SI 12 INFORMATION MANAGEMENT AND RETENTION - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

SI-12 INFORMATION MANAGEMENT AND RETENTION

Control: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

Discussion: Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.

Related Controls: All XX-1 Controls, AC-16, AU-5, AU-11, CA-2, CA-3, CA-5, CA-6, CA-7, CA-9, CM-5, CM-9, CP-2, IR-8, MP-2, MP-3, MP-4, MP-6, PL-2, PL-4, PM-4, PM-8, PM-9, PS-2, PS-6, PT-2, PT-3, RA-2, RA-3, SA-5, SA-8, SR-2.

Control Enhancements:

  • (1) INFORMATION MANAGEMENT AND RETENTION / LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS
    Limit personally identifiable information being processed in the information life cycle to the following elements of PII: [Assignment: organization-defined elements of personally identifiable information].

    Discussion: Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk.

    Related Controls: PM-25, PT-2, PT-3, RA-3.

  • (2) INFORMATION MANAGEMENT AND RETENTION / MINIMIZE PERSONALLY IDENTIFIABLE INFORMATION IN TESTING, TRAINING, AND RESEARCH
    Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: [Assignment: organization-defined techniques].

    Discussion: Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them.

    Related Controls: PM-22, PM-25, SI-19.

  • (3) INFORMATION MANAGEMENT AND RETENTION / INFORMATION DISPOSAL
    Use the following techniques to dispose of, destroy, or erase information following the retention period: [Assignment: organization-defined techniques].

    Discussion: Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. The disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information.

    Related Controls: MP-6.
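As an added illustration of enhancements (2) and (3) above (example code, not NIST text or any agency's implementation), the following Python routine applies a constructed, organization-defined retention schedule to constructed log records, marks every copy past its retention period for disposal (originals and archived copies alike), and de-identifies records by dropping PII elements outside an assumed allowed set and pseudonymising the allowed ones. The retention periods, PII field names and sample records are all assumptions for the example.

```python
from datetime import date, timedelta
import hashlib

# Constructed retention schedule (the organization-defined assignment): category -> days.
RETENTION_DAYS = {"audit_log": 365, "access_request": 90}
# Constructed SI-12(1) assignment: the only PII element allowed to remain in the life cycle.
ALLOWED_PII = {"user_id"}
# Constructed list of fields this system treats as PII elements.
PII_FIELDS = {"user_id", "email", "full_name"}


def is_past_retention(record, today):
    """True once the record is older than its category's retention period."""
    limit = timedelta(days=RETENTION_DAYS[record["category"]])
    return today - record["created"] > limit


def select_for_disposal(records, today):
    """Every copy past retention is due for disposal: originals, copies and
    archived records are all in scope, so the result is keyed by (id, location)."""
    return sorted((r["id"], r["location"]) for r in records
                  if is_past_retention(r, today))


def deidentify(record, salt):
    """Drop PII elements outside the allowed set and pseudonymise the allowed
    ones with a salted hash so the record stays linkable but not identifying."""
    out = {}
    for key, value in record.items():
        if key in PII_FIELDS and key not in ALLOWED_PII:
            continue  # removed entirely, not merely masked
        if key in ALLOWED_PII:
            value = hashlib.sha256(f"{salt}:{value}".encode()).hexdigest()[:16]
        out[key] = value
    return out


# Constructed sample records; "archive" rows are retained copies of originals.
SAMPLE = [
    {"id": "r1", "location": "primary", "category": "audit_log",
     "created": date(2023, 1, 10), "user_id": "u42", "email": "u42@example.org",
     "full_name": "Sample User", "action": "login"},
    {"id": "r1", "location": "archive", "category": "audit_log",
     "created": date(2023, 1, 10), "user_id": "u42", "email": "u42@example.org",
     "full_name": "Sample User", "action": "login"},
    {"id": "r2", "location": "primary", "category": "access_request",
     "created": date(2024, 4, 1), "user_id": "u7", "action": "request"},
]

if __name__ == "__main__":
    print(select_for_disposal(SAMPLE, date(2024, 6, 1)))
    print(deidentify(SAMPLE[2], salt="constructed-salt"))
```

Run against the constructed records on 2024-06-01, both copies of r1 (508 days old, beyond the 365-day audit_log period) are selected while r2 (61 days, within its 90-day period) is kept.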

References: [USC 2901], [OMB A-130, Appendix II].
