State Agencies’ Records Retention Schedule

S6: Information Systems Records

S6 Retention Schedules

State of CT Schedules

S1 - Administrative Records (rev. 1/2010)

S2 - Personnel Records (rev. 1/2010)

S3 - Fiscal Records (rev. 1/2010)

S4 - Health Records (rev. 11/2010) NEW

– Records Retention Policy for Hospital Closures, Mergers, and Consolidations

S5 - Higher Education Records (rev. 1/2010)

S6 - Electronic Data Processing Records

– Now ‘Information Systems Records”

S7 - Full-Time Post Secondary Programs in Vocational-Technical School Systems

S8 - Correctional Facilities Records

S9 - Libraries, Archives and Museums (under development)

S10 - Public Safety and Emergency Services Records NEW

S6: Information Systems Records

The S6 Records Retention Schedule defines the record types and the retention requirements for records that are commonly generated during evaluation, implementation, management and use of an Information System.

Examples:

Systems Logs, Source Code, Support Records

S6 Review Committee

Representatives from several State Agencies convened to review the original S6: Data Processing Records retention schedule that was last revised in 1999.

The original schedule was quickly discarded and a new one was created based on current technology and terminology.

S6: General Intent

Defines the minimum length of time the agency/department must maintain the record.

– These are NOT requirements to “generate” a specific record type – If you don’t generate the record, there is no requirement to maintain it.

– Generation of the record is based on operating procedures, policies and department functions

S6: Disposition

Documentation of disposal of log data occurs in two ways:

Certificate of Compliance

RC-108

Certificate of Compliance

Certifies that the department will meet the retention and disposition requirements established by the Office of the Public Records Administrator in State Agencies’ Records Retention/Disposition Schedule S6: Information Systems Records.

Allows the agency/department to destroy certain types of records automatically (without an RC-108) so long as the destruction is in accordance with the minimum retention

– Information Systems Backup Recovery Media

– Information Systems Data or Database Dictionary Documentation

– Information Systems Usage Records

– And many others!

Certificate of Compliance

Compliance with the S6: Information System Records Retention Schedule would be unmanageable without the Certificate Completed Annually

Signed certificate must be maintained for 1 year after expiration

Must be submitted by June 30th .

Download your Certificate of Compliance from

http://www.cslib.org/publicrecords/opraforms.htm

RC-108

Without a Certificate of Compliance, the department must complete an RC-108 to dispose of records. Examples include:

– For deleting system logs

– When making modifications to operating procedures

– Before overwriting backups

– Download the RC-108 form from here: http://www.cslib.org/publicrecords/opraforms.htm

S6,Series 10: Administratively Valuable

“Until no longer administratively valuable.”

– It is recommended that each agency documents how long individual usage records are maintained pursuant to defined administrative value.

The same log types on multiple systems may have different values to an organization based on the use or users of a system, application, device, etc.

ISO Retention Schedule

Regulations, laws, and business requirements supersede minimum retention requirements.

Example – A regulation requires system logs to be maintained for 6 months, but the retention schedule only requires 3 weeks. – Maintain the information for 6 months.

Information Security Office examples

Category Schedule

Access Logs 6 Months

System Logs 12 Months

Traffic Logs 3 Months

Incident Logs 4 Months

Splunk

The Information Security Office is managing most series 10 related log retention schedules through Splunk.

Each index has a custom retention schedule, currently:– 1 Week– 1 Month– 3 Months– 4 Months– 6 Months– 12 Months– 18 Months– 6 Years (default, if not otherwise configured)

Data is automatically purged when it reaches the defined expiration

Splunk

Additional custom indexes can be created.

Agent install is fast and virtually effortless for basic log types.

Supports specialized application and database log files.

Log harvesting, parsing and alerting tools.

Robust searching and analysis features.

Role Based Access Control.

In Closing

S6 has been updated, is clearer, more useable

Only logs that are collected apply

Certificate of Compliance or RC-108 required for disposal

‘administratively useful’ needs to be documented

Splunk is available to any department collecting records

Contact the security office for more information.

S6 documentation/tools on security.uconn.edu