Retention & Destruction Policy
Version: 2.0
Valid until: 2025-04-12
Classification: Low
Version Management
Version | Author(s) | Change(s) | Date approved |
1.0 | Stefan van Aalst, Edward Robinson | Initiation document | 2022-06-08 |
1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Additions to reflect MDM and remote wiping. Formatting. | 2023-10-06 |
2.0 | Edward Robinson | Additions/changes as part of the annual review. Updated Workspace deletion flow. Added Workspace archival retention period. Added wiping of anDREa-managed devices. | |
Purpose & Background
In the interest of all the stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe the retention and destruction policy of anDREa and the associated controls, checks and administrations.
This document will be reviewed at least annually and whenever a significant change occurs.
Objective
The objective is:
- To clearly describe the retention and destruction of anDREa-related work.
Retention & Destruction policy
anDREa encourages its employees, seconded personnel, and contractors to work in the anDREa Google Workspace for office tasks or myDRE Workspace/Azure Portal/Dev Ops for myDRE-related work. Retention of the different data:
- General Corporate Records including but not limited to minutes, accounting, finance and tax records:
  - Permanently unless obsolete and no legal retention period is applicable.
- myDRE interaction logs of, but not limited to, users, (C)ST and technical support:
  - Logging for forensic purposes (available on special request):
    - 2 years hot, at least 7 years cool or archived
  - Logging for workspace members (available to users):
    - 90 days
- myDRE user accounts:
  - Until requested to be deleted from the AAD.
- Workspace-related data, see below Microsoft Azure Related, this includes:
  - Deleted content from OS-disks:
    - Policies set on the VM and user.
  - VM deletion:
    - Data stored on the VM is deleted instantly when the VM is deleted, and is unrecoverable.
  - Data deletion from a storage account (the fileshare/Z-drive):
    - By default there is a 30-day rolling 24h snapshot.
    - Data will become unrecoverable after 30 days.
  - Storage account deletion:
    - The storage account is protected against "accidental" deletion (resource lock).
    - There is a possibility of recovering the data within 14 days:
      - However, Microsoft cannot guarantee that it will succeed.
  - Workspace deletion (unrecoverable):
    - Workspaces can be deleted by the local Research Support team after the proper checks.
  - Workspace archival:
    - Data retention is 15 years by default and can be changed upon request of Research Support.
- anDREa organizational accounts (Google Workspace) and devices:
  - Until no longer part of anDREa organization according to A.7 Human Resource Security.
  - Devices owned by anDREa will be remotely wiped clean when the device changes custodian, is decommissioned, or is lost.
- Once a task/ticket is completed and the data is no longer needed, all relevant data must be moved to an anDREa-managed environment and deleted beyond recovery from any non-anDREa-managed environments such as but not limited to laptops, non-anDREa SharePoints, Teams and Google Drive.
- Upon leaving anDREa B.V., all relevant data must be handed over and deleted beyond recovery from any non-anDREa-managed environments such as but not limited to laptops, non-anDREa SharePoints, Teams and Google Drive.
Bear in mind:
- When data is deleted on a storage account, it remains available for 30 days in the form of a snapshot unless the storage account itself is deleted.