3.4 Enforce Data Retention

Implementation Groups: IG1, IG2, IG3

Control Group: 3. Data Protection
Asset Type: Data
Security Function: Protect

Description

Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Draft policy/procedure document
7. Obtain stakeholder review and approval
8. Communicate to affected personnel
9. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Stale Data Targeted in Breach

Confidentiality

Data retained beyond its useful life provides attackers with a larger trove of sensitive information during a breach, including historical records that should have been purged.

Litigation Risk from Over-Retention

Confidentiality

Data retained beyond legal hold or regulatory requirements becomes a liability, subject to discovery in legal proceedings where the organization would prefer the data had been disposed.

Vulnerabilities (When Safeguard Absent)

No Defined Data Retention Timelines

Without minimum and maximum retention periods, data accumulates indefinitely, expanding the attack surface and increasing regulatory exposure.

No Automated Enforcement of Retention Policies

Without enforced retention schedules, data deletion depends on individual judgment, leading to inconsistent practices and perpetual data hoarding.
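The automated enforcement this vulnerability calls for can be modelled as a schedule check that applies both the minimum and the maximum timeline the control requires. The Python below is an added illustration, not part of the CIS control text or any CIS tooling; the data classes, retention periods and dates are constructed placeholders, and it assumes that a legal hold (as in the scenario above) suspends disposal until released.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule (placeholder values, not from any regulation):
# data class -> (minimum retention in days, maximum retention in days).
# A record must not be deleted before the minimum and must not outlive the maximum.
RETENTION_SCHEDULE = {
    "financial_record": (7 * 365, 10 * 365),
    "access_log": (90, 365),
    "marketing_contact": (0, 730),
}


@dataclass
class Record:
    record_id: str
    data_class: str
    created: date
    legal_hold: bool = False  # set by legal/compliance; suspends disposal


def evaluate(record: Record, today: date) -> str:
    """Classify one record against its retention window.

    Returns one of:
      'unclassified' - no schedule exists, so the record cannot be governed yet
      'hold'         - legal hold in force; disposal is suspended regardless of age
      'retain'       - younger than the minimum; deletion requests must be refused
      'eligible'     - between minimum and maximum; may be disposed per the process
      'dispose'      - at or past the maximum; disposal is overdue
    """
    schedule = RETENTION_SCHEDULE.get(record.data_class)
    if schedule is None:
        return "unclassified"
    min_days, max_days = schedule
    if record.legal_hold:
        return "hold"
    age_days = (today - record.created).days
    if age_days < min_days:
        return "retain"
    if age_days >= max_days:
        return "dispose"
    return "eligible"


def enforcement_report(records: list[Record], today: date) -> dict[str, list[str]]:
    """Group record ids by required action, ready to feed a disposal job or audit evidence."""
    report: dict[str, list[str]] = {}
    for record in records:
        report.setdefault(evaluate(record, today), []).append(record.record_id)
    return report
```

Running the report on a schedule and archiving its output also produces the "captured quarterly" technical evidence listed below, since it records which items were overdue and which were protected by a hold.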

Evidence Requirements

Type      | Evidence Item                                                            | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document  | Procedure documentation for protection measures                          | Reviewed annually
Document  | Governing policy document (current, approved, communicated)              | Reviewed annually