Security and Compliance
Powered By GitBook
DM.7.03 - Data Retention and Disposal Policy

Control Statement

A record retention policy and schedule define data retention and disposal practices to ensure data is properly stored and erased when no longer needed.


Securely disposing of both electronic and physical media adds a layer of protection from the data being disposed by unauthorized persons. There are several effective, publicly available tools and techniques to recover data from electronic and physical media, including hard drives and shredded paper. This control aims to reduce the risk of data being recovered by unauthorized persons and shows customers, IllumiDesk team-members, and partners we take measures to protect their data even after it's done being used.


This control applies to Red and Orange data as defined in the Data Classification Policy


    Control Owner: IT Ops
    Process owner(s):
      IT Ops: 100%


Certificates or logs of erasure should be maintained in accordance with the Record Retention Policy

Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Data Retention and Disposal Policy issue.
Examples of evidence an auditor might request to satisfy this control:
    Record Retention Policy
    Record Retention Schedule
    Certificate(s) or log(s) of disposal
    Records indicating media is disposed of when appropriate

Framework Mapping

    SOC2 CC
Last modified 1yr ago