Asset Retention
Asset and data retention requirements vary with several factors, including the type and age of the asset or data and the legal and regulatory requirements that apply to it. Security professionals must understand where data is stored and what type of data it is, and they should provide guidance on managing and archiving that data. Data retention policies must therefore be established with the help of organizational personnel, and those data retention policies in turn drive the retention guidelines for the assets that store the data. If a storage asset needs to be replaced, a thorough understanding of the data residing on it is essential to ensure that the data is still retained for the required period.
A retention policy usually states the purpose of the policy, the portion of the organization it affects, any exclusions, the personnel responsible for overseeing the policy, the personnel responsible for the data, the data types it covers, and the retention schedule. Security professionals should work with data owners to develop the appropriate data retention policy for each type of data the organization owns. Examples of data types include, but are not limited to, human resources data, accounts payable/receivable data, sales data, customer data, and email.
Security professionals should ensure that asset retention policies are also created and enforced. While asset retention policies are usually governed by the data retention policies, organizations may find it necessary to replace a physical asset while still needing to retain the data stored on it. Security professionals should ensure that the data residing on an asset that will be retired is fully documented and properly retained as detailed by the data retention policy. Doing so will usually require that the data be moved to another asset. For example, suppose an organization stores all the PII it retains on a SQL server located in the organization’s demilitarized zone (DMZ); the placement is not itself a recommended practice for PII, but it is common enough to serve as an example. If the organization decides to replace the SQL server with a new Windows Server computer, it will be necessary to back up the PII from the old server, verify that the backup is complete and restorable, and restore it to the new server. The organization may also want to retain the backup of the PII, encrypted and stored in a safe or other secured location, in case it is ever needed; that retained backup is itself subject to the data retention policy and must be destroyed when its retention period ends. Then the organization must ensure that the PII cannot be recovered from the hard drive of the old server. Depending on the sensitivity of the data and the media type, this may require sanitization of the drive (for example, cryptographic erase or a purge-level overwrite as described in NIST SP 800-88) or its physical destruction, with a record of the sanitization kept as evidence.
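The migration step in the example above, as an added illustration in T-SQL for Microsoft SQL Server (this is not code from the original text): the backup is encrypted with a server certificate and written with checksums, verified before the old server is touched, and restored on the replacement server after the certificate has been imported there. The database name `CustomerPII`, the certificate name `PiiBackupCert`, the file paths, the logical file names in the `MOVE` clauses, and the placeholder passphrases are all assumptions for the example.

```sql
-- ===== On the OLD server (the asset being retired) =====
USE master;
GO
-- Assumed: no database master key exists yet. Replace the placeholder
-- passphrases with strong secrets held in the organization's key vault.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CHANGE-ME-long-random-passphrase-1';
CREATE CERTIFICATE PiiBackupCert WITH SUBJECT = 'PII backup encryption certificate';
GO
-- Export the certificate and private key. Without this file pair the
-- encrypted backup can never be restored, so it must be retained (and
-- protected) for the same period as the backup itself.
BACKUP CERTIFICATE PiiBackupCert TO FILE = 'D:\keys\PiiBackupCert.cer'
  WITH PRIVATE KEY (
    FILE = 'D:\keys\PiiBackupCert.pvk',
    ENCRYPTION BY PASSWORD = 'CHANGE-ME-long-random-passphrase-2');
GO
-- Encrypted, checksummed backup of the PII database. CHECKSUM lets the
-- restore detect corrupted pages; the ENCRYPTION clause keeps the retained
-- backup media useless to anyone who obtains it without the certificate.
BACKUP DATABASE CustomerPII
  TO DISK = 'D:\backups\CustomerPII_retire.bak'
  WITH COMPRESSION, CHECKSUM, INIT,
       ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = PiiBackupCert);
GO
-- Verify the backup is readable and its checksums are intact BEFORE the
-- old drive is sanitized or destroyed.
RESTORE VERIFYONLY
  FROM DISK = 'D:\backups\CustomerPII_retire.bak'
  WITH CHECKSUM;
GO

-- ===== On the NEW server (the replacement asset) =====
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CHANGE-ME-long-random-passphrase-3';
-- Import the same certificate; the restore fails without it.
CREATE CERTIFICATE PiiBackupCert
  FROM FILE = 'E:\keys\PiiBackupCert.cer'
  WITH PRIVATE KEY (
    FILE = 'E:\keys\PiiBackupCert.pvk',
    DECRYPTION BY PASSWORD = 'CHANGE-ME-long-random-passphrase-2');
GO
-- Restore onto the new server's data and log volumes. The logical file
-- names 'CustomerPII' and 'CustomerPII_log' are assumed; check them with
-- RESTORE FILELISTONLY if they differ.
RESTORE DATABASE CustomerPII
  FROM DISK = 'E:\backups\CustomerPII_retire.bak'
  WITH CHECKSUM,
       MOVE 'CustomerPII'     TO 'E:\data\CustomerPII.mdf',
       MOVE 'CustomerPII_log' TO 'F:\log\CustomerPII_log.ldf';
GO
-- Confirm the restored copy is consistent before declaring the migration done.
DBCC CHECKDB ('CustomerPII') WITH NO_INFOMSGS;
GO
```

The certificate and private-key files are the part most often forgotten: an encrypted backup kept in the safe is only retrievable if the key material is retained alongside it (in a separate, equally protected location), and the same key material must be destroyed when the backup's retention period expires.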
To design asset and data retention policies, the organization should answer the following questions:
What are the legal/regulatory requirements and business needs for the assets/data?
What are the types of assets/data?
What are the retention periods and destruction needs for the assets/data?
The personnel who are most familiar with each asset and data type should work with security professionals to determine the asset and data retention policies. For example, human resources personnel should help design the data retention policies for all human resources assets and data. While designing asset and data retention policies, an organization must consider the media and hardware that will be used to retain the data. Then, with this information in hand, the organization and/or business unit should draft and formally adopt the asset and data retention policies.
As part of asset retention, security professionals need to understand two terms: end of life (EOL) and end of support (EOS). These terms apply to any software or hardware asset. EOL is the date when a vendor stops offering a product for sale. The product is usually still supported (warranties, updates, and repairs) by the vendor for some time after that date, and this support normally includes security updates. EOS, also referred to as end-of-service life (EOSL), is the date when all vendor support ends, after which no further security updates will be produced. Vendors do not use these terms uniformly, so the specific dates and what each milestone covers should be confirmed in the vendor's own lifecycle documentation for each product. Organizations sometimes retain legacy hardware to access older data, such as data on tape media, which may also require keeping the matching drive and the software that reads the format. Legacy applications can also be retained if an application provides a particular function and a replacement has not yet been selected. If legacy hardware or applications past EOS need to be retained, security professionals should ensure they are deployed in a manner that minimizes exposure: on an isolated or segmented network with no direct Internet access, with remote access restricted to the minimum set of users and systems that genuinely need it, with additional monitoring in place, and with a documented plan and date for final retirement.
After the asset and data retention policies have been created, personnel must be trained to comply with them. Auditing and monitoring should be configured to confirm compliance with the data retention policy. Periodically, data owners and processors should review the data retention policies to determine whether any changes need to be made. All data retention policies, implementation plans, training, and auditing should be fully documented. In addition, IT support staff should ensure that the assets on which the data is stored are kept up to date with the latest security patches and updates; for assets that are past EOS and can no longer be patched, the isolation and monitoring measures described above are the compensating controls.
Remember that it is not possible to find a one-size-fits-all solution for all organizations because of the different types of information, assets, or data. Only those most familiar with each asset or data type can determine the best retention policy for that asset or data. Although a security professional should be involved in the design of the retention policies, the security professional is there to ensure that security is always considered and that retention policies satisfy organizational needs. The security professional should act only in an advisory role and should provide expertise when needed.