Home page logo

basics logo Security Basics mailing list archives

RE: Data retention Policy
From: "Palmer, Mark" <mpalmer () hoovers com>
Date: Tue, 9 Oct 2007 13:39:59 -0500

What "data" is your company retaining?  

A goal of a PCI effort should be to get businesses to stop retaining
unneeded/unnecessary data like credit card numbers.  

Consult your company's legal & finance teams on all data retention
issues.  You will not likely find a definitive "keep x for y number of
(days, months, years, etc...)" as it depends on the scope of data, the
risk the business is willing/unwilling to take, and what policy and
processes the business has in place to deal with data management.    

Mark Palmer  

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of dalmada () sisp cv
Sent: Monday, October 08, 2007 11:03 AM
To: security-basics () securityfocus com
Subject: Data retention Policy


Can you point me some good links on data retention/disposal policies. It
is a requirement for PCI compliance.
I have googled, SANS, NIST but any luck.

Thank you in advance 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]