What is universal is the need to ensure your organization has and follows a documented data retention policy.
When outsourcing data storage, it is important to specify in the contract language how long the storage provider will retain your data after you stop doing business with them and what process they will use to eradicate your data from their systems.
A very straightforward and perhaps tempting approach would be to look at the lengthiest legal or regulatory retention requirement imposed on your organization and then apply that timeframe to all your data retention. The problem with this approach is that it will probably make your retained data set orders of magnitude greater than it needs to be.
A better approach is to segregate the specific data sets that have mandated retention requirements and handle those accordingly. Everything else should have a retention period that minimally satisfies the business requirements.
Developing a Retention Policy
At its core, every data retention policy answers three fundamental questions:
- What data do we keep?
- How long do we keep this data?
- Where do we keep this data?
剩余内容请看本人公众号debugeeker, 链接为CISSP考试指南笔记:2.4 保留策略