Security Basics mailing list archives

RE: Data retention Policy


From: "Palmer, Mark" <mpalmer () hoovers com>
Date: Tue, 9 Oct 2007 13:39:59 -0500

What "data" is your company retaining?  

A goal of a PCI effort should be to get businesses to stop retaining
unneeded/unnecessary data like credit card numbers.  

Consult your company's legal & finance teams on all data retention
issues.  You will not likely find a definitive "keep x for y number of
(days, months, years, etc...)" as it depends on the scope of data, the
risk the business is willing/unwilling to take, and what policy and
processes the business has in place to deal with data management.    

Mark Palmer  

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of dalmada () sisp cv
Sent: Monday, October 08, 2007 11:03 AM
To: security-basics () securityfocus com
Subject: Data retention Policy

Hi,

Can you point me to some good links on data retention/disposal policies? It
is a requirement for PCI compliance.
I have googled, SANS, NIST but without any luck.

Thank you in advance 

David

