CSF-DOC-PRDS-2 Records Retention and Protection Policy

Page 1

Records Retention and Protection Policy

NIST CSF 2.0 Toolkit: Version 1 ©CertiKit


Records Retention and Protection Policy [Insert classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document sets out how organizational records should be protected and their retention rules.

Areas of the framework addressed

The following areas of the Cybersecurity Framework are addressed by this document:

• Protect (PR)
  o Data Security (PR.DS)
    ▪ PR.DS-03 (PR.DS-09 in draft)

General guidance

This area is closely linked with that of asset management, and your information asset inventory should come in useful. This document refers to USA and UK legislation, but the overall format may be used to identify the applicable legislation in your country. You may require legal assistance to fully understand which pieces of legislation apply to your organization and their implications for record storage and retention.

Review frequency

We would recommend that this document is reviewed annually and upon significant change to the organization.

Version 1

Page 2 of 12

[Insert date]



Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.


Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


Records Retention and Protection Policy

Version 1

DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: CSF-DOC-PRDS-2
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]

Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE

Contents

1 Introduction (page 8)
2 Records retention and protection policy (page 9)
2.1 General principles (page 9)
2.2 Record types and guidelines (page 9)
2.3 Use of cryptography (page 10)
2.4 Media selection (page 11)
2.5 Record retrieval (page 11)
2.6 Record destruction (page 11)
2.7 Record review (page 11)

Tables

Table 1: Record types and retention periods (page 10)

1 Introduction

In its everyday business operations [Organization Name] collects and stores records of many types and in a variety of different formats. The relative importance and sensitivity of these records also varies and is subject to the organization’s security classification scheme (see Information Classification Procedure). It is important that these records are protected from loss, destruction, falsification, unauthorized access and unauthorized release, and a range of controls is used to ensure this, including backups, access control and encryption. [Organization Name] also has a responsibility to ensure that it complies with all relevant legal, regulatory and contractual requirements in the collection, storage, retrieval and destruction of records, including those concerned with the protection of personal data.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

• Privacy and Personal Data Protection Policy
• Asset Inventory
• Information Classification Procedure
• Information Labelling Procedure
• Procedure for the Management of Removable Media


2 Records retention and protection policy This policy begins by establishing the main principles that must be adopted when considering record retention and protection. It then sets out the types of records held by [Organization Name] and their general requirements before discussing record protection, destruction and management.

2.1 General principles

There are several key general principles that must be adopted when considering record retention and protection policy. These are:

• Records must be held in compliance with all applicable legal, regulatory and contractual requirements, including those related to privacy (for example the EU GDPR)
• Records must not be held for any longer than required
• The protection of records in terms of their confidentiality, integrity and availability must be in accordance with their security classification
• Records must always remain retrievable in line with business requirements

A summary of the specific requirements of the relevant data protection laws can be found in Legal, Regulatory and Contractual Requirements.

2.2 Record types and guidelines

In order to assist with the definition of guidelines for record retention and protection, records held by [Organization Name] are grouped into the categories listed in the table on the following page. For each of these categories, the required or recommended retention period and allowable storage media are also given, together with a reason for the recommendation or requirement. Note that these are guidelines only and there may be specific circumstances where records need to be kept for a longer or shorter period of time. This should be decided on a case-by-case basis as part of the design of the information security elements of new or significantly changed processes and services. Further information about records held by the organization, including their security classifications and owners, can be found in Asset Inventory.

RECORD CATEGORY | DESCRIPTION | RETENTION PERIOD | REASON FOR RETENTION PERIOD | ALLOWABLE STORAGE MEDIA
Accounting | Invoices, purchase orders, accounts and other historical financial records | X years | SOX compliance requirement | Electronic only – paper records must be scanned
Budgeting and Forecasting | Forward-looking financial estimates and plans | X years | SOX compliance requirement | Electronic, paper
System Transaction Logs | Database journals and other logs used for database recovery | X years | Based on backup and recovery strategy | Electronic, tape media
Audit Logs | Security logs, for example records of logon/logoff and permission changes | X years | Maximum period of delay before forensic investigation | Electronic
Operational Procedures | Records associated with the completion of operational procedures | X years | Maximum period of time elapsed regarding dispute | Electronic, paper
Customer | Customer names, addresses, order history, credit card and bank details | X years after last purchase | Data protection requirement | Electronic, paper
Supplier | Supplier names, addresses, company details | X years after end of supply | Maximum period within which dispute might occur | Electronic, paper, microfiche
Human resources | Employee names, addresses, bank details, tax codes, employment history | X years after end of employment | Data protection requirement; Employment law | Electronic, paper
Contractual | Legal contracts, terms and conditions, leases | X years after contract end | Maximum period within which dispute might occur | Electronic, paper
Further categories | | | |

Table 1: Record types and retention periods

2.3 Use of cryptography Where appropriate to the classification of information and the storage medium, cryptographic techniques may be used to ensure the confidentiality and integrity of records. Care must be taken to ensure that encryption keys used to encrypt records are securely stored for the life of the relevant records and comply with the organization’s policy on cryptography (see Cryptographic Policy).


2.4 Media selection The choice of long-term storage media must consider the physical characteristics of the medium and the length of time it will be in use. Where records are legally (or practically) required to be stored on paper, adequate precautions must be taken to ensure that environmental conditions remain suitable for the type of paper used. Where possible, backup copies of such records may be taken by methods such as scanning or microfiche. Regular checks must be made to assess the rate of deterioration of the paper and action taken to preserve the records if required. For records stored on electronic media such as tape, similar precautions must be taken to ensure the longevity of the materials, including correct storage and copying onto more robust media if necessary. The ability to read the contents of the particular tape (or other similar media) format must be maintained by the keeping of a device capable of processing it. If this is impractical an external third party may be employed to convert the media onto an alternative format.

2.5 Record retrieval There is little point in retaining records if they are not able to be accessed in line with business or legal requirements. The choice and maintenance of record storage facilities must ensure that records can be retrieved in a usable format within an acceptable period of time. An appropriate balance should be struck between the cost of storage and the speed of retrieval so that the most likely circumstances are adequately catered for.

2.6 Record destruction

Once records have reached the end of their life according to the defined policy, they must be securely destroyed, in line with the Procedure for the Management of Removable Media, in a manner that ensures they can no longer be used. This procedure allows for the correct recording of the details of disposal, which must be retained as evidence.

2.7 Record review

The retention and storage of records must be subject to a regular review process carried out under the guidance of management to ensure that:

• The policy on records retention and protection remains valid
• Records are being retained according to the policy
• Records are being securely disposed of when no longer required
• Legal, regulatory and contractual requirements are being fulfilled
• Processes for record retrieval are meeting business requirements

The results of these reviews must be recorded.
