FISMA: The Standard for Developing your Data Retention Policy

Your business data is the lifeblood of your organization. How it is transmitted shapes how you conduct business, its security helps establish stakeholder confidence, and its analysis drives process improvements. Yet its retention is often overlooked, and it is an issue that you and your management team should be concerned with. Corporate data storage and retention policies found to be out of line with accepted industry and government standards can result in fines, executive accountability, and possible litigation.

Industry and Governmental Expectations

Depending upon the industry in which you operate, a number of established standards govern the retention of business data. Those standards and their respective retention periods are listed below:

  • Federal Information Security Management Act (FISMA): 3 years
  • National Industrial Security Program Operating Manual (NISPOM): 6 – 12 months
  • Health Insurance Portability and Accountability Act (HIPAA): 6 years (2 years from time of death)
  • National Energy Commission (NERC): 3 years
  • Gramm-Leach-Bliley Act of 1999 (GLBA): 6 years
  • Basel II: 7 years
  • Sarbanes-Oxley Act of 2002 (SOX): 5 years

Organizations that fall under the Payment Card Industry Data Security Standard (PCI-DSS) are allowed to set their own requirements at the corporate level, yet are also required to submit annual statements for audit.

Developing your own Policy

Whether you’re a federal agency that falls under FISMA or a financial institution that models its policies after GLBA and/or Basel II guidelines, standards experts agree that you should continually reassess your data retention policy in response to any of three triggers: the potential for an external audit of that policy, your own internal controls that mandate the deletion of data over time, or a need to expand your archival capacity because your storage infrastructure is already overtaxed.

When creating or modifying your data retention requirements, an emphasis should be placed on three specific elements:

  • External data retention standards
  • Protection from prosecution
  • Long-term data management costs

Increased Reliance on SIEM Systems

Increasingly, organizations are turning to security information and event management (SIEM) software to handle the archiving of their data. SIEM products typically operate on at least two servers: one analyzes the information recorded in logs, and the other stores those logs. While there are no set standards regarding the structure of SIEM systems, almost all SIEM products are designed with the same purposes in mind: to protect the integrity, confidentiality, and availability of business data. Thus, they offer a number of benefits over other data storage solutions, such as the ability to ingest multiple data sources (e.g., operating systems, application servers, and security software), incident tracking and reporting capabilities, and graphical user interfaces designed specifically to query archived data related to a particular problem or issue.

Given the value that your business data has both now and in the future, combined with the potential penalties that you could face for being non-compliant with data retention standards, you really can’t afford not to monitor the long-term storage and safety of it. At the same time, you don’t want to stress the limits of your network infrastructure by continuing to store irrelevant and obsolete information. Fortunately, I.S. Partners, LLC can help you find a happy medium. Our advanced knowledge of both corporate and governmental auditing standards can help you know exactly what sort of data retention requirements apply to you and your organization. We can help to ensure that your data retention policy is both relevant to your industry and effective in protecting you in the event of an external audit.

If your company would like to examine its data retention policies or you would like to receive more information about I.S. Partners, LLC, please call us toll free at (866) 642-2230 or email us at [email protected]
