Privacy Ninja

5 Best Practices About Information Retention For Businesses

Today’s organizations rely on information to fuel their business processes. Whether it is healthcare, financial services, hospitality, federal government, retail, telecommunications, or education, every industry holds sensitive assets that malicious hackers can, and will, try to steal.

With the growing amount of information collected by organizations across industries, it’s no wonder that creating and enforcing a robust information retention policy is necessary. Retaining data longer than needed also enlarges the pool an attacker can take in a breach, so a retention policy is a security control as much as a compliance one. However, because of the rapidly changing threat landscape and new data privacy laws and regulations, it can be tricky for organizations to know what information they need to retain and for how long.

Let’s take a look at some information retention best practices and how following them can help your organization establish and enforce a compliant, useful information retention policy suited to its needs.

What is information retention?

Information retention is the process of preserving and maintaining valuable information for as long as it is necessary, and then discarding it securely when it is no longer needed.

How to determine appropriate information retention?

Retention requirements exist for certain types of sensitive information or records, for example sensitive information processed by a computer system, stored on media, or accessed by a staff member. While organizations are free to draft their own information retention policy, they must also adhere to a number of information retention laws, especially if they operate within regulated industries.

Types of Information Retention

Hardware retention – Hardware is typically replaced every 3-5 years. Hardware retention refers to keeping that hardware “until it has been properly sanitized,” as defined in the 7th edition of the CISSP Official Study Guide: a retired disk or device still holds data, so it must not be resold, recycled or discarded before the data on it has been sanitized.

Personnel retention – The same textbook describes a second type, personnel retention, as “the knowledge that personnel gain while employed by an organization.” Non-disclosure agreements (NDAs) signed at hiring prevent employees from sharing proprietary information and trade secrets with others, including after they leave.

In practice, hard- and soft-copy records should not be kept beyond their legal or useful lifetime. A workable information retention policy needs the following steps:

  • Document the policy – simply retaining information is not enough. Federal laws generally require organizations in regulated industries to document the information retention process, so every aspect of this process must be written down and communicated to everyone affected by it.
  • Keep an activity log of everything related to the policy, such as training sessions, auditing checks and results, and record destruction processes.
  • Retention goes hand in hand with security – appropriate security measures are necessary to ward off unauthorized access and inadvertent loss of or damage to the information.
  • Information is to be disposed of properly and securely, in a manner that renders it unrecoverable (for example, by sanitizing storage media before it is reused or discarded).

Below Are The 5 Best Practices About Information Retention For Businesses.

1. Build Your Information Retention Policy Development Team

Not only do you want to include your legal team and accounting professionals, but you also want to make sure you include diverse voices within your company who may also hold a stake in the various information in your system. While your instinct may default to “delete,” your accounting manager may hold valid—if not critically important—reasons for retaining certain records.

Key team members to add to your information retention policy development team include:

  • Staff members responsible for information retention settings
  • In-house legal counsel
  • Departmental managers and supervisors
  • Anyone who receives and manages financial reports
  • Anyone who generates financial reports

2. Determine All the Regulations That Are Applicable to Your Business

A few regulatory bodies and acts that set information retention durations and the conditions for information removal include:

  • The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare organizations (covered entities) and to the business associates that handle protected health information on their behalf.
  • The Sarbanes-Oxley Act (SOX) applies to publicly traded companies in the United States and their auditors, and sets retention requirements for audit and financial records.
  • Internal Revenue Service (IRS) record-keeping requirements apply to every type of business in any location of the United States.
  • The Children’s Online Privacy Protection Act (COPPA) applies to operators of websites and online services directed at children under 13, or that knowingly collect personal information from children under 13, wherever in the United States they operate.
  • The EU’s General Data Protection Regulation (GDPR) applies to any organisation that processes the personal data of individuals in the EU, regardless of where the organisation itself is located.

This step alone is why it is essential to make sure your information retention policy development team includes a legal expert and your accounting team to thoroughly research any relevant laws, policies and regulations germane to your industry and location.

3. Define the Data to Be Included in Your Information Retention Policy

Regardless of your industry or location, there are some general types of information that you must include within your information retention policy, including:

  • Documents
  • Emails and other electronic documents
  • Customer records
  • Transactional information
  • Spreadsheets
  • Contracts
  • Correspondence between staff and clients, agents, vendors, shareholders and the public
  • Supplier and partner information
  • Employee records
  • Sales, invoice and billing information
  • Tax and accounting documentation
  • Financial reports
  • Healthcare and patient information
  • Student and educational information
  • Any other information produced, collected and maintained in the fulfillment of regular business activities

4. Compose Your Information Retention Policy

Once you have determined what happens to old information that you can remove or archive, it is time to write your policy formally. Sections that every information retention policy should include are the:

  • Purpose
  • Applicable Laws, Regulations, Policies, Rules, and Acts
  • Information Retention and Deletion Schedule
  • Litigation Plan
  • Review and Update Schedule
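To show what a retention and deletion schedule looks like once it is enforced rather than only written down, here is an added worked example in Python. It is not Privacy Ninja’s code and not taken from the CISSP guide. It applies a per-class schedule to a constructed record inventory, lets a litigation hold suspend destruction, routes records whose class has no schedule to human review, and appends an audit-log entry for every decision, the activity log called for earlier in the article. The record classes, retention periods, record IDs and dates are illustrative assumptions, not legal retention periods for any jurisdiction.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention schedule: record class -> days to keep after the trigger date
# (end of fiscal year, contract end, last patient visit, ...). These numbers
# are placeholders; the real ones come from the laws identified in step 2.
RETENTION_DAYS: Dict[str, int] = {
    "tax_accounting": 7 * 365,
    "customer_record": 5 * 365,
    "email": 2 * 365,
    "patient_record": 6 * 365,
}


@dataclass
class Record:
    record_id: str
    record_class: str
    trigger_date: date        # the date the retention clock starts
    legal_hold: bool = False  # set by counsel; suspends destruction


@dataclass
class Decision:
    record_id: str
    action: str               # "retain", "hold", "destroy" or "review"
    reason: str


def retention_end(rec: Record) -> Optional[date]:
    """Date on which the record becomes eligible for destruction, or None
    if its class has no entry in the schedule."""
    days = RETENTION_DAYS.get(rec.record_class)
    return None if days is None else rec.trigger_date + timedelta(days=days)


def decide(rec: Record, today: date) -> Decision:
    """Apply the schedule to one record. A hold always wins over the schedule,
    and an unscheduled class is sent to review rather than silently kept
    forever, since over-retention widens what a breach can expose."""
    end = retention_end(rec)
    if end is None:
        return Decision(rec.record_id, "review",
                        f"no schedule for class {rec.record_class!r}")
    if rec.legal_hold:
        return Decision(rec.record_id, "hold",
                        "litigation hold suspends the retention schedule")
    if today < end:
        return Decision(rec.record_id, "retain",
                        f"retention runs until {end.isoformat()}")
    return Decision(rec.record_id, "destroy",
                    f"retention ended on {end.isoformat()}")


def run_schedule(records: List[Record], today: date,
                 audit_log: List[str]) -> List[Decision]:
    """Decide every record and append one audit line per decision, so an
    auditor can later reconstruct why each record was kept or destroyed."""
    decisions = [decide(r, today) for r in records]
    for d in decisions:
        audit_log.append(f"{today.isoformat()} {d.record_id} {d.action}: {d.reason}")
    return decisions


def destruction_queue(decisions: List[Decision]) -> List[str]:
    """IDs that may now be handed to the (separate) secure-destruction step."""
    return [d.record_id for d in decisions if d.action == "destroy"]


# Constructed sample inventory (hypothetical IDs and dates)
SAMPLE_RECORDS: List[Record] = [
    Record("TAX-2015-001", "tax_accounting", date(2015, 12, 31)),
    Record("CUST-0042", "customer_record", date(2021, 6, 1)),
    Record("MAIL-7781", "email", date(2021, 1, 1), legal_hold=True),
    Record("CHAT-0001", "chat_log", date(2019, 3, 3)),  # class missing from schedule
]
AS_OF = date(2024, 1, 15)  # assumed "today" for the run


def demo() -> Dict[str, str]:
    """Run the schedule over the sample inventory; returns record_id -> action."""
    log: List[str] = []
    decisions = run_schedule(SAMPLE_RECORDS, AS_OF, log)
    for line in log:
        print(line)
    print("queued for secure destruction:", destruction_queue(decisions))
    return {d.record_id: d.action for d in decisions}


if __name__ == "__main__":
    demo()
```

Run as a script to print the audit log and the destruction queue. The destruction itself (media sanitization, removal from backups and archives) is deliberately a separate step fed only by `destruction_queue`, so a record under hold or awaiting review can never reach it, and every outcome is logged whether or not anything was deleted.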

5. Make Sure All Employees Are Aware of—and Fully Understand—the Company’s Information Retention Policy

Beta News reported the results of a Harris Poll indicating that 63% of employees did not believe their company had a policy on email retention. Further, employees who did know that the company had information retention policies were not aware of what those policies said. You do not want this scenario for your organization.

You definitely want to keep your employees in the loop when it comes to information retention. You may find it helpful to invite a few employee ambassadors to join occasional information retention policy meetings while you and the rest of the team develop the policy, so they gain a deeper understanding of the reasons behind its various parts.

You never want to leave your vital organizational information to chance at any level, so provide employees with a copy of your information retention policy once it is completed, and conduct regular training and review sessions to keep everyone up to date.
