
FISMA: The Standard for Developing your Data Retention Policy

Your business data is the lifeblood of your organization. Its transmittal governs how you conduct business, its security helps in establishing stakeholder confidence, and its analysis helps lead to process improvements. Yet its retention is something that’s often overlooked, and is definitely an issue that you and your management team should be concerned with. Corporate data storage and retention policies found not to be in line with accepted industry and government standards can be punished by fines, executive accountability, and possible litigation.

Industry and Governmental Expectations

Depending upon the industry in which you operate, there exist a number of established standards regarding the retention of business data. Those policies and their respective data retention standards are listed below:

  • Federal Information Security Management Act (FISMA): 3 years
  • National Industrial Security Program Operating Manual (NISPOM): 6 – 12 months
  • Health Insurance Portability and Accountability Act (HIPAA): 6 years (2 years from time of death)
  • National Energy Commission (NERC): 3 years
  • Gramm-Leach-Bliley Act of 1999 (GLBA): 6 years
  • Basel II: 7 years
  • Sarbanes-Oxley Act of 2002 (SOX): 5 years

Organizations that fall under the Payment Card Industry Data Security Standard (PCI-DSS) are allowed to set their own requirements at the corporate level, yet are also required to submit annual statements for audit.

Developing your own Policy

Whether you’re a federal agency that falls under FISMA or a financial institution that models its policies on GLBA and/or Basel II guidelines, standards experts agree that you should continually reassess your data retention policy. Three situations in particular call for such a review: the potential for an external audit of that policy, your own internal controls that mandate the deletion of data over time, and a need to expand your archival capacity because your storage infrastructure is already overtaxed.

When creating or modifying your data retention requirements, an emphasis should be placed on three specific elements:

  • External data retention standards
  • Protection from prosecution
  • Long-term data management costs
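The two checks above (meeting external minimums and not letting an internal deletion control undercut them) can be expressed as a small policy evaluator. This is an added illustration, not code from the article or from I.S. Partners; it assumes the retention figures listed earlier, counts a year as 365 days, and uses a constructed sample archive.

```python
from datetime import date

# Minimum retention periods listed in the article, in days. Assumptions: a year
# counts as 365 days, NISPOM's 6-12 month range is taken at its upper bound,
# and HIPAA uses the 6-year figure.
STANDARD_MIN_DAYS = {
    "FISMA": 3 * 365,
    "NISPOM": 365,
    "HIPAA": 6 * 365,
    "NERC": 3 * 365,
    "GLBA": 6 * 365,
    "Basel II": 7 * 365,
    "SOX": 5 * 365,
}

def required_retention_days(applicable):
    """Effective minimum: the longest period among the standards you fall under."""
    unknown = [s for s in applicable if s not in STANDARD_MIN_DAYS]
    if unknown:
        raise ValueError(f"no retention figure for: {unknown}")
    return max(STANDARD_MIN_DAYS[s] for s in applicable)

def purge_conflicts(internal_purge_days, applicable):
    """Standards whose minimum an internal purge-after-N-days control would violate."""
    return [s for s in applicable if STANDARD_MIN_DAYS[s] > internal_purge_days]

def review_archive(records, today, applicable, internal_purge_days):
    """Map record id -> 'hold', 'retain' or 'delete'. A record is deletable only
    once it is older than both the internal schedule and the longest external
    minimum; a legal hold always wins."""
    keep_days = max(internal_purge_days, required_retention_days(applicable))
    verdicts = {}
    for rec in records:
        age_days = (today - rec["created"]).days
        if rec.get("legal_hold"):
            verdicts[rec["id"]] = "hold"
        elif age_days >= keep_days:
            verdicts[rec["id"]] = "delete"
        else:
            verdicts[rec["id"]] = "retain"
    return verdicts

# Constructed sample archive for an institution modelling its policy on GLBA and SOX.
TODAY = date(2024, 1, 1)
SAMPLE_RECORDS = [
    {"id": "ledger-2016", "created": date(2016, 3, 1)},
    {"id": "ledger-2020", "created": date(2020, 3, 1)},
    {"id": "ledger-2015", "created": date(2015, 3, 1), "legal_hold": True},
]
print(review_archive(SAMPLE_RECORDS, TODAY, ["GLBA", "SOX"], 5 * 365))
```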

Increased Reliance on SIEM Systems

Increasingly, organizations are turning to security information and event management (SIEM) software to handle the archiving of their data. SIEM products typically run on at least two servers: one analyzes the information recorded in data logs, the other stores those logs. While there are no set standards governing the structure of SIEM systems, almost all SIEM products are designed with the same purposes in mind: to protect the integrity, confidentiality and availability of business data. Thus, they offer a number of benefits over other data storage solutions, such as support for multiple data sources (e.g., operating systems, application servers, and security software), incident tracking and reporting capabilities, and graphical user interfaces designed specifically to query archived data related to a particular problem or issue.

Given the value that your business data has both now and in the future, combined with the potential penalties that you could face for being non-compliant with data retention standards, you really can’t afford not to monitor the long-term storage and safety of it. At the same time, you don’t want to stress the limits of your network infrastructure by continuing to store irrelevant and obsolete information. Fortunately, I.S. Partners, LLC can help you find a happy medium. Our advanced knowledge of both corporate and governmental auditing standards can help you know exactly what sort of data retention requirements apply to you and your organization. We can help to ensure that your data retention policy is both relevant to your industry and effective in protecting you in the event of an external audit.

If your company would like to examine its data retention policies or you would like to receive more information about I.S. Partners, LLC, please call us toll free at (866) 642-2230 or email us at [email protected]
