| |
|DATA RETENTION POLICY |
|Revision 2.0 |
| |
| |
| |

| |

Table of Contents

1.0 Overview: Page 3

2.0 Purpose: Page 3

3.0 Scope: Page 4

4.0 Document Covered by this Policy Page 4

5.0 Acceptable Use Policy: Page 4

6.0 Definitions: Page 4

7.0 Data Storage: Page 6

8.0 Responsibility: Page 6

9.0 Data Backed Up: Page 7

10.0 Archives: Page 7

11.0 Restoration: Page 7

12.0 Data Storage Locations: Page 7

13.0 Violations and Penalties Page 7

14.0 Acknowledgment of Data Retention Policy Page 8

Appendix – A (References) Page 9

DATA RETENTION POLICY

1. Overview:
The company is subject to data retention requirements resulting from a mix of legal, industry, business and government mandates. These data retention requirements govern the storage of the company’s information, records and data. Regulations dictate that different data types be stored for specific periods; regulations may also dictate the media storage format that must be used to store specific data types.

This policy defines the backup/retention policy for electronic data within the company. These systems are typically servers but are not necessarily limited to servers.

2. Purpose:
The companies Data Retention Policy exists to ensure all company information, records and data are retained and stored in compliance with legal, industry, business and government regulations. Data covered by this policy includes but is not limited to:

• Electronic communications • Business, client, agent and supplier correspondence • Documents • Spreadsheets • Databases • Customer records • Employee records • Supplier and partner information • Transactional data • Contracts • Sales, invoice and billing information • Accounting, banking, finance, earnings and tax data • Health care, medical and patient information • Student and educational data • Other data produced and collected in fulfilling business activities

This policy provides for data retention of all company and Department of Defense (DoD) data to comply with federal and state laws and regulations. Data will be retained in accordance with DoD STD 5015.2, and any document it references. Data retention is to ensure the continuity of business practices until authorized to dispose of or destroy data in accordance with the destruction policies and procedures. (See Appendix A)

NOTE: In the event that a court marshal, claim or administrative charge has been filed - or there exists a reasonable belief that a court marshal, claim or charge will be filed - all relevant records, including e-mails, must be preserved and safeguarded until the litigation or proceeding has terminated and the time for all appeals has expired. With rare exception, all such documents may be subject to discovery in litigation and the destruction of such records potentially subjects the DoD and the individuals who take such action to court-ordered sanctions.

3.0 Scope:
Every officer, manager, employee, contractor, temporary worker, authorized agent and volunteer is subject to the terms of the company’s Data Retention Policy. This policy applies to all equipment and data owned and operated by the company. Including any third party owned, company leased equipment.

4.0 Documents Covered by Policy
Records, documents, email and correspondence of all kinds must be managed according to the procedures outlined in this document. This policy applies to data in any form (paper or electronic) however or by whomever created that belong to the company, or were created by military personal and non-military personal, as part of their work for the DoD as part of their service to the DoD and are classified as DoD Protected or DoD Sensitive data as defined in DoD Data Classification Policy and Procedure.

5.0 Acceptable Use:
All company employees and representatives are responsible for ensuring all company data is retained and stored according to applicable local, state and federal laws, business standards and industry regulations. The following guidelines should be used to help determine the appropriate retention periods (although specific state and federal laws and business and industry regulations may require retaining data longer):

• Employee data is to be kept a minimum of three years. • Payroll data is to be kept a minimum of three years. • Medical and patient information is to be kept a minimum of six years. • Business data is to be kept a minimum of seven years; in many cases electronic communications, business correspondence and other business records are to be retained permanently. • Tax records are to be kept permanently. • Contracts are to be kept the life of their term and renewal, as well as an additional period equal to any applicable statutes of limitations governing any potential claims arising under the contracts.

Company data shall be stored using the following formats:

• All company records, information and data are to be securely stored on readily accessible online media (disk-based systems that remain available at all times, such as IDE, SATA, SCSI or Fibre Channel arrays) for two years following creation. • Health care, medical and patient records must be securely archived a minimum of six years on readily accessible online media or WORM tape. • Using readily accessible online media or WORM tape, most student and education data must be securely stored a minimum of two years following the student’s enrollment; student acceptance and loan records must be securely stored a minimum of five years; official transcripts are to be securely archived permanently. • Other archived data must be securely stored on non-rewritable, non-erasable media (such as optical media, WORM tape or WORM magnetic disks) for a minimum of six years or longer (publicly traded companys and those firms that audit publicly traded companys must keep archived data on such media a minimum of seven years).

Whenever doubt arises as to the retention requirements affecting specific data, the data should be securely archived (for the first two years on readily accessible online media; after two years such data should be transferred to optical media, WORM tape or WORM magnetic disk). All company representatives are responsible for ensuring all company data is updated and maintained properly; all company representatives are responsible for keeping current all business information they access and maintain in fulfilling their job responsibilities.

No company officer, manager, employee, contractor, temporary worker, authorized agent, volunteer or other representative may delete any information, records or data in violation of local, state or federal laws or business and industry regulations. Only the company’s authorized representatives may delete company information, records and data upon the conclusion of the data’s proper and lawful lifecycle. Upon deletion, care must be taken to ensure data is adequately destroyed (as opposed to simply deleted in a manner that enables data recovery). The Information Technology department manager must approve the destruction of data on all disks, cellular telephones, personal digital assistants, computers, PCs, servers and systems, and verify that all company data have been properly destroyed, prior to discarding, donating or otherwise decommissioning company equipment.

All company information, records and data are subject to storage restrictions imposed by the Health Insurance Portability and Accounting Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999, the Sarbanes-Oxley Act of 2002, and Securities and Exchange Commission rules 17a-3 and 17a-4 as well as all other data management and retention restrictions resulting from local, state, federal and international laws and business and industry regulations.

All information and data retained must be processed in accordance with the rules and regulations governing its use. Refer to the company’s separate Data Protection Policy for detailed information restricting the use of company data, which governs that, among other restrictions, under no circumstances may any company representative share, pass, provide, copy, print, duplicate, transmit, store, archive or otherwise provide the company’s information, data and records to unauthorized parties.

6.0 Definitions: 1. Backup - The saving of files onto magnetic tape or other offline mass storage media for the purpose of preventing loss of data in the event of equipment failure or destruction. 2. Archive - The saving of old or unused files onto magnetic tape or other offline mass storage media for the purpose of releasing on-line storage room. 3. Restore - The process of bringing off line storage data back from the offline media and putting it on an online storage system such as a file server. 4. Computer – Any and all electronic devices capable of, receiving, storing, transmitting, updating electronic data or documents. Including, but not limited to: a. Laptops b. Servers c. PDA (Iphone, Blackberry or Android) d. Tablets e. USB drive

5. Company – the company, Data Systems LLC.

7.0 Data Storage:
There shall be a separate or set of back up data files for each backup day including Monday, Tuesday, Wednesday, and Thursday. There shall be a separate or set of back up data files for each Friday of the month such as Friday1, Friday2, etc. Backup files will be retained for one month. Monthly backups will be retained for one year. Annual backups will be retained as prescribed in DoD 5015.2, DoD Records Management Program, June 2002.

8.0 Responsibility:
The IT department manager shall delegate a member of the IT department to perform regular backups. The delegated person shall develop a procedure for testing backups and test the ability to restore data from backups on a monthly basis.

9.0 Data Backed Up:
Data to be backed up include the following information: 1. User data stored on the hard drive. a. Each user will save all data to their network drive; it will not be backed up if not saved to the network drive. 2. System state data 3. The registry
Systems to be backed up include but are not limited to: 1. File servers 2. Mail servers 3. Production web servers 4. Production database servers 5. Domain controllers 6. Test database/web servers

10.0 Archives:
Archives are made at the end of every year in December. User account data associated with the file and mail servers are archived one month after they have left the company.

11.0 Restoration:
Users that need files restored must submit a request to the help desk. Include information about the file creation date, the name of the file, the last time it was changed, and the date and time it was deleted or destroyed.

12.0 Data Storage Locations:
Offline files used for nightly backup shall be stored in an adjacent building in a fireproof safe. Monthly files shall be stored across town in our other facility in a fireproof safe. This policy may contain descriptions about how various systems and types of systems are backed up such as Windows or UNIX systems.

13.0 Violations and Penalties
All officers, managers, employees, contractors, temporary workers, authorized agents and volunteers are subject to the terms of the organization’s Data Retention Policy. Any violation of the Data Retention Policy must be immediately reported to the Information Technology department manager.

Violating the Data Retention Policy, or any of its tenets, could result in disciplinary action leading up to and including termination of employment and civil and/or criminal prosecution under local, state and federal laws.

Acknowledgment of Data Retention Policy
This form is used to acknowledge receipt of, and compliance with, the company’s Data Retention Policy.

Procedure
Complete the following steps:

1. Read the Data Retention Policy. 2. Sign and date in the spaces provided below. 3. Return a copy of this signed document to the Information Technology department manager.

Signature
Your signature attests that you agree to the following terms:

a) I have received and read a copy of the “Data Retention Policy” and understand and agree to the same; b) I understand and agree that I will properly retain all organization data, records and information on the appropriate media; c) I understand that all organization data remains the property of the organization; d) I understand I am not to modify, alter, or delete any data in violation of local, state and federal laws and business and industry regulations; e) I understand that I shall maintain data accuracy to the best of my ability while fulfilling my lawful job responsibilities.

______________________________________
Employee Signature

______________________________________
Employee Name

______________________________________
Employee Title

______________________________________
Date

______________________________________
Department/Location

Disclaimer: This policy is not a substitute for legal advice. If you have legal questions related to this policy, see your lawyer.
Appendix A (References)

FIPS 199: Standards for Security Categorization of Federal Information and Information Systems, February 2004

FIPS 200: Minimum Security Requirements for Federal Information and Information Systems. March 2006

NIST SP 800-37; Guide for applying the Risk Management Framework to Federal Information Systems, February 2010

NIST SP 800-53; Recommended Security Controls for Federal Information Systems and Companys, August 2009 AU-11 AUDIT RECORD RETENTION

Control: The company retains audit records for [Assignment: company-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and companyal information retention requirements.

Supplemental Guidance: The company retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated. The National Archives and Records Administration (NARA) General Records Schedules (GRS) provide federal policy on record retention.

INCITS/ISO/IEC 27001-2005 (Annex A) CONTROLS A.10.10.1, A.10.10.2, A.15.1.3

SI-12 INFORMATION OUTPUT HANDLING AND RETENTION

Control: The company handles and retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

Supplemental Guidance: The output handling and retention requirements cover the full life cycle of the information, in some cases extending beyond the disposal of the information system. The National Archives and Records Administration provides; guidance on records retention. Related controls: MP-2, MP-4.

INCITS/ISO/IEC 27001-2005 (Annex A) CONTROLS A.10.7.3, A.15.1.3, A.15.1.4, A.15.2.1

NIST SP 800-53A; Guide for Assessing the Security Controls in Federal Information Systems, July 2008

NIST SP 800-60; Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008

NIST SP 800-61; Computer Security Incident Handling Guide, March 2008

Department of Defense STD 5015.2: DoD Records Management Program, June 2002 Section C2.2.9—Systems Management Requirement has several retention requirements within the regulation requiring: - Backup of Stored Records (C2.2.9.1) - Storage of Backup Copies (C2.2.9.2) - Rebuild Capability (C2.2.9.4) - Storage Availability and Monitoring (C2.2.9.5) - External Email Management and Retention (C2.2.10.2)

Section C2.2.9. System Management Requirements. The following functions are typically provided by the operating system or by a database management system. These functions are also considered requirements to ensure the integrity and protection of companyal records. They shall be implemented as part of the overall records management system even though they may be performed externally to an RMA.

Section C2.2.9.1. Backup of Stored Records. The RMA system shall provide the capability to automatically create backup or redundant copies of the records and their metdata. See references (z), (ag) and (am).

Section C2.2.9.2. Storage of Backup Copies. The method used to back up RMA database files shall provide copies of the records and their metadata that can be stored off-line and at separate location(s) to safeguard against loss due to system failure, operator error, natural disaster, or willful destruction. See 36 CFR 1234.30 (reference (at)).

Section C2.2.9.3. Recovery/Rollback Capability. Following any system failure, the backup and recovery procedures provided by the system shall: Section C2.2.9.3.1. Ensure data integrity by providing the capability to compile updates (records, metadata, and any other information required to access the records) to RMAs.

Section C2.2.9.3.2. Ensure these updates are reflected in RMA files, and ensuring that any partial updates to RMA files are separately identified. Also, any user whose updates are incompletely recovered, shall, upon next use of the application, be notified that a recovery has been attempted. RMAs shall also provide the option to continue processing using all in-progress data not reflected in RMA files. See references (z) and (am).

Section C2.2.9.4. Rebuild Capability. The system shall provide the capability to rebuild from any backup copy, using the backup copy and all subsequent system audit trails. See reference (z).

Section C2.2.9.5. Storage Availability and Monitoring. The system shall provide for the monitoring of available storage space. The storage statistics shall provide a detailed accounting of the amount of storage consumed by RMA processes, data, and records. The system shall notify individuals of the need for corrective action in the event of critically low storage space. See reference (z).

Section C2.2.9.6. Safeguarding. The RMA, in conjunction with its operating environment, shall have the capability to activate a keyboard lockout feature and a screen-blanking feature. See reference (c).

National Archives and Records Administration:

NARA Code of Federal Regulations – 36 CFR Part 1222 -- Creation and Maintenance of Federal Records, http://www.archives.gov/about/regulations/part-1222.html

National Archives and Records Administration provides guidance on records retention, http://www.archives.gov/records-mgmt/initiatives/flexible-scheduling.html

NARA Code of Federal Regulations – CFR 36 Part 1224 -- Records Disposition Programs, http://www.archives.gov/about/regulations/part-1224.html

NARA Code of Federal Regulations – 36 CFR Part 1236 -- Electronic Records Management, http://www.archives.gov/about/regulations/part-1236.html