IBM Cloud Docs
SI-12 - Information Management and Retention

Control requirements

SI-12 - 0

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

Additional IBM Cloud for Financial Services specifications

The organization shall adhere to data retention and destruction parameters defined by the customer.

Destruction of customer records must be approved by the customer prior to destruction.

Destruction of customer data must occur within 30 days of customer authorization.

The organization will inform the customer upon completion of requested/approved modification/disposal of customer data.

The organization will ensure that metadata for records owned by an FS-ready public cloud customer but maintained by the organization meets the customer's granularity requirements. These requirements can be requested from the Vendor Manager that the customer has assigned to the organization/IBM.

Rules of behavior must include data handling requirements according to the customer's security classification, including but not limited to:

  • Clear desk policy to safeguard sensitive information
  • Customer data may not be stored on laptops or mobile devices
  • When users stop work and move away from the immediate vicinity of the system, a screen lock must be engaged so that the information previously visible on the display is replaced with a publicly viewable image
  • Credentials must not be shared and must be rotated and stored in accordance with authentication and encryption policies
  • Collaboration spaces must be secured, and data shared only with authorized individuals who have been granted permission to access that data.

NIST supplemental guidance

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.