Data Retention

The purpose of this policy is to ensure the City has procedures in place to retain and archive documents according to a wide variety of requirements.

Deletion or modification of computer files and/or data without prior consent of the owner or authorized party shall be prohibited.
The City will maintain a data retention policy, disposition authority, and retention schedule.
Personnel must ensure retention policies are consistently adhered to while working with all related types of media.

The organization should define and implement procedures for data storage and archival, so data remain accessible and usable. The procedures should consider retrieval requirements, cost-effectiveness, continued integrity and security requirements. Establish storage and retention arrangements to satisfy legal, regulatory and business requirements for documents, data, archives, programs, reports and messages (incoming and outgoing) as well as the data (keys, certificates) used for their encryption and authentication. DS11.2, CobiT 4.1
The organization should create a policy for retaining records associated with an audit or review for 7 years. Any documents that are created, sent, or received and contain opinions, financial data, or conclusions about the audit or review should be included in the policy. § 210.2-06(a)(1), § 210.2-06(a)(2), Retention of Audit and Review Records, SEC 17 CFR 210.2-06