Data Retention and Destruction: Project Boundary Fence
Policy 6.5 | |
---|---|
Approved by: | President |
Responsible Officer: | Director of Digital Forensics Services |
Responsible Office: | Research & Economic Development |
Originally Issued: | 10/23/2023 |
Last Revision: | New |
Category: | Research, Sponsored Programs, and Intellectual Properties |
I. REASON FOR THIS POLICY
The purpose of this policy is to define the activities associated with the provision of data retention and destruction plans and programs that protect the data collected by Dakota State University, DigForCE Lab - Project Boundary Fence, herein referred to as Project Boundary Fence. Additional policies governing data management activities will be addressed separately.
The scope of this data retention and destruction policy is all assessment data collected during assessments conducted by Project Boundary Fence. The policy is applicable to all Project Boundary Fence employees, contractors, and other authorized third-party organizations.
II. DEFINITIONS
- DigForCE Lab. The Digital Forensics for Cyber Enforcement Lab is a free resource for law enforcement agencies in South Dakota. The lab provides forensic expertise by conducting analysis on a variety of digital devices submitted by law enforcement, conducts open-source intelligence investigations for the S.D. Division of Consumer Protection, and trains law enforcement in proper preservation of digital evidence, digital forensics, and open-source intelligence.
- Project Boundary Fence. A free resource for South Dakota county and city governments provided by South Dakota Consumer Protection. Project Boundary Fence helps to secure county and city networks from cyber-attacks through penetration testing on technology infrastructures.
III. STATEMENT OF POLICY
- Compliance Responsibilities.
- The DigForCE Director shall manage data retention and destruction policy compliance with support from Dakota State University department leadership and subject matter experts. The Director shall develop, execute, and periodically test data retention and destruction procedures.
- To achieve compliance, data retention and destruction programs shall include appropriate procedures, and identify staffing and technology resources to meet compliance requirements. Project Boundary Fence employees or other appropriate entities shall routinely perform compliance verification (especially for data destruction).
- Project Boundary Fence shall comply with appropriate industry standards for data retention and destruction in its activities.
- Data Retention and Destruction Plan.
- Project Boundary Fence team members shall develop a comprehensive data retention and destruction plan in accordance with good data management practices as defined by established standards. The plan shall address, but is not limited to, the following components:
- Electronic data stored on electronic media such as CDs, hard disk drives, solid state disk drives, and other appropriate media.
- Data stored on non-electronic media (e.g., paper files).
- Storage requirements and associated metrics (e.g., length of storage, type of storage media) for electronic and non-electronic information.
- Parameters for destruction of electronic data (e.g., overwriting, reformatting, degaussing, firmware-based erasure, physical data media destruction), non-electronic data (e.g., shredding of hard copy), and systems and components (e.g., third-party destruction services).
- Periodic review and testing of the plan in a suitable environment to ensure that data, databases, media, systems, and other relevant elements can be retained or destroyed, and that Project Boundary Fence management and employees understand how the plans are to be executed as well as their roles and responsibilities.
- Project Boundary Fence employees shall implement data retention and destruction plans as appropriate their own roles.
- Project Boundary Fence shall keep data retention and destruction plans and other documents up-to-date.
- Project Boundary Fence team members shall develop a comprehensive data retention and destruction plan in accordance with good data management practices as defined by established standards. The plan shall address, but is not limited to, the following components:
- Data Retention and Destruction Specifications. Data retention and destruction technical requirements:
- Reports. Unless explicitly requested otherwise, Project Boundary Fence shall store client final reports indefinitely.
- Data Storage. Project Boundary Fence shall delete all client assessment data obtained during an engagement 90 days after the delivery of the final client report.
Exclusions
None
Exceptions
A client may request a shorter time period for data storage.
IV. PROCEDURES (MAJOR)
- Data/System Retention Procedures. The Project Boundary Fence team leadership shall store final client reports.
- Data/System Destruction Procedures.
- Before the device leaves the client's network, all information collected is zipped and uploaded to our internal storage system.
- Once the data is in Project Boundary Fence internal storage, it is then marked for deletion. This process is automated to adhere to the data retention policy.
- When the date of expiration is reached for the data, the system will automatically remove all records that pertain to the client.
V. RELATED DOCUMENTS, FORMS AND TOOLS
None
VI.POLICY HISTORY
Adopted: 10/23/2023