
Deep Dive - Data Retention/Deletion

Implement the Data Retention/Deletion control and satisfy its linked evidence items

Written by Stephanie Lorraine
Updated over a year ago

What is the Data Retention/Deletion control?

Strike Graph's default control language states, "Procedures are in place to remove data from production based on retention schedules, contract requirements, and deletion rules that are applied to specific forms of data; disposals are tracked; a data disposal process is in place. These procedures are reviewed, updated, and approved as needed."

This language should be customized to reflect the specific process that your organization has defined. For example, if your procedures are based on a different set of parameters or if your procedures are reviewed at a different frequency, then you should update the control language to reflect that. It's important that your stated control description accurately reflects how your organization implements this control.

What does data retention/deletion mean?

Data retention/deletion addresses what happens to data after it has been used. Data retention/deletion documentation standardizes and dictates how long data is stored, when it is disposed of, and how it is disposed of. These periods are defined in your Data Retention Policy (sometimes referred to as a Record Retention Schedule).

How does data retention/deletion relate to SOC 2?

The SOC 2 Security criteria (SOC2:2017.CC.6.5) stipulate that an organization must “identify data and software for disposal” and “remove data and software from entity control.” However, this criterion does not impose strict time requirements regarding when data must be disposed of or destroyed. Those periods are up to each organization to define for themselves.

When thinking about data retention/deletion from a SOC 2 perspective, consider how your organization handles your clients’/customers’ data. Ask yourselves: how do we handle customer data in the event that a customer terminates their contract with us?

What kind of audit evidence should I provide?

When it comes time for your organization’s audit, the audit team will reference your organization’s policies (which state when data should be disposed, what type of data should be disposed, and how data is disposed).

For a Type 1 audit, you can simply provide evidence from the most recent data disposal event; this may be a ticket from your ticketing tool, like Jira. If you have not yet performed a data disposal, an attestation of non-occurrence can be provided.

For a Type 2 audit, the auditors will reference the Terminated Customer List to ensure that data was properly disposed of for each terminated customer. The auditors will check the retention period for customer data stated in your Data Retention Policy, and they will cross-reference that with the terminated customer list and the data disposal list you provide to ensure that a disposal actually occurred when the retention period for a given terminated customer's data expired.

The Data Disposal List is simply a system-generated listing of all data disposals that occurred during your organization’s monitoring period. The Parameters evidence item showcases the filters that were used to create the listing. More information regarding Populations (Lists) and Parameters can be found here.

In the event that no customers were terminated during your organization’s monitoring period (and, therefore, no data disposals are required), an attestation of non-occurrence can be provided.
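The cross-reference the auditors perform above is easy to run against your own lists before the audit. The following is an added example written for this article, not Strike Graph's code or part of its templates. It assumes a hypothetical 90-day retention period for customer data after termination and a 30-day window in which the disposal must be completed once that period expires; the monitoring period, customer ids, dates and ticket numbers are constructed. It flags terminated customers with no tracked disposal, disposals that happened late or before the retention period ended, and reports whether an attestation of non-occurrence applies because nobody was terminated.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy parameters (hypothetical, not from the article): 90-day retention
# of customer data after termination, then 30 days to complete the disposal.
RETENTION_DAYS = 90
GRACE_DAYS = 30

# Constructed monitoring period for the Type 2 report.
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 12, 31)


@dataclass(frozen=True)
class TerminatedCustomer:
    """One row of the Terminated Customer List."""
    customer_id: str
    terminated_on: date


@dataclass(frozen=True)
class DisposalRecord:
    """One row of the Data Disposal List (the tracked evidence of a disposal)."""
    customer_id: str
    disposed_on: date
    method: str   # destruction method used, e.g. "secure_deletion_db"
    ticket: str   # ticket or tracking-sheet reference handed to the auditors


@dataclass(frozen=True)
class Finding:
    customer_id: str
    due_on: date
    status: str   # "ok", "early", "late", "missing" or "not_yet_due"
    disposed_on: Optional[date] = None
    ticket: Optional[str] = None


def retention_expiry(terminated_on: date) -> date:
    """Date on which the retention period for a terminated customer's data expires."""
    return terminated_on + timedelta(days=RETENTION_DAYS)


def reconcile(terminated: List[TerminatedCustomer],
              disposals: List[DisposalRecord],
              as_of: date = PERIOD_END) -> List[Finding]:
    """Cross-reference the two lists the way the auditors do and classify each customer."""
    by_customer: Dict[str, List[DisposalRecord]] = {}
    for rec in disposals:
        by_customer.setdefault(rec.customer_id, []).append(rec)

    findings: List[Finding] = []
    for cust in terminated:
        due = retention_expiry(cust.terminated_on)
        # Only disposals logged on or after the termination can satisfy it.
        candidates = [r for r in by_customer.get(cust.customer_id, [])
                      if r.disposed_on >= cust.terminated_on]
        if not candidates:
            status = "not_yet_due" if due > as_of else "missing"
            findings.append(Finding(cust.customer_id, due, status))
            continue
        first = min(candidates, key=lambda r: r.disposed_on)
        if first.disposed_on < due:
            status = "early"   # disposed before the policy period ended; review the ticket
        elif first.disposed_on <= due + timedelta(days=GRACE_DAYS):
            status = "ok"
        else:
            status = "late"
        findings.append(Finding(cust.customer_id, due, status, first.disposed_on, first.ticket))
    return findings


def summarize(terminated: List[TerminatedCustomer], findings: List[Finding]) -> Dict[str, object]:
    """Counts per status, the exception list, and whether non-occurrence applies."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return {
        "counts": counts,
        "exceptions": sorted(f.customer_id for f in findings
                             if f.status in ("missing", "late", "early")),
        "attestation_of_non_occurrence": len(terminated) == 0,
    }


# Constructed sample lists; ids, dates and ticket numbers are made up.
TERMINATED = [
    TerminatedCustomer("cust-001", date(2024, 2, 1)),
    TerminatedCustomer("cust-002", date(2024, 3, 15)),
    TerminatedCustomer("cust-003", date(2024, 4, 10)),
    TerminatedCustomer("cust-004", date(2024, 11, 20)),
    TerminatedCustomer("cust-005", date(2024, 5, 1)),
]
DISPOSALS = [
    DisposalRecord("cust-001", date(2024, 5, 3), "secure_deletion_db", "OPS-1041"),
    DisposalRecord("cust-003", date(2024, 9, 20), "secure_deletion_db", "OPS-1187"),
    DisposalRecord("cust-005", date(2024, 6, 1), "logical_deletion", "OPS-1102"),
]

if __name__ == "__main__":
    results = reconcile(TERMINATED, DISPOSALS)
    for f in results:
        print(f"{f.customer_id}: due {f.due_on}, {f.status}, ticket={f.ticket}")
    print(summarize(TERMINATED, results))
```

Run it against exports of your real Terminated Customer List and Data Disposal List (with the retention period copied from your own policy) and every customer in the "exceptions" list is one the auditors will ask about; a customer whose expiry falls after the end of the monitoring period is reported as "not_yet_due" rather than as an exception.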

Also, note that all data retention/deletion schedules can be revised to best fit your organization’s internal practices. Your team can and should update data disposal cadences within the Strike Graph templates as you wish.

Methods of data destruction

If your organization is not familiar with data destruction, the following list should provide you with helpful insight:

  • Physical Destruction: Shredding documents or destroying storage media (e.g., hard drives) using approved methods.

  • Secure Erasure: Overwriting electronic data multiple times to prevent recovery.

  • Data Wiping: Using specific commands to securely erase data from storage devices.

  • Secure Deletion in Databases: Overwriting or encrypting data before deletion in databases.

  • Data Disposal Services: Engaging third-party services specialized in secure destruction.

  • Logical Deletion: Removing access privileges, encrypting, or obfuscating data to render it unreadable.

Whichever method you use, be sure that the disposal is tracked via a ticketing system or tracking sheet so that evidence of the disposal can be provided to the auditors.
