There are two aspects to data retention: You should ensure that your organization holds data for as long as required — and also that it securely deletes data that is no longer required, in order to reduce the risk of its exposure.
To determine how long to keep certain data, you need to consider both whether the data is still useful to your organization and whether there are any regulations, legal reasons or company policies requiring its retention. In many cases, a company must keep data for longer than the data provides value; for example, your organization might have a policy to retain email data for 7 years regardless of its value. As part of your comprehensive security policies, you should ensure the destruction of unneeded data.
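The rule in the paragraph above (keep data for the longer of its business usefulness and any regulatory or policy period, then dispose of it once every applicable period has passed) can be made mechanical. The following Python is an added example, not code from the original text; the rule set, record identifiers and dates are constructed for illustration, and the 7-year email period mirrors the example given above.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    """One retention requirement for a class of data.

    `source` records why the period exists (regulation, company policy,
    business need) so that the decision is auditable later.
    """
    data_class: str
    years: int
    source: str


# Constructed rules for illustration; real periods come from legal/compliance.
RULES = [
    RetentionRule("email", 7, "company policy"),   # the 7-year email example
    RetentionRule("email", 2, "business need"),    # value to the business ends sooner
    RetentionRule("build-logs", 1, "business need"),
]


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    created: date


# Constructed sample inventory of stored items.
SAMPLE_RECORDS = [
    Record("m-1", "email", date(2015, 3, 1)),
    Record("m-2", "email", date(2019, 6, 15)),
    Record("m-3", "email", date(2016, 2, 29)),     # leap-day edge case
    Record("b-1", "build-logs", date(2023, 1, 10)),
]
AS_OF = date(2024, 6, 1)  # constructed "today" for the example


def required_retention_years(data_class, rules=RULES):
    """The longest applicable period wins: data is kept as long as ANY rule requires."""
    applicable = [r.years for r in rules if r.data_class == data_class]
    if not applicable:
        # Unknown classes must not silently fall through to deletion.
        raise ValueError(f"no retention rule defined for {data_class!r}")
    return max(applicable)


def deletion_due_date(record, rules=RULES):
    """Earliest date on which the record may be securely deleted."""
    years = required_retention_years(record.data_class, rules)
    target_year = record.created.year + years
    try:
        return record.created.replace(year=target_year)
    except ValueError:
        # 29 February with no counterpart in the target year: use 28 February.
        return record.created.replace(year=target_year, day=28)


def records_due_for_deletion(records, today, rules=RULES):
    """Identifiers of records whose full retention period has elapsed as of `today`."""
    return sorted(r.record_id for r in records if deletion_due_date(r, rules) <= today)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, rec.data_class, "due", deletion_due_date(rec))
    print("due for secure deletion:", records_due_for_deletion(SAMPLE_RECORDS, AS_OF))
```

The output list is the input to whatever secure-deletion process the organization uses; the important design point is that a record with no matching rule raises an error rather than being treated as deletable, and that the longest period always wins even when the data stopped being useful years earlier.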
Besides the data itself, this section also covers the hardware and personnel required to access it. Both are easy to overlook, and a retention policy that ignores them is incomplete.
- Hardware. Even if you maintain data for the appropriate retention period, it won’t do you any good if you don’t have hardware that can read the data. For example, if you have data on backup tapes and hold them for 10 years, you run the risk of not being able to read the tapes toward the end of the retention period because tape hardware changes every few years. Thus, you must ensure you have the hardware and related software (tape drives, media readers and so on) needed to get to the data that you are saving.
- Personnel. Suppose your company is retaining data for the required time periods and maintaining hardware to read the data. But what happens if the only person who knew how to operate your tape drives and restore data from them no longer works at the company, and the new team is only familiar with disk-to-disk backup? You might not be able to get to your data! By documenting all the procedures and architecture, you can minimize this risk.