Data Retention and Destruction Policy
EDC Inc Data Retention and Destruction Policy
This policy outlines the principles and guidelines for the retention and destruction of data at EDC Inc. It is designed to ensure that necessary records and documents are adequately protected and maintained and to ensure that records that are no longer needed by EDC Inc or are of no value are discarded at the appropriate time.
Scope
This policy applies to all physical and electronic data generated by or for EDC Inc. This includes data stored on our servers, user and service accounts in Active Directory, and inventory data in the CMDB tool.
Policy
Data Retention
EDC Inc will retain data for the period of its immediate or current use, unless longer retention is necessary for historical reference, contractual, legal or regulatory requirements. For each item of data, the following retention parameters must be observed:
- Active Directory User and Service Account Data: Retained for the duration of the user or service account’s active status.
- CMDB Inventory Data: Retained for the duration of the asset’s lifecycle and an additional 7 years after disposal or decommissioning.
- Server Data: Retained for the duration of the server’s lifecycle and an additional 7 years after decommissioning.
Data Destruction
When the data retention period expires, EDC Inc will destroy the data in a manner that prevents its recovery. The method of destruction will be appropriate to the sensitivity of the data and in accordance with all relevant legal and regulatory requirements.
Roles and Responsibilities
The following departments are responsible for the implementation of this policy:
- IT Server Operations: Responsible for the retention and destruction of server data, including OS patching every 30 days unless an “IT Exception” is approved by IT Security.
- IT Server Build Operations: Responsible for the retention and destruction of data related to server builds.
- IT-SOC (Incident management): Responsible for the retention and destruction of incident data.
- Corporate Physical Security: Responsible for the physical security of data storage facilities.
- IT Security Operations: Responsible for approving “IT Exceptions” to the OS patching schedule.
- IT Monitoring Operations: Responsible for the retention and destruction of monitoring data.
- IT Database Operations: Responsible for the retention and destruction of database data.
- IT Audit and Compliance: Responsible for ensuring compliance with this policy and all relevant legal and regulatory requirements.
Policy Violations
Any violation of this policy by an EDC Inc employee will be considered a serious offense and may result in disciplinary action, up to and including termination of employment. Any violation of this policy by a third-party contractor may result in the termination of their contract with EDC Inc.
Policy Review
This policy will be reviewed at least annually by the IT Audit and Compliance department, or more frequently if necessary due to changes in legal or regulatory requirements. Any proposed changes to this policy must be approved by the CAB (Change Audit Board).
Summary
The EDC Inc Data Retention and Destruction Policy is a critical component of our overall data management strategy. It ensures that we retain data for as long as it is needed and no longer, and that we destroy data in a secure and legally compliant manner when it is no longer needed. This policy is enforced by several departments within EDC Inc, each with their own specific roles and responsibilities. Violations of this policy are taken seriously and may result in disciplinary action or termination of contracts.