Data Retention Policy


Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13

Video Transcription
>> We've talked about how one of the more important steps of the data life cycle is archiving data. One of the key tools that's going to drive how archiving data is done at your organization is the data retention policy. Now you might be thinking, oh, the policy. But I'm hoping by the end of this module, you will think, wow, policy is a very exciting thing. In this lesson, we're going to talk about the importance of the data retention policy, components of an effective retention policy, and where the retention policy fits into the data life cycle.

The data retention policy. At a high level, although policy sometimes can have connotations with things that are a little boring or a little dry, I want you to really think of the retention policy as your organization's retention strategy. Because this policy is really the governance level control that's going to drive how data is retained in a way that reduces your organization's operational costs, ensures that the data is properly protected, and that your company doesn't assume too much risk by keeping data longer than it should.

That brings us to our first point here, that the data retention policy should really lay out the retention period for your different types of data based on the classifications that your organization has established. The retention period may be driven by regulations, or it may be determined internally within your organization, where you have to decide, well, how long does this data truly have value? Data that's used more and more for predictive purposes, it can go stale fairly quickly. The trends that you find from data that's maybe even one or two years old are not all that relevant to how you can figure things out or derive insights to improve your business today. So should it be kept around? Potentially not, based on what you can figure out from the business case.

To figure out the retention format: when data is going into the archive state, what should the format be and where should it be stored in your cloud architecture? This also connects to the data classification. Based on the classification of that format, how should the data be stored? If it has more valuable information, is there a different retention storage location, or way that it should be stored? That's always important to think about.

Then if this data has been archived, and for legal reasons or regulatory reasons you need to retrieve that information, you have to define the retrieval procedures that come from the policy. But stating the need for that in the policy is the central means of enforcing the need for retrieval procedures.

Then once that data has reached its required retention period, we no longer need it, first we delete it. What are the mechanisms to properly delete and get rid of data? Proper deletion of data is really tied to reducing the legal risks. If that data is retained longer than it needs to be, it opens up your organization to potential legal risks that come from litigation related to that data. But if you only keep it as long as you need it and get rid of it, it could eventually be a control used to mitigate those potential legal risks. Then obviously, how do we monitor how old data is, and maintain and enforce the protections against how long it's supposed to be maintained, and ensure that data that is old is getting deleted? These are all considerations in the data retention policy.

Now let's reflect. When was the last time you read your organization's data retention policy? Remember, I want you to think of it as strategy. This is really the document that lays out the strategy for how your organization manages its data life cycle, how that information is protected, and how it is effectively archived based on your policy and how it's deleted. How you can really be a steward of effective data protection and governance is by reading this policy and knowing what's your strategy and what's my role in implementing it.

Then, how can an effective data retention policy enhance security analytics and risk management? Well, we talked about how by knowing the data's classification, we should ensure that it's archived in the appropriate way. By knowing how old data is, we can know whether it really is relevant anymore from an analytical perspective and get rid of data that really is stale. It doesn't really offer any analytical value. Some organizations, we want to keep this data and keep this data. We're thinking that there's going to be insights, but I think by talking to the subject matter experts and analytics within your organization, you can get a better understanding of how long certain data needs to stay around. Then from a risk manager perspective, we talked about how data should really only be kept on as long as it has a business use or there's a legal requirement. Any longer than that opens up the organization to potential legal risks when it comes to litigation.

In summary, we talked about the importance of an effective data retention policy, we talked about the considerations for implementing data retention standards and policies, and we talked about how we should think about business value when it comes to managing data retention. I hope you're excited to read your organization's data retention policy, and I'll see you in the next lesson.