SI-12 / SI-14 / A.8.11 / CIS-3.3 NIST SP 800-53 Rev 5

Retention policy + scheduled deletion

Description

What this control does

This control ensures that data is retained only for the period necessary to meet business, legal, and regulatory requirements, and is automatically deleted thereafter. Organizations define retention periods by data classification, implement scheduled deletion processes (e.g., cron jobs, cloud lifecycle policies, automated scripts), and maintain evidence of deletion execution. This prevents accumulation of unnecessary data that increases breach exposure, storage costs, and compliance risk.

Control objective

What auditing this proves

Demonstrate that documented retention policies are consistently enforced through automated deletion mechanisms and that data is removed at the end of its defined lifecycle.

Associated risks

Risks this control addresses

  • Unauthorized access to or exfiltration of obsolete sensitive data retained beyond its required lifecycle
  • Non-compliance with data minimization requirements under GDPR, CCPA, or sector-specific regulations leading to regulatory penalties
  • Increased legal discovery costs and exposure during litigation due to excessive data retention
  • Storage capacity exhaustion and increased infrastructure costs from unbounded data accumulation
  • Inability to honor data subject deletion requests (right to be forgotten) within required timeframes
  • Stale or obsolete data being inadvertently used in business decisions or analytics, causing operational errors
  • Elevated attack surface from accumulated backup copies, snapshots, and archived data not subject to deletion

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's formal data retention policy document, noting defined retention periods for each data classification or category.
  2. Identify all data repositories, databases, storage systems, backup platforms, and cloud storage services in scope for retention enforcement.
  3. Review configuration exports or infrastructure-as-code definitions for automated deletion mechanisms (e.g., S3 lifecycle policies, Azure blob retention rules, database purge jobs).
  4. Select a representative sample of data categories and trace their deletion schedules from policy through technical implementation to verify alignment.
  5. Examine logs or audit trails from the past 90 days showing execution of scheduled deletion jobs, including timestamps, record counts, and success/failure status.
  6. Interview data custodians or system administrators to confirm oversight processes, exception handling, and manual deletion procedures for systems lacking automation.
  7. Test one or more deletion mechanisms by identifying data approaching its retention expiration and verifying it is queued or flagged for removal according to schedule.
  8. Review exception or legal hold processes to confirm retention extensions are formally documented, approved, and tracked separately from standard schedules.
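The deletion mechanism that steps 3 to 8 inspect can be made auditable by construction: the job derives each record's expiry from the classification's retention period, refuses to delete anything under legal hold or without a documented period, and writes one audit entry per run carrying the timestamps, record counts and success/failure status that step 5 asks for. The following Python job is an added illustration, not code from this audit program or any particular product; the retention schedule, record layout, legal-hold list, in-memory store and log fields are all constructed assumptions.

```python
"""Scheduled retention enforcement with an evidence trail.

Added example with constructed data. RETENTION_DAYS, the Record layout,
the legal-hold set and the audit-entry fields are assumptions, not a
standard; a real job would read the policy from configuration and call
the storage system's delete API instead of popping from a dict.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import json

# Hypothetical retention schedule in days, keyed by data classification.
RETENTION_DAYS: dict[str, int] = {
    "transaction_log": 365,
    "support_ticket": 730,
    "marketing_lead": 180,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    created_at: datetime  # must be timezone-aware


@dataclass
class Plan:
    delete: list[str] = field(default_factory=list)
    held: list[str] = field(default_factory=list)
    retained: list[str] = field(default_factory=list)
    unclassified: list[str] = field(default_factory=list)


def missing_retention_periods(policy: dict[str, int], in_scope: set[str]) -> set[str]:
    """Pre-run coverage check: classifications with no documented period."""
    return {c for c in in_scope if c not in policy}


def expires_at(record: Record, policy: dict[str, int]) -> datetime | None:
    """End of the record's retention period, or None if its class has no period."""
    days = policy.get(record.classification)
    return None if days is None else record.created_at + timedelta(days=days)


def plan_deletion(records, policy, legal_holds: set[str], now: datetime) -> Plan:
    """Classify every record; only expired, unheld, classified records are deleted."""
    plan = Plan()
    for r in records:
        exp = expires_at(r, policy)
        if r.record_id in legal_holds:
            plan.held.append(r.record_id)          # hold overrides the schedule
        elif exp is None:
            plan.unclassified.append(r.record_id)  # fail closed: never purge unknown data
        elif now >= exp:
            plan.delete.append(r.record_id)
        else:
            plan.retained.append(r.record_id)
    return plan


def run_job(records, policy, legal_holds, now, delete_fn, job="retention-purge"):
    """Execute the plan and return (plan, audit entry) for the run's evidence log."""
    plan = plan_deletion(records, policy, legal_holds, now)
    failed = [rid for rid in plan.delete if not delete_fn(rid)]
    deleted = [rid for rid in plan.delete if rid not in failed]
    entry = {
        "job": job,
        "run_at": now.isoformat(),
        "scanned": len(records),
        "deleted": len(deleted),
        "failed": len(failed),
        "held": len(plan.held),
        "retained": len(plan.retained),
        "unclassified": len(plan.unclassified),
        "deleted_ids": deleted,
        "failed_ids": failed,
        # Anything unclassified or failed needs a human to look at the run.
        "status": "success" if not failed and not plan.unclassified else "needs_review",
    }
    return plan, entry


# Constructed sample: job runs at 2024-06-30 against five records.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("r1", "transaction_log", datetime(2023, 6, 1, tzinfo=timezone.utc)),   # expired
    Record("r2", "transaction_log", datetime(2024, 1, 15, tzinfo=timezone.utc)),  # still live
    Record("r3", "support_ticket", datetime(2022, 1, 1, tzinfo=timezone.utc)),    # expired, on hold
    Record("r4", "marketing_lead", datetime(2023, 12, 31, tzinfo=timezone.utc)),  # expired 2024-06-28
    Record("r5", "unknown_export", datetime(2020, 1, 1, tzinfo=timezone.utc)),    # no policy entry
]
HOLDS = {"r3"}  # hypothetical legal hold reference


def run_demo():
    """Run the job against an in-memory store; returns (plan, entry, remaining ids)."""
    store = {r.record_id: r for r in SAMPLE_RECORDS}

    def delete_from_store(rid: str) -> bool:
        return store.pop(rid, None) is not None

    plan, entry = run_job(SAMPLE_RECORDS, RETENTION_DAYS, HOLDS, NOW, delete_from_store)
    return plan, entry, sorted(store)


if __name__ == "__main__":
    _, audit_entry, _ = run_demo()
    print(json.dumps(audit_entry))  # one JSON line per run is the evidence an auditor samples
```

Two design choices carry the audit weight: the hold check runs before the expiry check so a documented exception can never be overridden by the schedule, and a record whose classification has no retention period is reported rather than deleted, which turns a policy gap (pass criterion: every category has a period) into a visible "needs_review" status instead of silent data loss.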
Evidence required

Collect the data retention policy document with defined schedules by classification; configuration exports or screenshots of automated deletion rules (cloud lifecycle policies, cron job definitions, database purge scripts); execution logs or monitoring dashboards showing scheduled deletion activity over the past quarter; change management records for retention policy updates; and documented exceptions or legal holds with approval evidence.

Pass criteria

All data categories have documented retention periods, automated deletion mechanisms are configured and actively executing per policy schedules, and logs confirm successful deletion activity within the defined timeframes for sampled data types.
