BOL Conferences
#380573 - 07/05/05 02:38 PM Retention Period for Incident Response Policy
YosemiteSamIAm Offline
Power Poster
Joined: Jan 2004
Posts: 2,795
Guess
GLBA is unclear on retention. What do you have in your policy? Thanks!
_________________________
Sorry, did I just use my outside voice?

Security - PUBLIC
#380574 - 07/10/05 10:52 PM Re: Retention Period for Incident Response Policy
Susan Silberisen Offline
Junior Member
Joined: Apr 2005
Posts: 31
Arizona
GLBA proposes developing a "defensible" information security posture. As CISO of a National Bank, our policy was to retain a copy of the incident security record and associated forensics files (logs, etc.) for a period of 7 years. However, if the incident was large, created a potential for large reputational risk, could potentially resurface in the future, etc., the policy was to keep the record and associated documentation in perpetuity. Obviously, most banks have none of the last type of record (unless you are very, very large and an obvious target), which makes it reasonable to establish that type of "defensible" policy.
_________________________
We help banks solve compliance challenges inexpensively. www.appliedintent.com


Moderator:  Andy_Z