Records Retention & Disposal

Purpose

This Bramble records retention and disposal standard lists the specific retention and secure disposal requirements for critical Bramble records. These requirements inform design and maintenance decisions for all Bramble systems.

Scope

The retention and secure disposal requirements below apply to all Bramble records enumerated in the Retention & Disposal Requirements table.

Roles & Responsibilities

| Role | Responsibility |
| --- | --- |
| Security Team | Responsible for reviewing and maintaining this controlled document. |
| Security Officer | Responsible for approving changes to this controlled document. |
| Control Owners | Responsible for defining and implementing procedures to support the below requirements. |

Retention & Disposal Requirements

| Record | Retention Requirement | Disposal Requirement |
| --- | --- | --- |
| Business continuity plan approvals | 3 years | [GCP Secure Deletion] |
| Business continuity test results | 3 years | [GCP Secure Deletion] |
| Production backup tests | 1 year | [GCP Secure Deletion] |
| Production changes | 3 years | [GCP Secure Deletion] |
| Security policy review/approvals | 3 years | [GCP Secure Deletion] |
| Terms of service acceptance | As long as user is active | [GCP Secure Deletion] |
| Access request/change records | 1 year | [GCP Secure Deletion] |
| Team-member offboarding issues | 1 year | [GCP Secure Deletion] |
| System access reviews | 1 year 3 months | [GCP Secure Deletion] |
| Shared and group authentication reviews | 1 year 3 months | [GCP Secure Deletion] |
| Production audit logs | 1 year | [GCP Secure Deletion] |
| GCP firewall configuration artifacts | 1 year | [GCP Secure Deletion] |
| Job roles and responsibilities | 1 year | [GCP Secure Deletion] |
| Security incident communication to customers | 3 years | [GCP Secure Deletion] |
| Background check results | 6 years | [GCP Secure Deletion] |
| 1:1 meeting notes | 6 years | [GCP Secure Deletion] |
| On-boarding tickets | 1 year | [GCP Secure Deletion] |
| Annual risk assessment report | 2 years | [GCP Secure Deletion] |
| Risk treatment plans | 1 year | [GCP Secure Deletion] |
| Security observation issues | 1 year | [GCP Secure Deletion] |
| Board of Directors meeting minutes | Indefinite | N/A |
| Release notes | 1 year | [GCP Secure Deletion] |
| Critical system activity logs | 60 days | [AWS Secure Deletion] |
| Security monitoring alerts/metrics | 3 years | [AWS Secure Deletion] |
| Vendor security review issues | 3 years | [GCP Secure Deletion] |
| Customer-signed MSAs | Indefinite | N/A |
| Vendor NDAs | Indefinite | N/A |
| Annual security awareness training records | 3 years | [GCP Secure Deletion] |
| Code of conduct review records | 3 years | [GCP Secure Deletion] |
| Secure coding training records | 2 years | [GCP Secure Deletion] |
| Penetration testing reports and remediation issues | 2 years | [GCP Secure Deletion] |
| System patch records | 1 year | [AWS Secure Deletion] |
| Source code scanning results | 1 year | [GCP Secure Deletion] |
| Intercom tickets | 1 year | [GCP Secure Deletion] |
| Nonpublic information review records | 3 years | [GCP Secure Deletion] |
| Role-based security training records | 3 years | [GCP Secure Deletion] |
| Audit log review records | 3 years | [GCP Secure Deletion] |
| Security assessment reports/observation | 3 years | [GCP Secure Deletion] |
| Security configuration reviews/alerts | 3 years | [GCP Secure Deletion] |
| Security authorization records | 3 years | [GCP Secure Deletion] |
| System connection requirements | 3 years | [GCP Secure Deletion] |
| Configuration change records | 3 years | [AWS Secure Deletion] |
| Security impact analysis records | 3 years | [GCP Secure Deletion] |
| Production asset inventory | 3 years | [GCP Secure Deletion] |
| BC training records | 3 years | [GCP Secure Deletion] |
| Production backups | Organizationally-defined or 90 days | [AWS Secure Deletion] |
| Customer data backups | Organizationally-defined or 90 days | [AWS Secure Deletion] |

Exceptions

Exceptions to these requirements will be tracked as per the Information Security Policy Exception Management Process.

References