Home page logo

basics logo Security Basics mailing list archives

RE: Data retention Policy/Data Classification Policy
From: "Hall, Spencer D" <shall () stvincentshealth com>
Date: Tue, 9 Oct 2007 16:24:06 -0400

Any data retention policy goes hand in hand with a good data
classification policy.  I would be interested in seeing a data
classification policy geared to healthcare that takes into account the
recent e-retention/e-discovery statue.

Spencer D. Hall
Sr. Technology Engineer/Information Security Officer
Ascension Health - Jacksonville - Southeast Region
St. Vincent's Health Care - Jacksonville
Spencer.hall () jaxhealth com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Palmer, Mark
Sent: Tuesday, October 09, 2007 2:40 PM
To: Hall, Spencer D; security-basics () securityfocus com; dalmada () sisp cv
Subject: RE: Data retention Policy

What "data" is your company retaining?  

A goal of a PCI effort should be to get businesses to stop retaining
unneeded/unnecessary data like credit card numbers.  

Consult your company's legal & finance teams on all data retention
issues.  You will not likely find a definitive "keep x for y number of
(days, months, years, etc...)" as it depends on the scope of data, the
risk the business is willing/unwilling to take, and what policy and
processes the business has in place to deal with data management.    

Mark Palmer  

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of dalmada () sisp cv
Sent: Monday, October 08, 2007 11:03 AM
To: security-basics () securityfocus com
Subject: Data retention Policy


Can you point me some good links on data retention/disposal policies. It
is a requirement for PCI compliance.
I have googled, SANS, NIST but any luck.

Thank you in advance 


CONFIDENTIALITY NOTICE: This email message and any accompanying data or files is confidential and may contain 
privileged information intended only for the named recipient(s). If you are not the intended recipient(s), you are 
hereby notified that the dissemination, distribution, and or copying of this message is strictly prohibited. If you 
receive this message in error, or are not the named recipient(s), please notify the sender at the email address above, 
delete this email from your computer, and destroy any copies in any form immediately.  Receipt by anyone other than the 
named recipient(s) is not a waiver of any attorney-client, work product, or other applicable privilege.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]