Data Retention Policy

A data retention policy defines how long different categories of data must be kept before they can be securely deleted. Retention requirements come from regulatory mandates such as HIPAA (six years for certain records) and SEC rules (seven years for financial records), as well as from legal holds and business needs.

Keeping data longer than necessary increases both storage costs and breach exposure. Organizations that delete data on schedule reduce both their attack surface and their regulatory risk.

CISSP Relevance

Data retention is covered in Domain 2 (Asset Security) under data lifecycle management. CISSP candidates must understand how retention schedules balance legal requirements against security risk and how secure data destruction fits into the process.

External reference: HHS HIPAA Record Retention Requirements

Related terms: Data Classification, Compliance