Retain records in accordance with applicable requirements.
CONTROL ID
00968
CONTROL TYPE
Records Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Determine how long to keep records and logs before disposing of them., CC ID: 11661

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A telecommunication service provider must keep records of the information collected in section 10(1), along with any changes in that information. (§ 10(2), South African Interception of Communications Act, No 6/2007)
  • A telecommunication service provider shall store call-related information in accordance with the directive issued under section 12(2). (§ 12(1)(b), South African Interception of Communications Act, No 6/2007)
  • The retention requirement shall be met for retaining information in the form of a data message if the data message information is accessible and usable for subsequent references, when a law requires information to be retained. (§ 9(1)(a), The Electronic Communications and Transactions Act, 2002)
  • The retention requirement shall be met for retaining information in the form of a data message if the data message is in the generated, sent, or received format or in a format that accurately represents the information that was generated, sent, or received, when a law requires information to be reta… (§ 9(1)(b), The Electronic Communications and Transactions Act, 2002)
  • The retention requirement shall be met for retaining information in the form of a data message if the origin, destination, and date and time the data message was sent or received can be determined, when a law requires information to be retained. (§ 9(1)(c), The Electronic Communications and Transactions Act, 2002)
  • Information whose sole purpose is to enable a message to be sent or received does not have to be retained in accordance with section 9(1). (§ 9(2), The Electronic Communications and Transactions Act, 2002)
  • The accreditation authority may determine which records are to be kept and the way and length of time to keep them before accrediting authentication products or authentication services when the products or services are provided by a certification service provider. (§ 30(4)(e), The Electronic Communications and Transactions Act, 2002)
  • A judge shall keep all written confirmations, affidavits, recordings, transcripts, or notes submitted under sections 67(4) and 67(5) for a period of at least 5 years. (§ 67(6), The Electronic Communications and Transactions Act, 2002)
  • A judge shall keep all written confirmations, affidavits, recordings, transcripts, or notes submitted under sections 68(4) and 68(5) for a period of at least 5 years. (§ 68(6), The Electronic Communications and Transactions Act, 2002)
  • A service provider shall ensure proper records are kept for the information collected for entering a contract and any changes to the information. (§ 78(2), The Electronic Communications and Transactions Act, 2002)
  • A service provider shall store call-related information in accordance with the provisions of this act. (§ 79(1)(b), The Electronic Communications and Transactions Act, 2002)
  • subject to subparagraph (ii), 4 years after the day on which they were so entered; (Part 5 Division 3 Section 27(1)(c)(i), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • such longer or shorter period as may be prescribed, either generally or in any particular case, by regulations made under section 70. (Part 5 Division 3 Section 27(1)(c)(ii), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • such that any particulars entered in the log book pursuant to this section are not erased therefrom before the expiration of- (Part 5 Division 3 Section 27(1)(c), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • Standard § II.3(7): The procedures, results, identified deficiencies, and remedial actions of the information on the assessment of internal control over financial reporting should be recorded and retained. Practice Standard § II.3(7)[1]: The following information should be recorded and retained b… (Standard § II.3(7), Practice Standard § II.3(7)[1], Practice Standard § II.3(7)[2], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization shall manage access records by keeping an audit trail for the required period of time. (T37, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization should keep security videos for a predetermined amount of time, based on the frequency of customer notification and other conditions. (O45.5, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Documents (records of revision, request forms for revision, etc.) should be retained for a specified period of time depending on the significance of files concerned. (P29.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Records of the procedures (persons in charge, date and time, details of procedures, etc.) should be retained for a certain period. (P30.3. ¶ 1(3), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In the transactions conducted through CD/ATM, in preparation for any unauthorized use of counterfeit or stolen cards, it is recommended proper functions should be provided to record and manage the transaction information and other required logs. (P10.7. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When taking out backed-up documents, it is necessary to obtain approval from the responsible person in the department and keep the record for a predetermined period. (P45.2. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Additionally, when taking out backed-up data, it is necessary to obtain approval from the person responsible for the department, and to keep the record for a predetermined period. (P39.3. ¶ 4, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In addition, when conducting the maintenance and inspection of facilities, it is necessary to request individual reports on the work to be done in advance, and to compile and retain the results after the work has been completed, as acceptance records. (P54.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The report of the impact assessment on personal information protection and the processing record shall be retained for at least three years. (Article 56 ¶ 2, Personal Information Protection Law of the People's Republic of China)
  • Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, - (§ III.7 (1), India Information Technology Act 2008, 2008)
  • Ensuring record retention requirements are met based on the information owner's requirements (Information custodian ¶ 1 Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An information provider specified by Presidential Decree among those who engage in a business of providing unwholesome media for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in a way to ma… (Article 43(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Every provider of telecommunications billing services shall preserve records of telecommunications billing services during the period, within the limit of five years, prescribed by Presidential Decree. (Article 58(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • A process to collect, process, review and retain system logs should be established to facilitate the FI's security monitoring operations. These logs should be protected against unauthorised access. (§ 12.2.2, Technology Risk Management Guidelines, January 2021)
  • Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion. (Security Control: 1213; Revision: 1, Australian Government Information Security Manual, March 2021)
  • Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia's Administrative Functions Disposal Authority Express Version 2 publication. (Security Control: 0859; Revision: 3, Australian Government Information Security Manual, March 2021)
  • DNS and proxy logs are retained for at least 18 months. (Security Control: 0991; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Following sanitisation, highly classified non-volatile flash memory media retains its classification. (Security Control: 0360; Revision: 5, Australian Government Information Security Manual, March 2021)
  • Backups of important data, software and configuration settings are retained in a secure and resilient manner. (Control: ISM-1811; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Event logs, excluding those for Domain Name System services and web proxies, are retained for at least seven years. (Control: ISM-0859; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Event logs for Domain Name System services and web proxies are retained for at least 18 months. (Control: ISM-0991; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. (Control: ISM-1511; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Backups of important data, software and configuration settings are retained in a secure and resilient manner. (Control: ISM-1811; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Event logs, excluding those for Domain Name System services and web proxies, are retained for at least seven years. (Control: ISM-0859; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Event logs for Domain Name System services and web proxies are retained for at least 18 months. (Control: ISM-0991; Revision: 6, Australian Government Information Security Manual, September 2023)
  • Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. (Control: ISM-1511; Revision: 3, Australian Government Information Security Manual, September 2023)
  • The organization must keep a copy of the decisions to grant noncompliance with any control. (Control: 0003, Australian Government Information Security Manual: Controls)
  • The organization should transfer the raw audit trails to media for secure archiving and secure the manual log records for retention. (Control: 0138 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should store network traffic for at least 7 days after the cyber security incident. (Control: 1213, Australian Government Information Security Manual: Controls)
  • The organization should keep a copy of the Access record for the life of the system to which Access has been granted. (Control: 0407 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must keep event logs for at least 7 years after the action is completed in accordance with the National Archives of Australia's Administrative Functions Disposal Authority. (Control: 0859, Australian Government Information Security Manual: Controls)
  • The organization should keep Domain Name Server logs and proxy logs for at least 18 months. (Control: 0991, Australian Government Information Security Manual: Controls)
  • The organization should keep audit trails in accordance with business requirements, legal requirements, and regulatory requirements. (¶ 75, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should store the network traffic for at least the last seven (7) days. (Mitigation Strategy Effectiveness Ranking 35, Strategies to Mitigate Targeted Cyber Intrusions)
  • The maximum permissible period for retaining personal information of the type listed in sections 18e(1)(b)(i), 18e(1)(b)(ia), 18e(1)(b)(ii), 18e(1)(b)(iii), or 18e(1)(b)(iv) is 5 years commencing on the day the credit report was sought. (§ 18F(2)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The maximum permissible period for retaining personal information of the type listed in section 18e(1)(b)(v) is 14 days commencing on the day the credit reporting agency is notified that the credit provider is no longer a current credit provider for the individual. (§ 18F(2)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The maximum permissible period for retaining personal information of the type listed in section 18e(1)(b)(vi) is 5 years commencing on the day the credit reporting agency was notified of the overdue payment. (§ 18F(2)(c), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The maximum permissible period for retaining personal information of the type listed in section 18e(1)(b)(vii) is 5 years commencing on the day that the second dishonoring of the check occurred. (§ 18F(2)(d), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The maximum permissible period for retaining personal information of the type listed in section 18e(1)(b)(viii) is 5 years commencing on the day the court judgment was made. (§ 18F(2)(e), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The maximum permissible period for retaining personal information of the type listed in section 18e(1)(b)(ix) is 7 years commencing on the day the bankruptcy order was made. (§ 18F(2)(f), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The maximum permissible period for retaining personal information of the type listed in section 18e(1)(b)(x) is 7 years commencing on the day the information was included in the credit information file. (§ 18F(2)(g), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The maximum permissible period for retaining personal information of the type listed in section 18e(1)(ba) is 5 years commencing on the day the credit reporting agency is notified of the overdue payment. (§ 18F(2A), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may retain possession of documents produced for the investigation for any period necessary for the investigation. (§ 44(2A)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting pro… (3.4.2 31(d), Final Report EBA Guidelines on ICT and security risk management)
  • Taking into account Title I of these guidelines, and under the conditions set out in paragraph 23(d), for institutions and payment institutions within a group, institutions permanently affiliated to a central body or institutions that are members of the same institutional protection scheme, the regi… (4.11 53, Final Report on EBA Guidelines on outsourcing arrangements)
  • Providers that are credit institutions regulated by Directive 2013/36/EU shall maintain the technical documentation as part of the documentation concerning internal governance, arrangements, processes and mechanisms pursuant to Article 74 of that Directive. (Article 18 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Providers of high-risk AI systems shall keep the logs automatically generated by their high-risk AI systems, to the extent such logs are under their control by virtue of a contractual arrangement with the user or otherwise by law. The logs shall be kept for a period that is appropriate in the light … (Article 20 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • keep a copy of the EU declaration of conformity and the technical documentation at the disposal of the national competent authorities and national authorities referred to in Article 63(7); (Article 25 2(a), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The provider shall draw up a written EU declaration of conformity for each AI system and keep it at the disposal of the national competent authorities for 10 years after the AI system has been placed on the market or put into service. The EU declaration of conformity shall identify the AI system for… (Article 48 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • the technical documentation referred to in Article 11; (Article 50 ¶ 1(a), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • the documentation concerning the quality management system referred to in Article 17; (Article 50 ¶ 1(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • the documentation concerning the changes approved by notified bodies where applicable; (Article 50 ¶ 1(c), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • the decisions and other documents issued by the notified bodies where applicable; (Article 50 ¶ 1(d), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • the EU declaration of conformity referred to in Article 48. (Article 50 ¶ 1(e), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Are results of these audits reported to management, documented and retained? (Performance evaluation ¶ 5, ISO 22301: Self-assessment questionnaire)
  • Is the documented information controlled in a way that it is available and adequately protected, distributed, stored, retained and under change control, including documents of external origin required by the organization for the BCMS? (Support ¶ 6, ISO 22301: Self-assessment questionnaire)
  • Is there a procedure for issuing alerts and warnings and is this communication regularly exercised and records kept of the results? (Operation ¶ 25, ISO 22301: Self-assessment questionnaire)
  • The results of the conducted reviews are recorded and retained. (1.5.1 Requirements (must) Bullet 5, Information Security Assessment, Version 5.1)
  • Firms are required to keep written records in circumstances where all possible means of identifying the beneficial owner of a body corporate have been taken and the beneficial cannot be identified satisfactorily or at all. In circumstances where the beneficial owner of a body corporate cannot be ide… (3.2.4 ¶ 5, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • Firms must keep copies of any documents and information obtained to meet CDD requirements and sufficient supporting records for transactions for five years after the business relationship ends or five years after an occasional transaction. However, records relating to transactions occurring in a bus… (3.2.11 ¶ 1, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • Part II ¶ 19: The organization must keep the documents that demonstrate it has established an excuse from a liability for employing an illegal migrant worker during the period of employment and for not less than 2 years after employment has been terminated. Part II ¶ 23: The organization should a… (Part II ¶ 19, Part II ¶ 23, Part II ¶ 43, Part IV ¶ 2, Part IV ¶ 6, HMG BASELINE PERSONNEL SECURITY STANDARD, GUIDANCE ON THE PRE-EMPLOYMENT SCREENING OF CIVIL SERVANTS, MEMBERS OF THE ARMED FORCES, TEMPORARY STAFF AND GOVERNMENT CONTRACTORS, Version 3, February 2001)
  • The entity retains PI consistent with its objectives related to privacy. (U4.2, Privacy Management Framework, Updated March 1, 2020)
  • PI is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise. (U4.2 Retains PI, Privacy Management Framework, Updated March 1, 2020)
  • The entity creates and retains a complete, accurate and timely record of authorized disclosures of PI to meet the entity's objectives related to privacy. (D6.2, Privacy Management Framework, Updated March 1, 2020)
  • The entity creates and retains a complete, accurate and timely record of detected or reported unauthorized disclosures (including breaches) of PI to meet the entity's objectives related to privacy. (D6.3, Privacy Management Framework, Updated March 1, 2020)
  • Smelters and refiners should maintain the information generated by the traceability system and the chain of custody for at least 5 years and make the information available to downstream purchasers. (Supplement on Tin, Tantalum, and Tungsten Step 1: C.3(2), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Downstream companies should maintain records for at least 5 years, preferably in a computerized database. (Supplement on Tin, Tantalum, and Tungsten Step 1: C.5(2), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Companies in the supply chain should maintain records for at least 5 years, preferably in a computerized database. (Supplement on Gold Step 1: § I.C.5, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • In addition, organisations must retain records on the implementation of their EU-U.S. DPF practices and make them available upon request in the context of an investigation or a complaint about non-compliance to an independent dispute resolution body or competent enforcement authority. (2.2.7 (46), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • In other cases of removal, such as voluntary withdrawal from participation or failure to recertify, the organisation must either delete or return the data, or may retain it, provided it affirms to the DoC on an annual basis its commitment to continue to apply the Principles or provides adequate prot… (2.3.2 (55), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Does the CSP have any business, legal or regulatory requirements that could impact retention of client data? (Appendix D, Protect Cardholder Data Bullet 3, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Enable historical logging of wireless access that can provide granular wireless device information and store event logs and statistics for at least 12 months (with 90 days immediately accessible). (4.3.5 B, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Examine the data retention and disposal policies, procedures, and processes to verify they include the legal requirements, business requirements, and regulatory requirements for data retention, including specific retention requirements. (Testing Procedures § 3.1.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the anti-virus configurations, including the master installation, to verify that the anti-virus logs are retained in accordance with Payment Card Industry Data Security Standard requirement 10.7. (Testing Procedures § 5.2.d Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the audit logs to verify they are kept for at least 1 year. (Testing Procedures § 10.7.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and observe processes to verify at least 3 months of audit logs can be immediately restored for analysis. (Testing Procedures § 10.7.c, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure audit trails are retained for at least 1 year and must have the last 3 months available for immediate analysis. (§ 10.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The audit trail history must be kept for at least 1 year, with a minimum of 3 months available for immediate analysis. (PCI DSS Requirements § 10.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Ensure that all anti-virus mechanisms are maintained as follows: are kept current; perform periodic scans; generate audit logs which are retained per PCI DSS Requirement 10.7. (5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Retention of records and documentation for at least 12 months, covering all BAU activities (A3.3.3 Bullet 6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are audit log retention policies and procedures in place and do they require that logs are retained for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)? (10.7 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Does all stored cardholder data meet the requirements defined in the data-retention policy? (3.1(e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Does all stored cardholder data meet the requirements defined in the data-retention policy? (3.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Does all stored cardholder data meet the requirements defined in the data-retention policy? (3.1(e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements? (3.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Retention of records and documentation for at least 12 months, covering all BAU activities. (A3.3.3 Bullet 6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine anti-malware solution(s) configurations to verify logs are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is data storage amount and retention time limited to that required for legal, regulatory, and business requirements? (PCI DSS Question 3.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is data storage amount and retention time limited to that required for legal, regulatory, and business requirements? (PCI DSS Question 3.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is data storage amount and retention time limited to that required for legal, regulatory, and business requirements? (PCI DSS Question 3.1(a), PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All logging-generated data should be maintained for a defined time period after which the data should be destroyed. The retention period should be based on regulatory and audit requirements, corporate policies, the access being logged, and data storage constraints. (§ 3.4.5 ¶ 2, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • Records of any nonconformities and the actions that were taken and concessions that were obtained shall be maintained. (§ 4.2.7 ¶ 5, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The organization shall retain test data for a minimum of 5 years. (§ 4.2.6.2 ¶ 1, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The organization shall retain all summary reports, inspection and test data results, and images for a minimum of 5 years. (§ 4.2.6.8.1 ¶ 1, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The organization shall maintain records of all audits and their results. (§ 4.2.11 ¶ 4, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The organization must develop, implement, and maintain procedures to set parameters for document retention and archiving. (§ 4.4.5 ¶ 2(e), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Contracts regarding customer access to the organization's business applications should be retained by an appropriate business function (e.g., the procurement or legal department). (CF.05.02.01d, The Standard of Good Practice for Information Security)
  • Contracts regarding customer access to the organization's business applications should be retained by an appropriate business function (e.g., the procurement or legal department). (CF.05.02.01d, The Standard of Good Practice for Information Security, 2013)
  • Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs. (LOG-02, Cloud Controls Matrix, v4.0)
  • Data retention, archiving and deletion is managed in accordance with business requirements, applicable laws and regulations. (DSP-16, Cloud Controls Matrix, v4.0)
  • Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. (CIS Control 8: Audit Log Management, CIS Controls, V8)
  • Retain audit logs across enterprise assets for a minimum of 90 days. (CIS Control 8: Safeguard 8.10 Retain Audit Logs, CIS Controls, V8)
  • The project plan shall be stored in the medical Information Technology network Risk Management file. (§ 4.5.2.3 ¶ 3, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall keep records for a period at least equivalent to the medical device lifetime, but not less than 2 years from the product release date or as specified by regulatory requirements. (§ 4.2.4 ¶ 2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall retain documented information as evidence of the results of management reviews. (§ 9.3 ¶ 4, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • the nature of the nonconformities and any subsequent actions taken; (§ 10.2 ¶ 3 Bullet 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • the results of any corrective action. (§ 10.2 ¶ 3 Bullet 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall retain documented information as evidence of its communications, as appropriate. (§ 7.4.1 ¶ 4, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall maintain documented information to the extent necessary to have confidence that the processes have been carried out as planned. (§ 8.1 ¶ 5, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results. (§ 9.1.1 ¶ 6, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall retain documented information as evidence of the compliance evaluation result(s). (§ 9.1.2 ¶ 3, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • Organizations should retain documented information as evidence of its communications, as appropriate, in order to: (7.4.1 ¶ 6, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • Documented information in the form of processes, plans and programmes, for example, should be maintained, as appropriate, to ensure consistency, timeliness and repeatability of outcomes. Documented information in the form of records should be retained as evidence of the results achieved or activitie… (7.5.1 ¶ 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • Written procedures for conducting monitoring, measurement, analysis and evaluation can help to provide consistency, reproducibility and reliability of the data produced. The results of monitoring, measurement analysis and evaluation should be retained as documented information. (9.1.1 ¶ 9, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization should retain documented information as evidence of its evaluation of compliance. This could include: (9.1.2 ¶ 11, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization should retain documented information on the implementation process as a basis for planning and implementing improvements, and as evidence of achievements. (§ 6.1 ¶ 9, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • The organization shall verify that project closure documentation is kept after the project is closed. (§ 6.2.3.3(c)(2).note, ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall maintain organizational access information. (§ 6.2.4.3(d)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall archive the records and results of the project in accordance with the agreement. (§ 6.3.2.3(c)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall maintain a record of all opportunities and problems in accordance with agreements and procedures and in a way to allow auditing and learning from experience. (§ 6.3.3.3(c)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall define the information, in accordance with legislation, agreements, or policy, it will maintain for a defined period after the system lifecycle is complete. (§ 6.3.6.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Continuing retention is addressed as a method of disposition. If a record is to be retained for a longer period of time, the standard offers three methods: copying, conversion and migration. (§ 4.3.9.2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • All records that are created or captured must have a retention period assigned to them. (§ 4.2.4.2 ¶ 6, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Documented information prepared for, and resulting from, the audit should be retained at least until audit completion, or as specified in the audit programme. Retention of documented information after audit completion is described in 6.6. Documented information created during the audit process invol… (§ 6.3.4 ¶ 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Documented information pertaining to the audit should be retained or disposed of by agreement between the participating parties and in accordance with audit programme and applicable requirements. (§ 6.6 ¶ 2, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The organization should retain documented information on the compliance risks and on the planned actions to address them. (§ 6.1 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should retain documented information on the compliance objectives and on the planned actions to achieve them. (§ 6.2 ¶ 4, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should retain appropriate documented information as evidence of the results. (§ 9.1.1 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should retain documented information as evidence of the results of management reviews and a copy should be provided to the governing body. (§ 9.3 ¶ 5, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the results of any corrective action. (§ 10.1.1 ¶ 3 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • recorded and retained. (§ 7.2.2 ¶ 4 j), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Records shall be kept to show the organization conforms to the requirements and the effective operation of the service management system. (§ 4.3.3 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall maintain management review records. (§ 4.5.4.3 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall retain documented information on the business continuity policy. (§ 5.3 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall retain documented information on the business continuity objectives. (§ 6.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall retain appropriate documented information as evidence of the results. (§ 9.1.1 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. (§ 8.1 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • — take action when necessary to address adverse trends or results before a nonconformity occurs, and — retain relevant documented information as evidence of the results. (§ 9.1.1 ¶ 4, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall retain documented information as evidence of the results of management reviews. (§ 9.3 ¶ 5, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall retain documented information as evidence of - the nature of the nonconformities and any subsequent actions taken, and - the results of any corrective action. (§ 10.1 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall retain documented information on the business continuity objectives. (§ 6.2.1 ¶ 3, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. (§ 8.1 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the nature of the nonconformities and any subsequent actions taken; (§ 10.1.3 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall retain appropriate documented information as evidence of the results. (§ 9.1 ¶ 2, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall retain documented information as evidence of the results of management reviews. It shall: (§ 9.3.3.2, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall retain documented information as evidence of: (§ 10.1.3, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the results of any corrective action. (§ 10.1.3 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall retain documented information as evidence of the results of management reviews. (§ 9.3 ¶ 4, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall retain documented information on the information security objectives. (§ 6.2 ¶ 3, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall retain documented information about the information security risk assessment process. (§ 6.1.2 ¶ 2, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall retain documented information of the results of the information security risk assessments. (§ 8.2 ¶ 2, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall retain documented information of the results of the information security risk treatment. (§ 8.3 ¶ 2, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • the nature of the nonconformities and any subsequent actions taken, and (§ 10.1 ¶ 3 f), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall retain appropriate documented information as evidence of the monitoring and measurement results. (§ 9.1 ¶ 3, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • the results of any corrective action. (§ 10.1 ¶ 3 g), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall retain documented information about the information security risk treatment process. (§ 6.1.3 ¶ 2, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall retain documented information on the compliance risk assessment and on the actions to address its compliance risks. (§ 4.6 ¶ 5, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall retain documented information on the investigation. (§ 8.4 ¶ 5, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • retain documented information as evidence of its communications, as appropriate; (§ 7.4 ¶ 2 bullet 5, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • Documented information shall be available as evidence of the results. (§ 9.1.1 ¶ 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the results of any corrective action. (§ 10.2 ¶ 3 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the nature of the nonconformities or noncompliances, or both, and any subsequent actions taken; (§ 10.2 ¶ 3 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • Documented information shall be available as evidence of the results of management reviews. (§ 9.3.3 ¶ 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall maintain and retain documented information on its legal requirements and other requirements and shall ensure that it is updated to reflect any changes. (§ 6.1.3 ¶ 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall retain documented information as evidence of its communications, as appropriate. (§ 7.4.1 ¶ 6, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall retain appropriate documented information: (§ 9.1.1 ¶ 5, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • maintaining and retaining documented information to the extent necessary to have confidence that the processes have been carried out as planned; (§ 8.1.1 ¶ 1 c), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall maintain and retain documented information on the process(es) and on the plans for responding to potential emergency situations. (§ 8.2 ¶ 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • on the maintenance, calibration or verification of measuring equipment. (§ 9.1.1 ¶ 5 Bullet 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • retain documented information of the compliance evaluation result(s). (§ 9.1.2 ¶ 2 d), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall retain documented information as evidence of the results of management reviews. (§ 9.3 ¶ 5, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • maintaining and retaining documented information as evidence of continual improvement. (§ 10.3 ¶ 1 e), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • the results of any action and corrective action, including their effectiveness. (§ 10.2 ¶ 4 Bullet 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall retain documented information as evidence of: (§ 10.2 ¶ 4, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • the nature of the incidents or nonconformities and any subsequent actions taken; (§ 10.2 ¶ 4 Bullet 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization's methodology(ies) and criteria for the assessment of OH&S risks shall be defined with respect to their scope, nature and timing to ensure they are proactive rather than reactive and are used in a systematic way. Documented information shall be maintained and retained on the methodo… (§ 6.1.2.2 ¶ 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • § 8.3: For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall keep retrievable records of the history of configuration items and the system configuration. § 9.5: For software systems assigned to Class A, Class B, and Class C so… (§ 8.3, § 9.5, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • The organization shall retain appropriate documented information as evidence of the results. (9.1.1 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall retain documented information as evidence of the results of management reviews. (9.3.3 ¶ 2, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the results of any corrective action. (10.2.2 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall retain appropriate documented information as evidence of fitness for purpose of the monitoring and measurement resources. (7.1.5.1 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • design and development changes; (8.3.6 ¶ 2(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the results of reviews; (8.3.6 ¶ 2(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented inform… (8.4.1 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall retain documented information on the release of products and services. The documented information shall include: (8.6 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall retain documented information on design and development outputs. (8.3.5 ¶ 2, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information; (7.1.5.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the nature of the nonconformities and any subsequent actions taken; (10.2.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred. (8.5.3 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • documented information of these activities is retained. (8.3.4 ¶ 1(f), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • retain documented information to have confidence that the processes are being carried out as planned. (4.4.2 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall maintain documented information on the quality objectives. (6.2.1 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall retain documented information on design and development inputs. (8.3.3 ¶ 4, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • on the results of the review; (8.2.3.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • on any new requirements for the products and services. (8.2.3.2 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • describes any concessions obtained; (8.7.2 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • describes the actions taken; (8.7.2 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • describes the nonconformity; (8.7.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • identifies the authority deciding the action in respect of the nonconformity. (8.7.2 ¶ 1(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall retain appropriate documented information as evidence of the results. (§ 9.1.1 ¶ 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall retain documented information as evidence of the results of management reviews. (§ 9.3 ¶ 5, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the results of any corrective action. (§ 10.1 ¶ 3 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall retain documented information on the compliance objectives. (§ 6.2 ¶ 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall retain documented information on the compliance risk assessment and on the actions to address its compliance risks. (§ 6.4 ¶ 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall retain documented information as evidence of its communications, as appropriate. (§ 7.4 ¶ 6, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall retain documented information on the investigation. (§ 8.4 ¶ 5, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the results of any corrective action. (Section 10.1 ¶ 3 bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall retain documented information as evidence of the results of management reviews. (Section 9.3 ¶ 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • keeping documented information to the extent necessary to have confidence and evidence that the processes have been carried out as planned; and (Section 8.1 ¶ 1 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall retain documented information about the IT asset risk assessment process. (Section 6.1.2 ¶ 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall retain appropriate documented information as evidence of the results of monitoring, measurement, analysis and evaluation. (Section 9.1 ¶ 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall retain documented information about the IT asset risk treatment process. (Section 6.1.3 ¶ 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall retain documented information on the IT asset management objectives. (Section 6.2.3 ¶ 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the nature of the nonconformities or incident and any subsequent actions taken; and (Section 10.1 ¶ 3 bullet 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall retain documented information as evidence of the results of management reviews. (§ 9.3 ¶ 4, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization shall retain documented information on the service management objectives. (§ 6.2.1 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • the results of any corrective action. (§ 10.1.2 ¶ 1(b), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • the nature of the nonconformities and any subsequent actions taken; (§ 10.1.2 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization shall retain appropriate documented information as evidence of the results. (§ 9.1 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization shall retain documented information about the information security risk assessment process. (§ 6.1.2 ¶ 2, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization shall retain documented information on the information security objectives. (§ 6.2 ¶ 3, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization shall retain documented information of the results of the information security risk treatment. (§ 8.3 ¶ 2, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization shall retain documented information of the results of the information security risk assessments. (§ 8.2 ¶ 2, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Documented information shall be available as evidence of the results. (§ 9.1 ¶ 2, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results. (§ 9.2.2 ¶ 4, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Documented information shall be available as evidence of the results of management reviews. (§ 9.3.3 ¶ 2, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • the results of any corrective action. (§ 10.2 ¶ 3 g), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization shall retain documented information about the information security risk treatment process. (§ 6.1.3 ¶ 2, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Documented information may be retained in any form, e.g. traditional documents (in both paper and electronic form), web pages, databases, computer logs, computer generated reports, audio and video. Moreover, documented information may consist of specifications of intent (e.g. the information securit… (§ 7.5.2 Guidance ¶ 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization performs information security risk assessments and retains documented information on their results. (§ 8.2 Required activity, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization should establish the appropriate retention period for documented information according to its intended validity and other relevant requirements. The organization should ensure that information is legible throughout its retention period (e.g. using formats that can be read by availab… (§ 7.5.3 Guidance ¶ 5, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization implements the information security risk treatment plan and retains documented information on the results of the information security treatment. (§ 8.3 Required activity, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Documented information from management reviews is required. It should be retained to demonstrate that consideration has been given to (at least) all the areas listed in ISO/IEC 27001, even where it is decided that no action is necessary. (§ 9.3 Guidance ¶ 7, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • specification of records to be kept. (§ 7.4 ¶ 1 Bullet 6, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The entity retains personal information consistent with the entity's objectives related to privacy. (P4.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise. (P4.2 ¶ 2 Bullet 1 Retains Personal Information, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity's objectives related to privacy. (P6.3 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Prior versions of the privacy notice are retained in accordance with internal requirements to document prior communications. (P1.1 ¶ 2 Bullet 7 Retains Prior Notices, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained to support the achievement of entity objectives related to privacy. (P3.2 ¶ 2 Bullet 2 Documents Explicit Consent to Retain Information, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Confidential information is retained for no longer than necessary to fulfill the identified purpose, unless a law or regulation specifically requires otherwise. (C1.1 ¶ 2 Bullet 2 Retains Confidential Information, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have. (Part 1 Division 1 Section 8 (8) Retention of information, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough … (Schedule 1 4.5.2, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • Data is maintained, stored, retained and destroyed according to the organization's data retention policy. (PR.IP-6.1, CRI Profile, v1.2)
  • The organization's activity logs and other security event logs are reviewed and are retained in a secure manner for an appropriate amount of time. (PR.PT-1.2, CRI Profile, v1.2)
  • The organization establishes relevant system logging policies that include the types of logs to be maintained and their retention periods. (DE.CM-1.1, CRI Profile, v1.2)
  • Data is maintained, stored, retained and destroyed according to the organization's data retention policy. (PR.IP-6.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization's activity logs and other security event logs are reviewed and are retained in a secure manner for an appropriate amount of time. (PR.PT-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Retains individual training records for [Assignment: organization-defined time period]. (AT-4b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Retains individual training records for [Assignment: organization-defined time period]. (AT-4b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Retains individual training records for [Assignment: organization-defined time period]. (AT-4b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Retains individual training records for [Assignment: organization-defined time period]. (AT-4b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should keep personal information for no longer than is necessary for the identified purposes, unless specifically required by a law or regulation. (Generally Accepted Privacy Principles and Criteria § 5.2.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should keep, store, and dispose of backup copies and archived copies of records in accordance with the retention policies. (Table Ref 5.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should verify that personal information is not kept longer than the retention time, unless a justified legal reason or business reason exists. (Table Ref 5.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • After the documentation completion date, the practitioner should not delete or discard documentation of any nature before the end of its retention period. (AT-C Section 105.36, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise. (P4.2 Retains Personal Information, Trust Services Criteria)
  • Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy. (P3.2 Documents Explicit Consent to Retain Information, Trust Services Criteria)
  • The entity retains personal information consistent with the entity's objectives related to privacy. (P4.2, Trust Services Criteria)
  • The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity's objectives related to privacy. (P6.3, Trust Services Criteria)
  • The entity retains personal information consistent with the entity's objectives related to privacy. (P4.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy. (P3.2 ¶ 2 Bullet 2 Documents Explicit Consent to Retain Information, Trust Services Criteria, (includes March 2020 updates))
  • Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise. (P4.2 ¶ 2 Bullet 1 Retains Personal Information, Trust Services Criteria, (includes March 2020 updates))
  • The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity's objectives related to privacy. (P6.3 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • The entity retains confidential information to meet the entity’s confidentiality commitments and system requirements. (C1.7, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • The entity retains personal information consistent with the entity’s privacy commitments and system requirements. (P4.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • System output is complete, accurate, distributed, and retained to meet the entity’s processing integrity commitments and system requirements. (PI1.5, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • The Licensee shall maintain records concerning all Cybersecurity Events for a period of at least five years from the date of the Cybersecurity Event and shall produce those records upon demand of the Commissioner. (Section 5.D, Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Annually, each insurer domiciled in this State shall submit to the Commissioner, a written statement by February 15, certifying that the insurer is in compliance with the requirements set forth in Section 4 of this Act. Each insurer shall maintain for examination by the Department all records, sched… (Section 4.I ¶ 1, Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • A licensee shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information. (Section 19.D, Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - BES Cyber System Categorization CIP-002-5.1a, Version 5.1a)
  • The Responsible Entities shall keep data or evidence of each Requirement in this Reliability Standard for three calendar years. (C. 1. 1.2. ¶ 2 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Communications between Control Centers CIP-012-1, Version 1)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records. (C. 1. 1.2. ¶ 2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Communications between Control Centers CIP-012-1, Version 1)
  • Each applicable entity shall retain evidence of each requirement in this standard for three calendar years. (C. 1. 1.2. ¶ 2 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records. (C. 1. 1.2. ¶ 2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three ca… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records. (C. 1. 1.2. ¶ 2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Each applicable entity shall retain evidence of each requirement in this standard for three calendar years. (C. 1. 1.2. ¶ 2 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three ca… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-5, Version 5)
  • Each applicable entity shall retain evidence of each requirement in this standard for three calendar years. (C. 1. 1.2. ¶ 2 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-6, Version 6)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records. (C. 1. 1.2. ¶ 2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-6, Version 6)
  • Each applicable entity shall retain evidence of each requirement in this standard for three calendar years. (C. 1. 1.2. ¶ 2 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-7, Version 7)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records. (C. 1. 1.2. ¶ 2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-7, Version 7)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • Retain records related to Reportable Cyber Security Incidents. (CIP-008-5 Table R2 Part 2.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-5, Version 5)
  • Each Responsible Entity shall retain evidence of each requirement in this standard for three calendar years. (C. 1. 1.2. ¶ 2 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records. (C. 1. 1.2. ¶ 2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Incident Reporting and Response Planning CIP-008-6, Version 6)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three ca… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Information Protection CIP-011-2, Version 2)
  • The applicable entity shall retain evidence of each requirement in this standard for three calendar years. (B. 1. 1.2. ¶ 2 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Information Protection CIP-011-3, Version 3)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records. (B. 1. 1.2. ¶ 2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Information Protection CIP-011-3, Version 3)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records. (C. 1. 1.2. ¶ 2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • Retain physical access logs of entry of individuals with authorized unescorted physical access into each Physical Security Perimeter for at least ninety calendar days. (CIP-006-6 Table R1 Part 1.9 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Physical Security of BES Cyber Systems CIP-006-6, Version 6)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three ca… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Physical Security of BES Cyber Systems CIP-006-6, Version 6)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records. (C. 1. 1.2. ¶ 2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Each Responsible Entity shall retain evidence of each requirement in this standard for three calendar years. (C. 1. 1.2. ¶ 2 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records. (C. 1. 1.2. ¶ 2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-1)
  • Each Responsible Entity shall retain evidence of each requirement in this standard for three calendar years. (C. 1. 1.2. ¶ 2 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-1)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records. (C. 1. 1.2. ¶ 2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-2, Version 2)
  • Each Responsible Entity shall retain evidence of each requirement in this standard for three calendar years. (C. 1. 1.2. ¶ 2 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-2, Version 2)
  • Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances. (CIP-007-6 Table R4 Part 4.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - System Security Management CIP-007-6, Version 6)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - System Security Management CIP-007-6, Version 6)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records, subject to the confidentiality provisions of Section 1500 of the Rules of Procedure and the provisions of Section 1.4 below. (C. 1. 1.2. ¶ 5, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • The responsible entities shall retain documentation as evidence for three years. (C. 1. 1.2. ¶ 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • The responsible entities shall retain documentation as evidence for three years. (C. 1. 1.2. ¶ 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • The CEA shall keep the last audit records and all requested and submitted subsequent audit records, subject to the confidentiality provisions of Section 1500 of the Rules of Procedure and the provisions of Section 1.4 below. (C. 1. 1.2. ¶ 5, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • On UNIX computers or Linux computers that transmit scoped data, are Operating System logs retained for at least one year? (§ G.16.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, are Operating System logs retained for at least one year? (§ G.16.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that transmit scoped data, are logs retained for at least one year? (§ G.17.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, are logs retained for at least one year? (§ G.17.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, are logs retained for at least one year? (§ G.17.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, are logs retained for at least one year? (§ G.18.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, are logs retained for at least one year? (§ G.18.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, are logs retained for at least one year? (§ G.18.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that transmit scoped data, are logs retained for at least one year? (§ G.19.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that process scoped data, are logs retained for at least one year? (§ G.19.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that store scoped data, are logs retained for at least one year? (§ G.19.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that transmit scoped data, are logs retained for at least one year? (§ G.20.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that process scoped data, are logs retained for at least one year? (§ G.20.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that store scoped data, are logs retained for at least one year? (§ G.20.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are logs retained for at least one year? (§ V.1.72.7, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • § 422.504(d): A Medicare Advantage (MA) organization must maintain records, books, documents, and other evidence of their accounting procedures and practices for 10 years. These documents must be sufficient to accommodate periodic auditing; enable Centers for Medicare & Medicaid Services (CMS) to i… (§ 422.504(d), § 495.8(c)(2), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • System and components must be archived and maintained for 3 years after the system is retired. (§ 2.10, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • CSR 1.8.8: The organization must retain final risk determinations and approvals, residual risk, and written agreements on the security controls that are used. CSR 1.12.7: The organization must keep inspection reports, including self-assessment reports, corrective actions, and supporting documentation, for … (CSR 1.8.8, CSR 1.12.7, CSR 2.1.11, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • § 2.10: The system security plan and all accredited versions must be archived in accordance with federal requirements. The system and components must be archived and maintained for 3 years after the system is retired. § 3.4: Security documents that are used to support the C&A process must be kept … (§ 2.10, § 3.4, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • An operator of a Web site or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator must delete such information using reasonable measures to protect again… (§ 312.10 ¶ 1, 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • Provided, however, that if such associated person has been registered as a registered representative of such member, broker or dealer with, or the associated person's employment has been approved by a registered national securities association or a registered national securities exchange, then reten… (§ 240.17a-3 (a)(12)(i) (I), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • The records required by § 240.17Ad-6(a)(1), (3)(i), (6) or (11) shall be maintained for a period of not less than two years, the first six months in an easily accessible place. (§ 240.17Ad-7(a), 17 CFR Part 240.17Ad-7 - Record retention)
  • The records required by § 240.17Ad-6(a) (2), (3)(ii), (4), (5) or (7) shall be maintained for a period of not less than two years, the first year in an easily accessible place. (§ 240.17Ad-7(b), 17 CFR Part 240.17Ad-7 - Record retention)
  • The records required by § 240.17Ad-6(a) (8), (9) and (10) and (b) shall be maintained in an easily accessible place during the continuance of the transfer agency and shall be maintained for one year after termination of the transfer agency. (§ 240.17Ad-7(c), 17 CFR Part 240.17Ad-7 - Record retention)
  • The records required by § 240.17Ad-6(c) shall be maintained for a period of not less than six years, the first six months in an easily accessible place. (§ 240.17Ad-7(d), 17 CFR Part 240.17Ad-7 - Record retention)
  • All records required under § 240.17f-2(d) until at least three years after the termination of employment of those persons required by § 240.17f-2 to be fingerprinted; and (§ 240.17Ad-7(e)(1), 17 CFR Part 240.17Ad-7 - Record retention)
  • Maintain separately from the originals duplicates of the records and the index that you store on electronic storage media or micrographic media. You may store the duplicates of the indexed records on any medium permitted by this section. You must preserve the duplicate records and index for the same… (§ 240.17Ad-7(f)(2)(v), 17 CFR Part 240.17Ad-7 - Record retention)
  • The records required by §§ 240.17Ad-17(d) and 240.17Ad-19(c) shall be maintained for a period of not less than three years, the first year in an easily accessible place. (§ 240.17Ad-7(i), 17 CFR Part 240.17Ad-7 - Record retention)
  • Be preserved for the same time that is required by this section for the underlying records. (§ 240.17Ad-7(f)(4)(ii), 17 CFR Part 240.17Ad-7 - Record retention)
  • Security controls to preserve the integrity of records. No SEC rules further address continued retention. (§ 240.17Ad-7(3)(i), 17 CFR Part 240.17Ad-7, Record retention)
  • Make, keep, and preserve records relating to all such SCI events; and (§242.1002(b)(5)(i), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • The agency or institution shall maintain the record with the education records of the student as long as the records are maintained. (§ 99.32(a)(2), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • All records required to be kept by the Bank Secrecy Act (BSA) must be retained for 5 years. (Pg 8, Obj 3 (Reporting, Record Keeping, and Record Retention), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Review a sample of records to determine if the organization retained the records for at least 5 years. (Pg 8, Obj 3 (Reporting, Record Keeping, and Record Retention), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Information may be retained in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing within the meaning of 5(a). This obligation does not prevent organizations from processing personal information for longer periods for the time and to the ext… (II.5.b., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must retain their records on the implementation of their EU-U.S. DPF privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent dispute resolution body responsible for investigating complaints or to t… (III.7.e., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with u… (§ III.7.e., EU-U.S. Privacy Shield Framework Principles)
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (§ II.5.a., EU-U.S. Privacy Shield Framework Principles)
  • Information may be retained in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing within the meaning of 5(a). This obligation does not prevent organizations from processing personal information for longer periods for the time and to the ext… (ii.5.b., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must retain their records on the implementation of their Swiss-U.S. DPF privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent dispute resolution body responsible for investigating complaints or … (iii.7.e., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Information may be retained in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing within the meaning of 5(a). This obligation does not prevent organizations from processing personal information for longer periods for the time and to the ext… (II.5.b., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must retain their records on the implementation of their EU-U.S. DPF privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent dispute resolution body responsible for investigating complaints or to t… (III.7.e., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The organization should keep the records on how it implements the safe harbor principles and make them available for an investigation or complaint about noncompliance. (FAQ-Verification ¶ 3, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The CSP will maintain captured incident information for at least 90 days from the submission of the required cyber incident report to allow DoD to request the information or decline interest. This requirement applies to the underlying infrastructure supporting IaaS, PaaS, and SaaS, the systems and a… (Section 6.5.4.2 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The audit records must be retained for at least one year. (ECRR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The end users' non-disclosure forms should be treated and retained as official records. (PRNK-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The audit records must be retained for 5 years, if it contains Source and Methods Intelligence. (ECRR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Records on personnel removed from the system must be retained for 90 days. Classified material that is received or generated under a contract may be retained by the contractor for 2 years after completion of the contract. Destruction records for Top Secret material must be kept for 2 years. Records … (§ 5-313.i, § 5-701, § 5-707, § 5-902.d, § 5-902.e, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Records shall be kept for a time period equal to the design and expected life of the device, but not less than 2 years from the commercial distribution release date. (§ 820.180(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Provide records and compliance reports. A covered entity or business associate must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered e… (§ 160.310(a), 45 CFR Part 160 - General Administrative Requirements)
  • Signed authorizations must be documented and retained in accordance with § 164.530(j). (§ 164.508(b)(6), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Copies of the notices issued by the covered entity must be retained to document its compliance with the notice requirements, along with the written acknowledgments and documentation of the efforts to obtain acknowledgment. (§ 164.520(e), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Agreed upon restrictions must be documented in accordance with § 164.530(j). (§ 164.522(a)(3), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The titles of the offices or persons responsible to receive and process amendment requests must be documented and retained in accordance with § 164.530(j). (§ 164.526(f), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The following must be documented and retained in accordance with § 164.530(j): the required information in an accounting for disclosures of protected health information that are subject to an accounting; the written accounting provided to an individual; and the titles of the offices or persons resp… (§ 164.528(d), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. (§ 164.316(b)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by §164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation… (§ 164.520(e), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Implementation specification: Documentation. A covered entity must document the following and retain the documentation as required by §164.530(j): (§ 164.524(e), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Implementation specification: Documentation. A covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation as required by §164.530(j). (§ 164.526(f), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Implementation specification: Retention period. A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later. (§ 164.530(j)(2), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The written accounting that is provided to the individual under this section; and (§ 164.528(d)(2), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and (§ 164.530(j)(1)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation. (§ 164.530(j)(1)(iii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Documented evidence of all test input data, testing procedures, and test results for user site testing should be kept. (§ 5.2.6 ¶ 4, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • User site testing records should be maintained for proper system performance and system failures. (§ 5.2.6 ¶ 8, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The agency shall track and document security incidents on an ongoing basis. The CSA ISO shall maintain completed security incident reporting forms until the subsequent FBI triennial audit or until legal action (if warranted) is complete; whichever time-frame is greater. (§ 5.3.4 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall retain audit records for at least one (1) year. Once the minimum retention time period has passed, the agency shall continue to retain audit records until it is determined they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for e… (§ 5.4.6 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Logs of access privilege changes shall be maintained for a minimum of one year or at least equal to the agency's record retention policy – whichever is greater. (§ 5.5.2.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • A log shall be maintained for a minimum of one (1) year on all NCIC and III transactions. The III portion of the log shall clearly identify both the operator and the authorized receiving agency. III logs shall also clearly identify the requester and the secondary recipient. The identification on the… (§ 5.4.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall retain audit records for at least one (1) year. Once the minimum retention time period has passed, the agency shall continue to retain audit records until it is determined they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for e… (§ 5.4.6 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Logs of access privilege changes shall be maintained for a minimum of one year or at least equal to the agency's record retention policy – whichever is greater. (§ 5.5.2.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The agency shall track and document security incidents on an ongoing basis. The CSA ISO shall maintain completed security incident reporting forms until the subsequent FBI triennial audit or until legal action (if warranted) is complete; whichever time-frame is greater. (§ 5.3.4 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • A log shall be maintained for a minimum of one (1) year on all NCIC and III transactions. The III portion of the log shall clearly identify both the operator and the authorized receiving agency. III logs shall also clearly identify the requester and the secondary recipient. The identification on the… (§ 5.4.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Audit log records and other security event logs are reviewed and retained in a secure manner. (Domain 2: Assessment Factor: Monitoring and Analyzing, MONITORING AND ANALYZING Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Log retention policies that meet incident response and analysis needs. (App A Objective 6.35.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Archived data should be retained in accordance with the retention requirements. System documentation should be archived in case a system needs to be reinstalled into the production environment. (Pg 32, FFIEC IT Examination Handbook - Development and Acquisition)
  • The monitoring system is automated and accumulates entries for a period at least as long as the average ACH debits return time (60-75 days). (App A Tier 2 Objectives and Procedures H.5 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether the institution duplicates or retains transaction files for input reconstruction for a minimum of 24 hours. Note that NACHA rules require the retention of all entries, including return and adjustment entries, transmitted to and received from the ACH for a period of six years after … (App A Tier 2 Objectives and Procedures L.3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization should retain copies of telephone recordings of payment orders for at least 30 days. (Pg 19, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is neces… (§ 314.4 ¶ 1(c)(6)(i), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • The audit trail documentation shall be retained for at least as long as required for the electronic records being audited and shall be available to be reviewed and copied by the Food and Drug Administration. (§ 11.10(e), 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • The service provider must keep audit records online for at least 90 days. (Column F: AU-11, FedRAMP Baseline Security Controls)
  • The service provider must keep audit records offline for a period in accordance with the National Archives and Records Administration requirements. (Column F: AU-11, FedRAMP Baseline Security Controls)
  • The organization retains audit records for [FedRAMP Assignment: at least one (1) year] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Retains individual training records for [FedRAMP Assignment: five (5) years or 5 years after completion of a specific training program]. (AT-4b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization retains audit records for [FedRAMP Assignment: at least ninety days] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Retains individual training records for [FedRAMP Assignment: at least one year]. (AT-4b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Retains individual training records for [FedRAMP Assignment: at least one year]. (AT-4b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization retains audit records for [FedRAMP Assignment: at least ninety days] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. (SI-12 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Retain individual training records for [FedRAMP Assignment: five (5) years or 5 years after completion of a specific training program]. (AT-4b., FedRAMP Security Controls High Baseline, Version 5)
  • Retain audit records for [FedRAMP Assignment: a time period in compliance with M-21-31] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. (SI-12 Control, FedRAMP Security Controls Low Baseline, Version 5)
  • Retain audit records for [FedRAMP Assignment: a time period in compliance with M-21-31] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, FedRAMP Security Controls Low Baseline, Version 5)
  • Retain individual training records for [FedRAMP Assignment: at least one (1) year or 1 year after completion of a specific training program]. (AT-4b., FedRAMP Security Controls Low Baseline, Version 5)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. (SI-12 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Retain audit records for [FedRAMP Assignment: a time period in compliance with M-21-31] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Retain individual training records for [FedRAMP Assignment: at least one (1) year or 1 year after completion of a specific training program]. (AT-4b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and (PM-21 b., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Ensure that a currently authorized agency, contractors, or sub-contractor retain FTI in accordance with Publication 1075 security standards (1.7.1.2 ¶ 1 Bullet 1, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • As a condition of receiving FTI, the receiving agency must show, to the satisfaction of the IRS, the ability to protect the confidentiality of that information. Certain safeguards must be implemented to prevent unauthorized access and use. Besides written requests, the IRS may require formal agreeme… (1.1 ¶ 2, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • This recordkeeping must include internal requests among agency employees as well as requests outside of the agency. These records are required to track the movement of FTI. The records are to be maintained for a minimum of five (5) years. The Safeguards website contains guidance, job aids, helpful t… (2.A.1 ¶ 2, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Retain individual training records for a period of five (5) years. (AT-4 b., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Retain audit records seven (7) years to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. (AU-11 ¶ 1, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • The initial certification and recertification must be documented and placed in the agency’s files for review and retained for at least five (5) years. (2.D.2.1 ¶ 7, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Inspection reports, including a record of corrective actions, must be retained by the agency for a minimum of five years from the date the inspection was completed. IRS personnel may review these reports during a safeguard review. A summary of the agency’s findings and the actions taken to correct… (2.D.3 ¶ 7, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and operational requirements. (SI-12 ¶ 1, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • All correspondence requiring HOA signature must be in the form of a handwritten (a.k.a. wet) signature or a digital certificate signature. The HOA can delegate individuals to sign these documents on their behalf. To do so, the HOA must provide a delegation of authority for the individual they will assign … (2.E.2 ¶ 2 Bullet 2, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Retention of Records. A credit union must maintain a copy of any SAR that it files and the original or business record equivalent of all supporting documentation to the report for a period of five years from the date of the report. Supporting documentation must be identified and maintained by the cr… (§ 748.1 (c)(3), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Does the Credit Union keep the disposal index permanently? (IT - Compliance Q 5, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the documentation retained for the change process and the approval process? (IT - IDS IPS Q 30, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the documentation of the verification of the custom signatures retained? (IT - IDS IPS Q 31, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Retain individual training records for [Assignment: organization-defined time period]. (AT-4b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. (SI-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Retain individual training records for [Assignment: organization-defined time period]. (AT-4b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. (SI-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Retain individual training records for [Assignment: organization-defined time period]. (AT-4b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. (SI-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Retain individual training records for [Assignment: organization-defined time period]. (AT-4b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. (SI-12 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and (PM-21b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Retain individual training records for [Assignment: organization-defined time period]. (AT-4b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. (SI-12 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and (PM-21b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Retain individual training records for [Assignment: organization-defined time period]. (AT-4b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and (PM-21b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. (SI-12 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The CSP shall comply with its respective records retention policies in accordance with applicable laws, regulations, and policies, including any NARA records retention schedules that may apply. If the CSP opts to retain records in the absence of any mandatory requirements, the CSP SHALL conduct a ri… (4.2.5 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The CSP shall comply with its respective records retention policies in accordance with applicable laws, regulations, and policies, including any NARA records retention schedules that may apply. If the CSP opts to retain records in the absence of any mandatory requirements, the CSP SHALL conduct a ri… (4.3.5 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The CSP shall comply with its respective records retention policies in accordance with applicable laws, regulations, and policies, including any National Archives and Records Administration (NARA) records retention schedules that may apply. If the CSP opts to retain records in the absence of any man… (4.1.5 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • When WLAN components are disposed of, the organization should ensure the audit records for that component are retained according to legal and organizational requirements. (Table 8-6 Item 58, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure paper and digital media are stored according to the highest FIPS 199 security category until they are destroyed or sanitized in accordance with approved procedures; media is stored in a consistent fashion and stored securely at all ti… (MP-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Retains individual training records for [Assignment: organization-defined time period]. (AT-4b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Retains individual training records for [Assignment: organization-defined time period]. (AT-4b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Retains individual training records for [Assignment: organization-defined time period]. (AT-4b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Collect and maintain data needed to meet system cybersecurity reporting. (T0024, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must keep the individual training records for a predetermined period of time. (App F § AT-4.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Collect and maintain data needed to meet system cybersecurity reporting. (T0024, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization retains individual training records for {organizationally documented time period}. (AT-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization retains audit records for {organizationally documented time period consistent with records retention policy} to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization retains individual training records for {organizationally documented time period}. (AT-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization retains audit records for {organizationally documented time period consistent with records retention policy} to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization retains individual training records for {organizationally documented time period}. (AT-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization retains audit records for {organizationally documented time period consistent with records retention policy} to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization retains individual training records for {organizationally documented time period}. (AT-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization retains audit records for {organizationally documented time period consistent with records retention policy} to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Retains individual training records for [Assignment: organization-defined time period]. (AT-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Retains individual training records for [Assignment: organization-defined time period]. (AT-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Retains individual training records for [Assignment: organization-defined time period]. (AT-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Retains individual training records for [Assignment: organization-defined time period]. (AT-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and (AR-8b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ensures that the security attribute associations are made and retained with the information; (AC-16b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service. (SA-12(14) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information]. (SC-28(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Retain individual training records for [Assignment: organization-defined time period]. (AT-4b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information]. (SC-28(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and (PM-21b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Ensure that the attribute associations are made and retained with the information; (AC-16b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. (SI-12 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Retain individual training records for [Assignment: organization-defined time period]. (AT-4b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information]. (SC-28(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and (PM-21b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Ensure that the attribute associations are made and retained with the information; (AC-16b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. (SI-12 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service. (SA-12(14) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Licensees must retain all records and the supporting technical documentation required to satisfy this section's requirements until the license for which the records were developed has been terminated by the Nuclear Regulatory Commission. Superseded portions of records must be retained for at least 3… (§ 73.54(h), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • All documents should contain information on specific retention periods for all data, records, and documents. (§ I.A, App A § IV.A, OMB Circular A-123, Management's Responsibility for Internal Control)
  • Audit documentation must be retained for 7 years. If additional documentation needs to be added after the audit report release date, the additional documentation should indicate the date the information was added, who prepared the additional documentation, and why it was added to the audit report. (¶ 14, PCAOB Auditing Standard No. 3)
  • The practitioner should adopt reasonable procedures to retain attest documentation for a period of time sufficient to meet the needs of his or her practice and to satisfy any applicable legal or regulatory requirements for records retention. (AT 101.104, Public Company Accounting Oversight Board Attestation Standards, Section 101)
  • Documents submitted to the Commission that require a signature should be retained by the filer for 5 years. (§ 240.16a-3(i), 17 CFR Part 240.16a-3, Reporting Transactions and Holdings)
  • Criticality assessment(s); (Table 1: Recordkeeping Baseline Security Measures Cell 2 Bullet 2, Pipeline Security Guidelines)
  • Training records; (Table 1: Recordkeeping Baseline Security Measures Cell 2 Bullet 3, Pipeline Security Guidelines)
  • Corporate Security Plan; (Table 1: Recordkeeping Baseline Security Measures Cell 2 Bullet 1, Pipeline Security Guidelines)
  • Document the methodology used, and retain the criticality assessment until no longer valid; (4.2 ¶ 1 Bullet 2, Pipeline Security Guidelines)
  • Security drill or exercise reports; (Table 1: Recordkeeping Baseline Security Measures Cell 2 Bullet 4, Pipeline Security Guidelines)
  • Incident response plan(s); (Table 1: Recordkeeping Baseline Security Measures Cell 2 Bullet 5, Pipeline Security Guidelines)
  • Security testing and audits. (Table 1: Recordkeeping Baseline Security Measures Cell 2 Bullet 6, Pipeline Security Guidelines)
  • Site-specific measures. (Table 1: Recordkeeping Enhanced Security Measures Cell 2 Bullet 2, Pipeline Security Guidelines)
  • If a covered entity determines that notice is not required under this section, the entity shall document the determination in writing and maintain records concerning the determination for no less than five years. (§ 8-38-5 (f), Code of Alabama Title 8 Chapter 38 Section 8-38-1 thru 8-38-12, Alabama Data Breach Notification Act of 2018)
  • The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the commissioner. (Section 27-62-5(e), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Each insurer domiciled in this state, annually on or before February 15, shall submit to the commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in this chapter. Each insurer shall maintain for examination by the department all records, sched… (Section 27-62-4(i), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Notwithstanding (a) of this section, disclosure is not required if, after an appropriate investigation and after written notification to the attorney general of this state, the covered person determines that there is not a reasonable likelihood that harm to the consumers whose personal information h… (§ 45.48.010 (c), Alaska Statute Title 45 Chapter 48 Article 1 Section 45.48.010 thru 45.48.09, Breach of Security Involving Personal Information)
  • A person or business shall retain a copy of the written determination of a breach of the security of the system and supporting documentation for five (5) years from the date of determination of the breach of the security of the system. (§ 4-110-105 (g)(1), Arkansas Code Annotated Title 4 Subtitle 7 Chapter 110 Section 4-110-105, Disclosure of security breaches)
  • A licensee shall retain the authorization or a copy thereof in the record of the individual who is the subject of nonpublic personal health information. (Regulation 6-4-1 § 19 D., Colorado Code of Regulations, Section 702-6, Consumer Protection (General))
  • Annual Certification to Commissioner of Domiciliary State. Except as provided in subdivision (10) of this subsection, each insurer domiciled in this state shall submit to the Insurance Commissioner a written statement, not later than February fifteenth, annually, certifying that such insurer is in c… (Part VI(c)(9), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Each licensee that is subject to the provisions of this subsection shall maintain records concerning each cybersecurity event for a period of at least five years from the date of such cybersecurity event, and shall produce such records to the Insurance Commissioner upon demand by the commissioner. (Part VI(d)(4), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • as otherwise required under state and federal law; (¶ 4e-70(b)(4)(E), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • Maintain for the Department's examination all records, schedules, and data supporting a certificate under this subsection for a period of 5 years. (§ 8604.(i)(2), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • A licensee shall maintain records concerning a cybersecurity event for a period of at least 5 years from the date of the cybersecurity event and shall produce those records upon the Commissioner's demand. (§ 8605.(d), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • A book service provider, upon the written request of a law-enforcement entity, shall take all necessary steps to preserve records and other evidence in the book service provider's possession of a user's book service information related to the use of a book or part of a book, pending receipt of a req… (§ 1206C(c), Delaware Code, Title 6, Commerce and Trade, Subtitle II, Other Laws Relating to Commerce and Trade, Chapter 12C, Online and Personal Privacy Protection)
  • Notwithstanding paragraph (a), notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in id… (¶ 501.171(4)(c), Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • Notwithstanding paragraph (a), notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in id… (501.171 (4)(c), Florida Statutes, Title XXXIII Chapter 501 Section 171, Security of confidential personal information)
  • Each insurer shall maintain all records, schedules, and data supporting this certificate for a period of five years for examination by the commissioner. (§431:3B-208(b), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the commissioner. (§431:3B-301(d), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Annually, not later than April 15, each insurer domiciled in Indiana shall submit to the commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in sections 16 through 19 of this chapter and this section. Each insurer shall maintain for examinati… (Sec. 20.(c), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • A licensee shall maintain records concerning all cybersecurity events for at least five (5) years after the date of the cybersecurity event. A licensee shall produce these records upon demand of the commissioner. (Sec. 21.(b), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose pe… (715C.2 6., Iowa Code Title XVI Chapter 715C, Personal Information Security Breach Protection)
  • An insurer domiciled in this state shall annually submit to the commissioner on or before April 15 a written certification that the insurer is in compliance with this section. Each insurer shall maintain all records, schedules, documentation, and data supporting the insurer’s certification for fiv… (507F.4 8., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • A licensee shall maintain all records and documentation related to the licensee’s investigation of a cybersecurity event for a minimum of five years from the date of the event, and shall produce the records and documentation upon demand of the commissioner. (507F.6 4., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • If the agency determines that the misuse of personal information has not occurred and is not likely to occur, the agency is not required to give notice, but shall maintain records that reflect the basis for its decision for a retention period set by the State Archives and Records Commission as estab… (61.933 (1)(b) 2., Kentucky Revised Statutes Title VIII Chapter 61 Sections 931 thru 934, Personal Information Security and Breach Investigations)
  • Notification as provided in this Section shall not be required if after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to the residents of this state. The person or business shall retain a copy of the written determination and supporting … (§ 3074. I., Louisiana Revised Statutes Chapter 51, Database Security Breach Notification Law)
  • The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the commissioner. (§2505.D., Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Each insurer shall maintain for examination by the commissioner all records, schedules, and data supporting the certificate for a period of five years. (§2504.I.(2), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Maintenance of records. A licensee shall maintain records concerning a cybersecurity event for a period of at least 5 years from the date of the cybersecurity event and shall produce those records upon demand of the superintendent. (§2265 3., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Annual certification to superintendent. By April 15th annually, an insurance carrier domiciled in this State shall submit to the superintendent a written statement certifying that the insurance carrier is in compliance with the requirements set forth in this section. An insurance carrier shall maint… (§2264 9., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • If after the investigation required under paragraph (1) of this subsection is concluded, the business determines that notification under paragraph (2) of this subsection is not required, the business shall maintain records that reflect its determination for 3 years after the determination is made. (§ 14-3504. (b)(4), Maryland Code Commercial Law Title 14 Subtitle 35 Sections 3504 thru 3507, Security Breach)
  • By February 15 of each year, each insurer domiciled in this state shall submit to the director a written statement, certifying that the insurer is in compliance with the requirements of this section. Each insurer shall maintain for examination by the department all records, schedules, and data suppo… (Sec. 555.(9), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • The licensee shall maintain records concerning all cybersecurity events for at least 5 years from the date of the cybersecurity event and shall produce those records on demand of the director. (Sec. 557.(3), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • Subject to paragraph (b), by April 15 of each year, an insurer domiciled in this state shall certify in writing to the commissioner that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain all records, schedules, and data supporting this certific… (§ 60A.9851 Subdivision 9(a), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Records. The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the commissioner. (§ 60A.9852 Subdivision 4, Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Annually, each insurer domiciled in this state shall submit to the commissioner a written statement by February 15, certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules and d… (§ 83-5-807 (9), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • The licensee shall maintain records concerning all cybersecurity events for a period of at least five (5) years from the date of the cybersecurity event and shall produce those records upon demand of the commissioner. (§ 83-5-809 (4), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Notwithstanding subdivisions (1) and (2) of this subsection, notification is not required if, after an appropriate investigation by the person or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determines that a risk of identity thef… (§ 407.1500. 2.(5), Missouri Revised Statutes Title XXVI Chapter 407 Section 1500, Definitions — notice to consumer for breach of security, procedure — attorney general may bring action for damages)
  • The licensee shall maintain records concerning all cybersecurity events for a period of at least 5 years from the date of the cybersecurity event and shall produce those records upon demand of the commissioner. (§ 420-P:5 IV., New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Annually, each insurer domiciled in this state shall submit to the commissioner, a written statement by March 1, certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules and data… (§ 420-P:4 IX., New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a re… (§ 56:8-163 12.a., New Jersey Statutes Title 56 Chapter 8 Section 163, Disclosure of breach of security to customers)
  • Each Covered Entity shall maintain records required by section 500.06(a)(1) of this Part for not fewer than five years and shall maintain records required by section 500.06(a)(2) of this Part for not fewer than three years. (§ 500.06 Audit Trail (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Each covered entity shall maintain for examination and inspection by the department upon request all records, schedules and other documentation and data supporting the certification or acknowledgment for a period of five years, including the identification of all areas, systems and processes that re… (§ 500.17 Notices to Superintendent (b)(3), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Each covered entity shall maintain records required by paragraph (a)(1) of this section for not fewer than five years and shall maintain records required by paragraph (a)(2) of this section for not fewer than three years. (§ 500.6 Audit Trail (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information,… (§ 899-aa. 2. (a), Consolidated Laws of New York General Business GBS Chapter 20 Article 39-F Section 899-AA, Notification; person without valid authorization has acquired private information)
  • Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information,… (§ 899-AA. 2(a), New York General Business Law Chapter 20, Article 39-F, Section 899-aa, Notification; person without valid authorization has acquired private information)
  • Annually, an insurer domiciled in this state shall submit to the commissioner, a written statement by April fifteenth, certifying the insurer is in compliance with the requirements set forth in this section. An insurer shall maintain for examination by the department all records, schedules, and data… (26.1-02.2-03. 10., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce the records upon demand of the commissioner. (26.1-02.2-04. 4., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • By the fifteenth day of February of each year, unless otherwise permitted to file on the first day of June in division (I)(2) of this section, each insurer domiciled in this state shall submit to the superintendent of insurance a written statement certifying that the insurer is in compliance with th… (Section 3965.02 (I)(1), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the superintendent of insurance. (Section 3965.03 (D), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • A controller shall retain for at least five years all data protection assessments the controller conducts under this section. (Section 8 (6), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Notwithstanding subsection (1) of this section, a covered entity does not need to notify consumers of a breach of security if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the covered entity reasonably determines that the co… (646A.604 (8), Oregon Revised Statutes Volume 16 Title 50 Chapter 646A Section 604, Notice of breach of security; delay; methods of notification; contents of notice; application of notice requirement)
  • Notwithstanding subsection (1) of this section, a person does not need to notify consumers of a breach of security if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the person reasonably determines that the consumers whose pe… (§ 646A.604(7), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • Annually, each insurer domiciled in this State shall submit to the director, a written statement by February fifteenth, certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules, … (SECTION 38-99-20. (I), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and produce those records upon demand of the director. (SECTION 38-99-30. (D), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Following the discovery by or notification to an information holder of a breach of system security an information holder shall disclose in accordance with § 22-40-22 the breach of system security to any resident of this state whose personal or protected information was, or is reasonably believed to… (22-40-20. ¶ 1, South Dakota Codified Laws Chapter 22 Article 40 Sections 19 thru 26, Notice of breach of system security)
  • Notice of breach of system security--Exception. Following the discovery by or notification to an information holder of a breach of system security an information holder shall disclose in accordance with § 22-40-22 the breach of system security to any resident of this state whose personal or protect… (§ 22-40-20 ¶ 1, South Dakota Codified Laws, Title 22 Crimes, Chapter 40 Identity Crimes, Sections §§ 22-40-19 to 22-40-26, Data Breach Notification Law)
  • Each insurer domiciled in this state shall submit to the commissioner by April 15 of each year written certification that the insurer is in compliance with this section. Each insurer shall maintain for examination by the department all records, schedules, and data supporting the certification for a … (§ 56-2-1004 (9)(A), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • The licensee shall maintain records concerning all cybersecurity events for a period of at least five (5) years from the date of discovery of the cybersecurity event and shall provide those records to the commissioner upon request. (§ 56-2-1005 (d), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • If the licensee conducts an investigation or review of a potential or suspected cybersecurity event and determines that an event is not a cybersecurity event, then the licensee must reduce that determination to writing and maintain that writing for a period of at least five (5) years from the date o… (§ 56-2-1005 (e), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, TX-RAMP Security Controls Baseline Level 1)
  • Retains individual training records for [TX-RAMP Assignment: At least one year]. (AT-4b., TX-RAMP Security Controls Baseline Level 1)
  • The organization retains audit records for [TX-RAMP Assignment: at least ninety days] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, TX-RAMP Security Controls Baseline Level 1)
  • The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. (SI-12 Control, TX-RAMP Security Controls Baseline Level 2)
  • Retains individual training records for [TX-RAMP Assignment: At least one year]. (AT-4b., TX-RAMP Security Controls Baseline Level 2)
  • The organization retains audit records for [TX-RAMP Assignment: at least ninety days] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. (AU-11 Control, TX-RAMP Security Controls Baseline Level 2)
  • accurately reflects the health record after it was first generated and in its final form as an electronic health record or otherwise; and (§ 164(a)(1), US Virgin Islands Bill No. 29-0036, Electronic Medical Records Act)
  • Each licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the Commissioner. (§ 38.2-624.D., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • Beginning in 2023 and annually thereafter, each insurer domiciled in the Commonwealth shall, by February 15, submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in this section, any rules adopted pursuant to this article, and an… (§ 38.2-623.H., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • Annual certification to commissioner. Beginning in 2023, a licensee who is domiciled in this state shall annually submit, no later than March 1, to the commissioner a written certification that the licensee is in compliance with the requirements of this section. The licensee shall maintain all recor… (§ 601.952(8), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)
  • The licensee shall maintain records concerning a cybersecurity event for a period of at least 5 years starting from the date of the cybersecurity event and shall produce the records upon demand of the commissioner. (§ 601.953(3), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)
  • The agency or institution shall maintain the record with the education records of the student as long as the records are maintained. (§ 99.32(a)(2), 34 CFR Part 99, Family Educational Rights and Privacy)
  • compliance with a legal or regulatory obligation by the controller; (Art. 16.I, Brazilian Law No. 13709, of August 14, 2018)
  • study by a research entity, ensuring, whenever possible, the anonymization of the personal data; (Art. 16.II, Brazilian Law No. 13709, of August 14, 2018)