S6 retention schedules
Download
1 / 14

S6 Retention Schedules - PowerPoint PPT Presentation


  • 77 Views
  • Uploaded on

S6 Retention Schedules. State Agencies’ Records Retention Schedule S6: Information Systems Records. State of CT Schedules. S1 - Administrative Records (rev. 1/2010) S2 - Personnel Records (rev. 1/2010) S3 - Fiscal Records (rev. 1/2010) S4 - Health Records (rev. 11/2010) NEW

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' S6 Retention Schedules' - nova


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
S6 retention schedules
S6 Retention Schedules

State Agencies’ Records Retention Schedule

S6: Information Systems Records


State of ct schedules
State of CT Schedules

  • S1 - Administrative Records (rev. 1/2010)

  • S2 - Personnel Records (rev. 1/2010)

  • S3 - Fiscal Records (rev. 1/2010)

  • S4 - Health Records (rev. 11/2010) NEW

    • Records Retention Policy for Hospital Closures, Mergers, and Consolidations

  • S5 - Higher Education Records (rev. 1/2010)

  • S6 - Electronic Data Processing Records

    • Now ‘Information Systems Records”

  • S7 - Full-Time Post Secondary Programs in Vocational-Technical School Systems

  • S8 - Correctional Facilities Records

  • S9 - Libraries, Archives and Museums (under development)

  • S10 - Public Safety and Emergency Services Records NEW


S6 information systems records
S6: Information Systems Records

The S6 Records Retention Schedule defines the record types and the retention requirements for records that are commonly generated during evaluation, implementation, management and use of an Information System.

Examples:

Systems Logs, Source Code, Support Records


S6 review committee
S6 Review Committee

Representatives from several State Agencies convened to review the original S6: Data Processing Records retention schedule that was last revised in 1999.

The original schedule was quickly discarded and a new one was created based on current technology and terminology.


S6 general intent
S6: General Intent

  • Defines the minimum length of time the agency/department must maintain the record.

    • These are NOT requirements to “generate” a specific record type – If you don’t generate the record, there is no requirement to maintain it.

    • Generation of the record is based on operating procedures, policies and department functions


S6 disposition
S6: Disposition

Documentation of disposal of log data occurs in two ways:

  • Certificate of Compliance

  • RC-108


Certificate of compliance
Certificate of Compliance

  • Certifies that the department will meet the retention and disposition requirements established by the Office of the Public Records Administrator in State Agencies’ Records Retention/Disposition Schedule S6: Information Systems Records.

  • Allows the agency/department to destroy certain types of records automatically (without an RC-108) so long as the destruction is in accordance with the minimum retention

    • Information Systems Backup Recovery Media

    • Information Systems Data or Database Dictionary Documentation

    • Information Systems Usage Records

    • And many others!


Certificate of compliance1
Certificate of Compliance

  • Compliance with the S6: Information System Records Retention Schedule would be unmanageable without the Certificate Completed Annually

  • Signed certificate must be maintained for 1 year after expiration

  • Must be submitted by June 30th .

  • Download your Certificate of Compliance from

    http://www.cslib.org/publicrecords/opraforms.htm


Rc 108
RC-108

  • Without a Certificate of Compliance, the department must complete an RC-108 to dispose of records. Examples include:

    • For deleting system logs

    • When making modifications to operating procedures

    • Before overwriting backups

    • Download the RC-108 form from here: http://www.cslib.org/publicrecords/opraforms.htm


S6 series 10 administratively valuable
S6,Series 10: Administratively Valuable

  • “Until no longer administratively valuable.”

    • It is recommended that each agency documents how long individual usage records are maintained pursuant to defined administrative value.

  • The same log types on multiple systems may have different values to an organization based on the use or users of a system, application, device, etc.


Iso retention schedule
ISO Retention Schedule

  • Regulations, laws, and business requirements supersede minimum retention requirements.

    • Example – A regulation requires system logs to be maintained for 6 months, but the retention schedule only requires 3 weeks. – Maintain the information for 6 months.

  • Information Security Office examples


Splunk
Splunk

  • The Information Security Office is managing most series 10 related log retention schedules through Splunk.

  • Each index has a custom retention schedule, currently:

    • 1 Week

    • 1 Month

    • 3 Months

    • 4 Months

    • 6 Months

    • 12 Months

    • 18 Months

    • 6 Years (default, if not otherwise configured)

  • Data is automatically purged when it reaches the defined expiration


Splunk1
Splunk

  • Additional custom indexes can be created.

  • Agent install is fast and virtually effortless for basic log types.

  • Supports specialized application and database log files.

  • Log harvesting, parsing and alerting tools.

  • Robust searching and analysis features.

  • Role Based Access Control.


In closing
In Closing

  • S6 has been updated, is clearer, more useable

  • Only logs that are collected apply

  • Certificate of Compliance or RC-108 required for disposal

  • ‘administratively useful’ needs to be documented

  • Splunk is available to any department collecting records

  • Contact the security office for more information.

  • S6 documentation/tools on security.uconn.edu


ad