Information Retention and Disposal Policy
Source basis
Ported from policies/Core 12 Security Policy - Information Asset Retention Guidelines.md in the legacy ISMS backup. Use this as the current maintained Markdown version and track operational records in core12-isms-management.
Confidential Information
| Type of Information | Retention Period |
|---|---|
| Employee Records | Termination of employment + 5 years |
| Employee Candidate Records | 5 years |
| Accounting / Financial Documents | 7 years |
| Internal PII (Mailing Lists, Leads, etc.) | 5 years |
| Client Data / PII (Distribution Lists, Application Data, etc.) | 2 years or as agreed upon with Client, no more than 5 years. |
Internal Information
| Type of Information | Retention Period |
|---|---|
| Project Documentation | Indefinitely |
| Project Assets | Indefinitely |
| Internal Memorandum / Communications | Indefinitely |
| Policies and Procedures | Indefinitely |
| Email Messages (w/o Confidential Information) | Indefinitely |
Public Information
| Type of Information | Retention Period |
|---|---|
| Marketing Brochures | Indefinitely |
| Press Releases | Indefinitely |
| Website Content | Indefinitely |
| Social Media Content | Indefinitely |
Information Asset Disposal
All information assets, including paper and digital records, must be properly disposed of in accordance with the Core 12 Security Policy - Information Management Schedule.
- Managed devices that are not assigned to an employee must be wiped completely and stored securely until an IT Disposal pickup is scheduled.
- All IT Disposals must be done by an approved 3rd Party Vendor and a certificate of disposal must be retained.
- Cloud providers' security policies regarding disposal are reviewed regularly.