When determining how long to retain a penetration test report, which consideration aligns BEST with industry best practices regarding data retention policies?
Retention should be based on the personal preference of the penetration tester.
Reports should be kept for a 'safe' short-term duration of 30 days, then discarded.
Reports should be kept for as long as specified by the organization's data retention policy.
Reports should be kept indefinitely for historical comparison.
Industry best practices dictate that sensitive documents such as penetration test reports should be retained for the period defined by the organization's data retention policy. This keeps the organization compliant with its legal and regulatory obligations while preserving the ability to reference past tests. Keeping reports indefinitely increases the risk that they are accessed by unauthorized parties, since each report documents exploitable weaknesses. There is no universally 'safe' short-term duration without context; a fixed 30-day window would not necessarily satisfy the retention requirements that apply. Retaining reports only for as long as a tester prefers is not aligned with best practices, because it is subjective and ignores regulatory and organizational requirements.