CYBERINFO
Organizational Control 5.33 (ISO/IEC 27001:2022 Annex A)

Protection of Records

Summary

Records should be protected from loss, destruction, falsification, unauthorized access, and unauthorized release, in accordance with legislative, regulatory, contractual, and business requirements. The aim is to preserve the authenticity, integrity, and availability of essential records for as long as the organization is obliged to keep them, and to dispose of them reliably once that period ends.

Applicability

In-Scope: Critical for meeting legal retention requirements (for example tax law, employment records, and regulatory filings) and for demonstrating compliance during audits, litigation, or regulatory investigations, where the organization must show that a record is complete and has not been altered.

Out-of-Scope: Never out-of-scope. Every organization holds at least some records subject to a legal, regulatory, or contractual retention obligation.

Implementation Guidance

Microsoft 365 / Entra ID

  • Retention Policies and Labels: Use Microsoft Purview Data Lifecycle Management to create retention policies for whole locations (SharePoint sites, mailboxes, Teams) and retention labels for individual items. A retain-then-delete setting keeps the record for the required period (e.g., 7 years from creation), blocks permanent deletion during that period, and disposes of it afterwards. Map each setting to an entry in the records retention schedule rather than picking a single period for everything.

  • Immutability: Apply Preservation Lock to the retention policies that cover regulated records, so that nobody, including Global and Compliance Administrators, can disable the policy, shorten its retention period, or remove locations from it; a locked policy can only be extended or widened. Preservation Lock cannot be undone, so validate the scope on a pilot site before locking the production policy. For individual items rather than locations, use a retention label that marks the item as a record (or regulatory record), which blocks edits and deletion for the retention period.

  • Integrity Monitoring: Enable Microsoft Purview Audit so that access, modification, and deletion of files and mailbox items are logged with the acting user and timestamp. Note that the default audit log retention (180 days with Audit Standard) is far shorter than a typical record retention period; create an audit log retention policy (Audit Premium) or export the log to a SIEM so that audit evidence exists for the full life of the record.
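The three steps above, worked in Security & Compliance PowerShell as an added example (this is not code from the original page or from Microsoft's documentation): it creates a seven-year retain-then-delete policy scoped to a finance site and mailbox, applies Preservation Lock, creates a matching record label for individual items, and then pulls the policy and audit evidence an auditor would ask for. The tenant name contoso, the site URL, the mailbox address, and the policy and label names are placeholders; the signed-in account is assumed to hold the Compliance Administrator role and to have the ExchangeOnlineManagement module installed.

```powershell
# Added example for control 5.33, not code from the original page.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator account.
# "contoso", the site URL, the mailbox and all policy/label names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance-admin@contoso.onmicrosoft.com"

$policyName    = "Financial-Records-7y"
$retentionDays = 7 * 365          # retention schedule entry: 7 years from creation

# 1. Retention policy scoped to the locations that actually hold the records
New-RetentionCompliancePolicy -Name $policyName `
    -SharePointLocation "https://contoso.sharepoint.com/sites/Finance" `
    -ExchangeLocation   "finance@contoso.com" `
    -Enabled $true

# 2. Rule: keep for the retention period counted from creation, then delete
New-RetentionComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -RetentionDuration $retentionDays `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# 3. Preservation Lock. Irreversible: afterwards administrators can only add
#    locations or lengthen the period. Try it on a pilot policy first.
Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true

# 4. Record label for individual items (e.g. a signed contract in a project site).
#    IsRecordLabel blocks edits and deletion of labelled items for the period.
New-ComplianceTag -Name "Financial record (7y)" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration $retentionDays `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true `
    -Comment "Control 5.33: tax and financial records"

# 5. Evidence: active policy, its rule, lock status and the label definition
Get-RetentionCompliancePolicy -Identity $policyName |
    Select-Object Name, Enabled, RestrictiveRetention, SharePointLocation, ExchangeLocation
Get-RetentionComplianceRule -Policy $policyName |
    Select-Object Name, RetentionDuration, ExpirationDateOption, RetentionComplianceAction
Get-ComplianceTag -Identity "Financial record (7y)" |
    Select-Object Name, RetentionDuration, RetentionAction, IsRecordLabel

# 6. Integrity monitoring: who deleted or modified files in the Finance site in
#    the last 30 days. The audit log must be enabled; its default retention is
#    shorter than the record retention period, so export this on a schedule.
$end   = Get-Date
$start = $end.AddDays(-30)
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation `
    -Operations FileDeleted, FileModified `
    -ResultSize 5000 |
    Where-Object { $_.AuditData -like '*/sites/Finance/*' } |
    Select-Object CreationDate, UserIds, Operations |
    Export-Csv -Path ".\finance-file-changes-$($end.ToString('yyyyMMdd')).csv" -NoTypeInformation
```

Run steps 1, 2, and 4 against a test site first and check the output of step 5 before step 3, because a mis-scoped locked policy cannot be narrowed or removed. The CSV from step 6 is the kind of artefact that answers the auditor's question about protection against unauthorized modification or deletion.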

Evidence Checklist

  • Records Retention Schedule: A document defining each category of record, how long it must be kept, the legal or contractual basis for that period, and how it is to be destroyed when the period ends.

  • Retention Reports: Output from Microsoft Purview (or Security & Compliance PowerShell) listing the active retention policies and labels, the locations they cover, their retention periods, and whether Preservation Lock is set.

  • Destruction Records: Evidence that expired records were disposed of in accordance with the retention schedule, such as Purview disposition review records or a vendor's certificate of destruction for physical media.

Practical Audit Advice

Here are some questions the auditor might ask:

  • How did the organization determine the retention periods for different types of sensitive business records?

  • In the event of a system failure, migration, or file-format obsolescence, how do you ensure that archived records remain accessible and readable for their full retention period?

  • What process is in place to ensure that records are securely destroyed once their retention period has ended?

  • Can you provide evidence that your critical records are protected against unauthorized modification or deletion, including by privileged administrators?