Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This document sets out how organizational records should be protected and their retention rules.
Areas of the framework addressed
The following areas of the Cybersecurity Framework are addressed by this document:
• Protect (PR)
o Data Security (PR.DS)
▪ PR.DS-10
General guidance
This area is closely linked with that of asset management and your information asset inventory should come in useful.
This document refers to USA and UK legislation, but the overall format may be used to identify the applicable legislation in your country.
You may require legal assistance to fully understand which pieces of legislation apply to your organization and their implications for record storage and retention.
Review frequency
We would recommend that this document is reviewed annually and upon significant change to the organization.
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions
This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.
Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.
You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Records Retention and Protection Policy
Revision history
1 Introduction
In its everyday business operations [Organization Name] collects and stores records of many types and in a variety of different formats. The relative importance and sensitivity of these records also varies and is subject to the organization’s security classification scheme (see Information Classification Procedure).
It is important that these records are protected from loss, destruction, falsification, unauthorized access and unauthorized release and range of controls are used to ensure this, including backups, access control and encryption.
[Organization Name] also has a responsibility to ensure that it complies with all relevant legal, regulatory and contractual requirements in the collection, storage, retrieval and destruction of records, including those concerned with the protection of personal data.
This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.
The following policies and procedures are relevant to this document:
• Privacy and Personal Data Protection Policy
• Asset Inventory
• Information Classification Procedure
• Information Labelling Procedure
• Procedure for the Management of Removable Media
2 Records retention and protection policy
This policy begins by establishing the main principles that must be adopted when considering record retention and protection. It then sets out the types of records held by [Organization Name] and their general requirements before discussing record protection, destruction and management.
2.1 General principles
There are several key general principles that must be adopted when considering record retention and protection policy. These are:
• Records must be held in compliance with all applicable legal, regulatory and contractual requirements, including those related to privacy (for example the EU GDPR)
• Records must not be held for any longer than required
• The protection of records in terms of their confidentiality, integrity and availability must be in accordance with their security classification
• Records must always remain retrievable in line with business requirements
A summary of the specific requirements of the relevant data protection laws can be found in Legal, Regulatory and Contractual Requirements
2.2 Record types and guidelines
In order to assist with the definition of guidelines for record retention and protection, records held by [Organization Name] are grouped into the categories listed in the table on the following page. For each of these categories, the required or recommended retention period and allowable storage media are also given, together with a reason for the recommendation or requirement.
Note that these are guidelines only and there may be specific circumstances where records need to be kept for a longer or shorter period of time. This should be decided on a case-bycase basis as part of the design of the information security elements of new or significantly changed processes and services.
Further information about records held by the organization, including their security classifications and owners can be found in Asset Inventory
2.3 Use of cryptography
Where appropriate to the classification of information and the storage medium, cryptographic techniques may be used to ensure the confidentiality and integrity of records.
Care must be taken to ensure that encryption keys used to encrypt records are securely stored for the life of the relevant records and comply with the organization’s policy on cryptography (see Cryptographic Policy).
2.4 Media selection
The choice of long-term storage media must consider the physical characteristics of the medium and the length of time it will be in use.
Where records are legally (or practically) required to be stored on paper, adequate precautions must be taken to ensure that environmental conditions remain suitable for the type of paper used. Where possible, backup copies of such records may be taken by methods such as scanning or microfiche. Regular checks must be made to assess the rate of deterioration of the paper and action taken to preserve the records if required.
For records stored on electronic media such as tape, similar precautions must be taken to ensure the longevity of the materials, including correct storage and copying onto more robust media if necessary. The ability to read the contents of the particular tape (or other similar media) format must be maintained by the keeping of a device capable of processing it. If this is impractical an external third party may be employed to convert the media onto an alternative format.
2.5 Record retrieval
There is little point in retaining records if they are not able to be accessed in line with business or legal requirements. The choice and maintenance of record storage facilities must ensure that records can be retrieved in a usable format within an acceptable period of time. An appropriate balance should be struck between the cost of storage and the speed of retrieval so that the most likely circumstances are adequately catered for.
2.6 Record destruction
Once records have reached the end of their life according to the defined policy, they must be securely destroyed in a manner that ensures that they can no longer be used in line with Procedure for the Management of Removable Media.
This procedure allows for the correct recording of the details of disposal which must be retained as evidence.
2.7 Record review
The retention and storage of records must be subject to a regular review process carried out under the guidance of management to ensure that:
• The policy on records retention and protection remains valid
• Records are being retained according to the policy
Records Retention and Protection Policy [Insert classification]
• Records are being securely disposed of when no longer required
• Legal, regulatory and contractual requirements are being fulfilled
• Processes for record retrieval are meeting business requirements
The results of these reviews must be recorded.