CISSP® Official Study Guide, Eighth Edition

Mike Chapple, James Michael Stewart, Darril Gibson, CISSP Official Study Guide, Sybex (2018)

Ensuring Appropriate Asset Retention

Retention requirements apply to data or records, media holding sensitive data, systems that process sensitive data, and personnel who have access to sensitive data. Record retention and media retention are the most important elements of asset retention.

Record retention involves retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed. An organization's security policy or data policy typically identifies retention timeframes. Some laws and regulations dictate the length of time that an organization should retain data, such as three years, seven years, or even indefinitely. Organizations have the responsibility of identifying laws and regulations that apply and complying with them. However, even in the absence of external requirements, an organization should still identify how long to retain data.

As an example, many organizations require the retention of all audit logs for a specific amount of time. The time period can be dictated by laws, regulations, requirements related to partnerships with other organizations, or internal management decisions. These audit logs allow the organization to reconstruct the details of past security incidents. When an organization doesn't have a retention policy, administrators may delete valuable data earlier than management expects them to, or attempt to keep data indefinitely. The longer data is retained, the more it costs in terms of media, locations to store it, and personnel to protect it.

Most hardware is on a refresh cycle, where it is replaced every three to five years. Hardware retention primarily refers to retaining it until it has been properly sanitized.

Personnel retention in this context refers to the knowledge that personnel gain while employed by an organization. It's common for organizations to include nondisclosure agreements (NDAs) when hiring new personnel. These NDAs prevent employees from leaving the job and sharing proprietary data with others.

Chapter 5: Protecting Security of Assets

Retention Policies Can Reduce Liabilities

Saving data longer than necessary also presents unnecessary legal issues. As an example, aircraft manufacturer Boeing was once the target of a class action lawsuit. Attorneys for the claimants learned that Boeing had a warehouse filled with 14,000 email backup tapes and demanded the relevant tapes. Not all of the tapes were relevant to the lawsuit, but Boeing had to first restore the 14,000 tapes and examine the content before they could turn them over. Boeing ended up settling the lawsuit for $92.5 million, and analysts speculated that there would have been a different outcome if those 14,000 tapes hadn't existed.

The Boeing example is an extreme example, but it's not the only one. These events have prompted many companies to implement aggressive email retention policies. It is not uncommon for an email policy to require the deletion of all emails older than six months. These policies are often implemented using automated tools that search for old emails and delete them without any user or administrator intervention.

A company cannot legally delete potential evidence after a lawsuit is filed. However, if a retention policy dictates deleting data after a specific amount of time, it is legal to delete this data before any lawsuits have been filed. Not only does this practice prevent wasting resources to store unneeded data, it also provides an added layer of legal protection against wasting resources by looking through old, irrelevant information.
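The automated retention enforcement described above, with the legal-hold constraint built in, as an added example that is not from the study guide or from any product: the retention schedule, record set, custodian names and the `classify` helper are all constructed for illustration, and a record is only ever scheduled for deletion when its class's retention period has elapsed and its custodian is not under a hold.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed retention schedule in days per record class, mirroring the
# periods mentioned in the text: six months for email, three years for logs.
RETENTION_DAYS = {"email": 180, "audit_log": 3 * 365}

# Constructed sample records: (record id, record class, created, custodian).
SAMPLE_RECORDS = [
    ("e1", "email", datetime(2023, 1, 10, tzinfo=UTC), "alice"),
    ("e2", "email", datetime(2023, 11, 1, tzinfo=UTC), "bob"),
    ("e3", "email", datetime(2023, 2, 5, tzinfo=UTC), "bob"),
    ("l1", "audit_log", datetime(2020, 6, 15, tzinfo=UTC), "siem"),
    ("l2", "audit_log", datetime(2022, 6, 15, tzinfo=UTC), "siem"),
    ("t1", "backup_tape", datetime(2019, 3, 1, tzinfo=UTC), "ops"),
]

# Constructed reference time and an active legal hold on one custodian.
NOW = datetime(2024, 1, 1, tzinfo=UTC)
LEGAL_HOLDS = {"bob"}


def classify(records, now, schedule, legal_holds):
    """Return (record id, action, reason) for every record.

    action is 'delete', 'retain' or 'hold'. A hold always wins over the
    schedule, because potential evidence must not be deleted once a matter
    is open; a class with no schedule is retained until policy covers it.
    """
    decisions = []
    for rec_id, rec_class, created, custodian in records:
        if custodian in legal_holds:
            decisions.append((rec_id, "hold", f"legal hold on {custodian}"))
        elif rec_class not in schedule:
            decisions.append((rec_id, "retain", "no schedule for class"))
        elif created < now - timedelta(days=schedule[rec_class]):
            decisions.append((rec_id, "delete", "retention period elapsed"))
        else:
            decisions.append((rec_id, "retain", "within retention period"))
    return decisions


def deletable(records, now, schedule, legal_holds):
    """Ids the automated job may delete without human intervention."""
    return [r for r, action, _ in classify(records, now, schedule, legal_holds)
            if action == "delete"]


if __name__ == "__main__":
    for rec_id, action, reason in classify(SAMPLE_RECORDS, NOW, RETENTION_DAYS, LEGAL_HOLDS):
        print(f"{rec_id}: {action} ({reason})")
```

Every decision carries a reason so the job's own output can serve as the audit trail of what was deleted and why.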