- Introduction
- Basic Security Principles
- Data Management: Determining and Maintaining Ownership
- Data Governance Policies
- Roles and Responsibilities
- Data Ownership
- Data Custodians
- Data Documentation and Organization
- Data Warehousing
- Data Mining
- Knowledge Management
- Data Standards
- Data Lifecycle Control
- Data Audits
- Data Storage and Archiving
- Data Security, Protection, Sharing, and Dissemination
- Privacy Impact Assessment
- Information Handling Requirements
- Record Retention and Destruction
- Data Remanence and Decommissioning
- Classifying Information and Supporting Asset Classification
This chapter is from the book
This chapter is from the book
This chapter is from the book
Record Retention and Destruction
All data has a lifetime. Eventually data should either be purged, released, or unclassified. Record retention involves maintaining important information as long as it is needed and destroying or declassifying it when it isn’t needed.
Some record retention guidelines are legally mandated by governments. For example, companies typically cannot legally delete potential evidence after a lawsuit is filed and must maintain these assets and records until the court case has concluded. In addition, the JFK Records Act was a record retention act put in place to eventually declassify all records dealing with the assassination of President John F. Kennedy and make these records public by 2018.
The steps in creating a record retention policy include the following:
Understand the business needs and any existing regulatory requirements.
Classify assets or records.
Create retention periods and specify data destruction methods.
Develop the policy and determine the impact should the policy not be followed.
Conduct training, education, and awareness about the policy.
Audit the policy and procedures.
Review the policy and procedures regularly.
Record the implementation and audit results.