This message was posted by a user wishing to remain anonymous
The product we're receiving from the vendor doesn't interface with our network and there is no data transfer. The vendor won't have any of our data; this is more on the vendor level, not the product level.
Original Message:
Sent: 04-11-2024 09:25 AM
From: Anonymous Member
Subject: Mitigating controls for lack of data retention/classification/destruction policy
Before looking at mitigation, you need to do some additional digging.
- Do they know where your data is?
- How is it being secured?
- Can they provide any details about the age of the data?
- Does their agreement require them to meet any retention, classification or destruction levels?
I would look at your standards and see if you can amend their agreement to meet them. You can always tell them your requirements and ask them to follow them.
Original Message:
Sent: 04-10-2024 12:38 PM
From: Anonymous Member
Subject: Mitigating controls for lack of data retention/classification/destruction policy
During my due diligence on a low-risk vendor, I was informed that they do not have a data retention/destruction/classification policy. What are the potential risks and how can I best mitigate those risks? I was thinking that they would have data scattered all throughout their systems that has been there since the beginning without knowing if it's confidential or not, so there's no data management of any kind.
Any input is appreciated,
Thanks.