FISMA: The Standard for Developing your Data Retention Policy
Your business data is the lifeblood of your organization. How it moves governs how you conduct business, its security helps establish stakeholder confidence, and its analysis drives process improvements. Yet its retention is often overlooked, and it is an issue that you and your management team should be concerned with: corporate data storage and retention policies found not to be in line with accepted industry and government standards can result in fines, personal accountability for executives, and litigation.
Industry and Governmental Expectations
Depending upon the industry in which you operate, a number of established laws and standards prescribe how long business data must be retained. Those standards and the retention periods they call for are listed below:
- Federal Information Security Management Act (FISMA): 3 years
- National Industrial Security Program Operating Manual (NISPOM): 6 – 12 months
- Health Insurance Portability and Accountability Act (HIPAA): 6 years (2 years from time of death)
- North American Electric Reliability Corporation (NERC): 3 years
- Gramm-Leach-Bliley Act of 1999 (GLBA): 6 years
- Basel II: 7 years
- Sarbanes-Oxley Act of 2002 (SOX): 5 years
Organizations that fall under the Payment Card Industry Data Security Standard (PCI DSS) are allowed to set their own retention period for cardholder data at the corporate level, provided it is documented and justified by business, legal or regulatory need; the standard does, however, fix a minimum for audit logs (at least one year, with the most recent three months immediately available for analysis), and compliance with the policy must be validated annually.
Developing your own Policy
Whether you are a federal agency that falls under FISMA or a financial institution that models its policies on GLBA and/or Basel II, you should reassess your data retention policy regularly, and in particular whenever one of three triggers occurs: the prospect of an external audit of that policy, an internal control that mandates deletion of data after a set period, or a need to expand archival capacity because your current storage infrastructure is overtaxed.
When creating or modifying your data retention requirements, an emphasis should be placed on three specific elements:
- External data retention standards
- Legal exposure, including litigation holds, discovery obligations and regulatory enforcement
- Long-term data management costs
Increased Reliance on SIEM Systems
Increasingly, organizations are turning to security information and event management (SIEM) products to collect and archive their log and audit data, which is the data that most of the retention requirements above actually cover. A typical SIEM deployment separates at least two roles, often onto separate servers: an analysis tier that normalizes, correlates and alerts on events as they arrive, and a storage tier that retains the raw events for the required period. There are no formal standards governing how a SIEM must be structured, but almost all products share the same purpose: protecting the integrity, confidentiality and availability of the event data they hold. They therefore offer benefits over generic file archives, such as support for many source types (e.g., operating systems, application servers, network devices and security software), incident tracking and reporting, and search interfaces built to query archived events about a particular problem or incident. The caveat is that a SIEM only satisfies a retention obligation if its retention period is explicitly configured to match the longest applicable requirement and its archive is protected against tampering and premature deletion; retention is a configuration decision, not a default you can rely on.
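When several of the standards listed above apply to the same records, the longest applicable period governs, and a legal hold overrides any scheduled purge. The following Python script is an added example (not code from I.S. Partners or from any SIEM vendor) of encoding that rule as a disposition check that could be run against a SIEM archive before anything is deleted. The retention periods are the ones quoted in the list above (NISPOM taken at its 12-month upper bound, PCI DSS at its one-year audit-log minimum); the corporate default of one year, the record fields and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods in days, as quoted in the article (years x 365); the
# exact period for your organization must come from counsel, not from here.
RETENTION_DAYS = {
    "FISMA": 3 * 365,
    "NISPOM": 365,          # article gives 6-12 months; the upper bound is used
    "HIPAA": 6 * 365,
    "NERC": 3 * 365,
    "GLBA": 6 * 365,
    "BASEL_II": 7 * 365,
    "SOX": 5 * 365,
    "PCI_DSS_LOGS": 365,    # PCI DSS minimum for audit logs
}

# Assumed corporate default for records no external standard covers.
DEFAULT_CORPORATE_DAYS = 365


@dataclass(frozen=True)
class Record:
    record_id: str
    created: date
    regimes: frozenset        # standards that apply to this record
    legal_hold: bool = False  # set by legal; blocks purge regardless of age


def required_retention_days(regimes):
    """The strictest (longest) applicable requirement governs.

    Unknown regime names raise rather than silently contributing zero days,
    since a typo in a policy tag must not shorten retention.
    """
    regimes = set(regimes)
    unknown = regimes - RETENTION_DAYS.keys()
    if unknown:
        raise ValueError(f"unknown retention regime(s): {sorted(unknown)}")
    if not regimes:
        return DEFAULT_CORPORATE_DAYS
    return max(RETENTION_DAYS[r] for r in regimes)


def retention_deadline(record):
    """First day on which the record may be purged."""
    return record.created + timedelta(days=required_retention_days(record.regimes))


def disposition(record, today):
    """'hold' beats 'purge' beats 'retain': a legal hold is checked first."""
    if record.legal_hold:
        return "hold"
    if today < retention_deadline(record):
        return "retain"
    return "purge"


def plan_disposition(records, today):
    """Map each record id to its disposition; callers purge only the 'purge' set."""
    return {r.record_id: disposition(r, today) for r in records}


# Constructed sample archive: four records with different regime mixes.
SAMPLE_RECORDS = [
    Record("A", date(2020, 6, 1), frozenset({"FISMA"})),
    Record("B", date(2020, 6, 1), frozenset({"FISMA", "HIPAA"})),
    Record("C", date(2019, 1, 1), frozenset({"SOX"}), legal_hold=True),
    Record("D", date(2023, 6, 1), frozenset()),
]

if __name__ == "__main__":
    for rid, action in plan_disposition(SAMPLE_RECORDS, date(2024, 1, 1)).items():
        print(rid, action)
```

Record A and record B were created on the same day, but B also falls under HIPAA, so its deadline moves from 2023-06-01 to 2026-05-31 and it stays in the archive; record C is past its SOX period but is under legal hold, so it is reported as held rather than purged.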
Given the value your business data has both now and in the future, combined with the penalties you could face for being non-compliant with data retention standards, you cannot afford not to manage its long-term storage and protection. At the same time, you do not want to stress the limits of your storage infrastructure by continuing to keep irrelevant and obsolete information. Fortunately, I.S. Partners, LLC can help you find a happy medium. Our knowledge of both corporate and governmental auditing standards can help you determine exactly which data retention requirements apply to your organization, and we can help ensure that your data retention policy is both relevant to your industry and effective in protecting you in the event of an external audit.
If your company would like to examine its data retention policies or you would like to receive more information about I.S. Partners, LLC, please call us toll free at (866) 642-2230 or email us at [email protected]