Data Retention, Retrieval and Secure Disposal Policy




Document Summary


Item

Value

Organization

Information Dynamics

Document Name

Data Retention, Retrieval and Secure Disposal Policy

Classification

Internal

Compliance Reference

ISO 27001:2013, PCI DSS



Document Revision History


Date

Version

Prepared By

1st November 2018

1.1

Information Dynamics

29th Aug, 2019

1.2

Added ISO 27001 Controls reference

26th Aug 2020

1.3

Annual review

26th Aug 2021

1.4

Annual review

28th Aug 2022

1.5

Annual review




Document           Review           History                      


Reviewed By

Version

Date

Signature

Soundar

1.2

30th December 2019


Soundar

1.3

28th August 2020


Soundar

1.4

28th August 2021


Soundar

1.5

28th August 2022



  1. Purpose


    The purpose of the policy is to set a clear path for data retention in ID and securely disposing the same.


    ISO 27001:2013 Reference

    7.5.3 (f)

    Retention and Disposition

    A.8.3.2

    Disposal of Media

    A.11.2.7

    Secure disposal or reuse of equipment


  2. Scope


    The scope of the policy will be applicable to all activities under the scope statement of Information Dynamics.


  3. Policy


    The entire Information Dynamics records, either physical or digital, are subject to the retention requirements based on business, legal and regulatory requirements. The Information Dynamics requires that all removable storage media (CDs, tapes, memory sticks, hard drives, etc) are clean (which means: it is not possible to read or re-constitute the information that was stored on the device or document) prior to disposal specifically:


    1. No storage of Magnetic stripe data, CVV, CID, CAV2, CVV2, CVC2 and PIN to be stored under any circumstances.


    2. Each data item that is stored should be marked with the name of the record, the record type, the original owner of the data, the information classification, the required retention period, and any special information (eg in relation to cryptographic keys).


    3. The required retention periods, by record type, should be in compliance with business, legal and regulatory requirements. The records both physical and electronic should have secure remote offsite backups.


    4. The offsite records both physical and digital should be retrieved and reviewed at least annually or based on the criticality of the information of the records.


    5. All records (physical and digital) moving to and fro the facility to offsite locations has to be logged and inventory managed both at the primary and offsite locations. A periodic inventory check must be done at offsite to find if there exist any irregularities in the logging mechanism.


    6. Data should be disposed as soon as the specified retention period completes it retention period.


    7. If sensitive authentication data (CVV, PIN, magnetic stripe data, track data etc.) is being received, then the data should not be stored and be deleted in a secure manner which makes the data unrecoverable.


    8. Cryptographic keys, which are required for sensitive transaction data should be retained as set out as in Credit Card Data Encryption & Key Management Policy


    9. Devices containing confidential information are dependent on a risk assessment physically destroyed prior to disposal and are never to be re-used.


    10. Devices containing confidential information that are damaged are subject to a risk assessment prior to sending for repair, to establish whether they should be repaired or replaced.


    11. Documents, CDs, etc containing confidential and restricted information which are to be destroyed are shredded by their owners, using a cross cut shredder. These shredders are located in the secure area and the containers are under lock and key.


    12. Portable or removable storage media of any description are physically destroyed prior to disposal.


    13. The data owner along with support from the custodian is responsible for destroying data once it has reached the end of the retention period. Destruction must be completed within 30 days of the planned retention period. Destruction is handled as follows:


      • Papers to be shredded.

      • CDs to be shredded.

      • Backup tapes to be burnt.

      • Sensitive data to be deleted through a program.


    14. The TSG Team is responsible for the retention and secure disposal of storage media and the disposal of all information processing equipment is routed through his office.


  4. Associated Documentation: