Friday, July 29, 2016

Do your data retention policies match reality?

In a 2009-2010 drug trafficking case, Yahoo was able to produce email that their retention policy stated should not be available. The culprits were convicted in part through email they had written and subsequently deleted. Naturally they would like to know how they surfaced. A US court has now ordered that Yahoo explain how they recovered the email.


Why does that matter to me?


From an information security perspective, data in our possession is both an asset and a liability. An asset in that is can support business operations and enable servicing our customers; a liability in that data that has value to us, may also have value to a third party (whether a public official or someone with criminal intent).

Retention policies serve to manage risk by defining how long an organization believes the value (or regulatory obligations) of data outweighs the risk of that data being compromised. If data remains recoverable beyond the retention policy, it represents an unmanaged and perhaps unrecognized risk.

As an extreme example I once came across a database of customer names, addresses, and credit cards, left exposed on a web server. Incredibly, the database belonged to a company that had stopped using that web hosting business years earlier. There was simply no reason for that database to still exist on those servers. Had the company deleted the no-longer-needed information, there would never have been a breach.

Define retention policies - and then ensure those policies are carried out.


So what? I'm not an information security person


The same principal holds true for personal life. Clean up your data every once in a while.

Pictures may have a lifetime of value. Tax records should be kept for several years (for US readers, the IRS has some guidelines). Credit card records generally can be disposed of once you get your monthly statement (though I personally keep receipts for high-value items until the warranty expires). To grossly paraphrase a quote by Albert Einstein, keep information for as long as it is useful, but no longer.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.