DATA-16 Data Retention

What is DATA-16 data retention control?

Data retention control refers to the the storage of data for a specified period. A policy must be documented to define how the organization saves data for compliance and regulatory purposes.

Available tools in the marketplace

Tools

No tool recommendation is made for this section

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

• Data Retention policy template from SANS Institute (SysAdmin, Audit, Network and Security)

Control implementation

To implement this control,

1. Document a process that describes the type of data and retention period
2. Implement configuration settings to enforce the documented retention period on your systems.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

1. Provide the most recent data retention process
2. Provide a screenshot of the configuration settings demonstrating the retention period

Evidence example

For the suggested action, an example is provided below:

1. Provide the most recent data retention process.
   The following screenshot shows the data type, retention, and disposal processes.
   
2. Provide a screenshot of the configuration settings demonstrating the retention period.
   The following screenshot shows the retention period.
   Google search