep HIPAA-related documents for a minimum of 6 years from when the document was created. In the case of policies, the time requirement is six years from the date it was last in effect. This applies to “policies and procedures implemented to comply [with HIPAA] and records of any action, activity or assessment,” CFR §164.316(b)(1) and (2) and include HIPAA audit logs.
The Privacy Rule doesn’t specifically stipulate how long medical records should be retained. Covered entities and BAs must refer to their state laws governing the retention of medical records.
NISPOM Data Retention Requirements – 6 to 12 Months
According to the National Industrial Security Program Operating Manual (NISPOM) contractors should return data upon completion of the contract unless the material has been declassified. At maximum, classified material received or generated under a contract can be retain for 2 years unless directed otherwise. Classified information no longer needed should be processed for disposal.
PCI Data Retention Requirements – Variable
Organizations that fall under the Payment Card Industry Data Security Standard (PCI-DSS) are allowed to set their own requirements at the corporate level, yet are also required to submit annual statements for audit.
it provides some best practices regrading email archiving. Archiving practices are an important measure in fully complying with FISMA regulations.
How to Create a Data Retention Policy
Whether you’re a federal agency that falls under FISMA or a financial institution that models your policies after GLBA and/or Basel II guidelines, standards experts agree that you should continually assess your data retention policy. Review should consider the potential for an external audit of that policy, internal controls that mandate the deletion of data over time, and your need to expand your archival capacity and storage infrastructure.
When creating or modifying your data retention requirements, an emphasis should be placed on three specific elements:
- External data retention standards,
- Protection from prosecution, and
- Long-term data management costs.
Get more advice: 5 Key Steps to Developing a Solid Data Retention Policy.
Data Retention Best Practices
Increasingly, organizations are turning to security information and event management (SIEM) software programs to handle the archiving of their data. SIEM products typically operate on at least two servers; one analyzes information recorded in data logs, the other stores it.
While there no set standards regarding the structure of SIEM systems, almost all SIEM products are designed with the same purposes in mind: to protect the integrity, confidentiality and availability of business data. Thus, they offer a number of unique benefits over other data storage solutions. Advantages include the ability to support multiple data sources (i.e., operating systems, application servers, and security software), incident tracking and reporting capabilities, and graphical user interfaces designed to specifically query archived data related to a particular problem or issue.
Given the value that your business data has both now, and in the future, combined with the potential penalties for non-compliance with data retention standards, you really can’t afford not to monitor long-term storage. At the same time, you don’t want to stress the limits of your network infrastructure by continuing to store irrelevant and obsolete information.
Professional Guidance Is Available
I.S. Partners, LLC can help your company to find a happy medium. Our advanced knowledge of both corporate and governmental auditing standards can assist in identifying the data retention requirements that apply to your organization. We ensure that your data retention policy is both relevant to your industry and effective for successful external audits. Contact our team to learn more.