Page 332 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Most hardware is on a refresh cycle, where it is replaced every three to
five years. Hardware retention primarily refers to retaining it until it
has been properly sanitized.
Personnel retention in this context refers to the knowledge that
personnel gain while employed by an organization. It’s common for
organizations to include nondisclosure agreements (NDAs) when
hiring new personnel. These NDAs prohibit employees from sharing
proprietary data with others after they leave the job.
Retention Policies Can Reduce Liabilities
Saving data longer than necessary also presents unnecessary legal
issues. As an example, aircraft manufacturer Boeing was once the
target of a class action lawsuit. Attorneys for the claimants learned
that Boeing had a warehouse filled with 14,000 email backup tapes
and demanded the relevant tapes. Not all of the tapes were relevant
to the lawsuit, but Boeing had to first restore the 14,000 tapes and
examine the content before they could turn them over. Boeing
ended up settling the lawsuit for $92.5 million, and analysts
speculated that there would have been a different outcome if those
14,000 tapes hadn’t existed.
The Boeing case is an extreme example, but it’s not the only
one. These events have prompted many companies to implement
aggressive email retention policies. It is not uncommon for an
email policy to require the deletion of all emails older than six
months. These policies are often implemented using automated
tools that search for old emails and delete them without any user
or administrator intervention.
A company cannot legally delete potential evidence after a lawsuit
is filed. However, if a retention policy dictates deleting data after a
specific amount of time, it is legal to delete this data before any
lawsuits have been filed. Not only does this practice prevent
wasting resources to store unneeded data, it also provides an
added layer of legal protection against wasting resources by

