ISO/FDIS 18759

DRAFT INTERNATIONAL STANDARD
ISO/DIS 18759
ISO/TC 171/SC 2 Secretariat: ANSI
Voting begins on: Voting terminates on:
2018-09-25 2018-12-18
Document management — Trusted Storage Sub-System
(TSS) functional and technical requirements
Gestion des documents — Exigences fonctionnelles et techniques du sous-système de stockage fiable (TSS)
ICS: 37.080
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
This document is circulated as received from the committee secretariat.
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/DIS 18759:2018(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
©
PROVIDE SUPPORTING DOCUMENTATION. ISO 2018

ISO/DIS 18759:2018(E)
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved

ISO/DIS 18759:2018(E)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Retention requirements for trusted storage environments . 2
4.1 Overview . 2
4.2 Electronically Stored Information (ESI) . 2
4.3 Retained ESI . 2
4.4 Legal Hold of retained ESI . 3
4.5 Enforcement of litigation holds . 3
4.6 Retained ESI retention management . 3
4.7 ESI retention management states . 4
4.7.1 Overview . 4
4.7.2 ESI permanent retention state . 4
4.7.3 ESI fixed retention state. 4
4.7.4 ESI hybrid retention state (Minimum retention and overall retention) . 5
4.8 TSS retention enforcement . 6
4.9 TSS retention policies . 7
4.9.1 Overview . 7
4.9.2 TSS-defined retention policy . 7
4.9.3 Application-defined retention policy . 7
4.9.4 Application-defined retention policy class . 8
5 TSS operational states. 9
5.1 Overview . 9
5.2 Autonomous storage state . 9
5.3 WORM Storage State .10
5.4 Integrated state .10
5.5 Application State .10
6 General Trusted Storage Sub-System requirements .11
6.1 Storage security .11
6.2 ESI encryption .11
6.3 Secure delete and erasure .12
6.4 Redundancy .12
6.5 Retained ESI integrity checks by one or more cryptographic hash values or checksum.12
6.6 Application and ESI security .12
6.7 Storage migration and upgrades .12
6.8 Auditability .13
6.8.1 Overview .13
6.8.2 Trusted Storage Sub-System audit capabilities .13
6.8.3 Trusted Storage Sub-System audit trail .13
7 Technical methods for trusted storage environments .13
7.1 Overview .13
7.2 Trusted Storage Sub-System operational policies .14
7.3 Security .14
7.3.1 Management and organization of security .14
7.3.2 Risk assessment . .14
7.3.3 Physical security .14
7.3.4 Hardware security .14
7.3.5 Security of custom software and software products .15
7.3.6 Maintenance of the TSS .15
7.3.7 System change-management and migration of media .15
ISO/DIS 18759:2018(E)
7.3.8 Security backups .15
7.3.9 Business Continuity Plan to demonstrate of access to stored ESI .15
7.3.10 Date and time stamping .15
7.4 Audit trail .15
7.4.1 General.15
7.4.2 Secure preservation of the audit trail .15
7.4.3 TSS lifecycle log .16
7.4.4 Events log .16
7.5 Hash values or Checksums .16
7.6 Ransomware protection .16
7.7 Error correction .16
7.8 Monitoring, notifications and alerts .16
7.9 Encryption .17
7.10 Permissions .17
7.11 Integrity of storage devices and media .17
8 Compliance requirements and mitigating technical methods .18
8.1 Migration of information between media .18
8.2 Technical obsolescence .18
8.3 Discovery requests .18
8.4 “Right to be forgotten” .18
8.5 ESI degradation .19
8.6 Malicious actions by employees or outside parties.19
8.7 ESI store errors .19
8.8 Storage System hardware controls .20
8.9 Accidental or premature deletion of ESI .20
iv © ISO 2018 – All rights reserved

ISO/DIS 18759:2018(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www .iso .org/iso/foreword .html.
This document was prepared by Technical Committee ISO/TC 171, Document management applications,
Subcommittee SC 2, Document file formats, EDMS systems and authenticity of information.
ISO/DIS 18759:2018(E)
Introduction
Organizations storing digital content or ESI (Electronically Stored Information) need guidance on
how to select design, implement and manage information and content management systems in such a
way as to guarantee the reliability, authenticity, and integrity of the ESI contained within the system
throughout its entire lifecycle. In addition to the business or organization’s internal requirements to
demonstrate the trustworthiness of its ESI, there are also externally mandated legal and regulatory
trustworthiness requirements in the form of statutes, regulations and admissibility standards.
Both the ISO/TC 171, Document Management Applications and ISO/TC 46/SC11 Archives and Records
Management committees have been working on the development of standards and best practices
associated with developing and implementing a “Trusted Storage Sub-System” (TSS). The primary
motive of this work is to provide clear, concise, vendor neutral requirements for information and
content management systems responsible for retaining and delivering reliable and legally admissible
ESI. As defined by ISO 15801, a trusted system is “information technology system with the capability of
managing ESI in a trustworthy manner.”
This document addresses the requirements for storage systems with regards to non-alterability,
security, and verification, as are expressed in authoritative documents such as ISO 15801, ISO 22957,
and ISO 18829. Historically, the concept of unalterable storage was referred to as WORM Write-Once
Read Many and was primarily focused on the physical characteristics of the storage media. The intent
of this document is to focus on preserving the integrity of the ESI independent of the actual underlying
storage technology or its physical characteristics.
The title of this document, “Trusted Storage Sub-System (TSS) Functional and Technical Requirements,”
is meant to reflect the objective of the standard, which is to provide comprehensive details on the
characteristics of trustworthy ESI storage solutions. It is meant to define the functional and technical
requirements for any storage solution regardless of the actual nature of solution. The solutions
implementing this document may rely on specific hardware and/or software features. It is not meant to
suggest what constitutes a compliant storage device but rather focuses on the functional requirement
and capabilities that in themselves are sufficient for a system to be designated a Trusted Storage Sub-
System (TSS).
At a minimum, a TSS stores ESI in a tamper-proof configuration that is redundant and shall maintain
multiple copies of the ESI in an unalterable secure format that prevents unauthorized deletions and that
are ideally maintained in different physical locations. In particular, the Trusted Storage Sub-System
meets the following criteria:
— Maintains at least two copies of the ESI in a minimum of two independent tamper-proof repositories
that do not share any physical, virtual or hybrid infrastructure regardless of whether the TSS is on-
premise or cloud and ideally is maintained in separate physical locations. For example:
— Two storage arrays in the same server or storage chassis would not be compliant with this
document
— Two storage arrays in two separate servers or storage chassis along with the other TSS properties
defined in this document would be a TSS. If those two independent systems are geographically
separated, it provides greater redundancy.
— Supports storage of the ESI in an immutable form, demonstrates and monitors its integrity.
— Demonstrates that the ESI is retained until a policy-defined deletion point.
— Enforces that all policies are managed exclusively through the Trusted Storage Sub-System
Management Interface (TSSMI) and are logged by the TSS.
— Maintains archive audit logs for ESI creation, retention and disposition, including litigation hold or
changes to retention periods.
vi © ISO 2018 – All rights reserved

ISO/DIS 18759:2018(E)
— Maintains security audit logs for attempts to tamper or compromise ESI integrity or the security of
the TSS.
— Enables the logging of ESI read, write, and modify operations, though auditing access operations
may become a burden to maintain and store.
— Monitors the underlying storage technology or infrastructure to provide alerts and notifications
that would enable authorized personnel to take appropriate action including replacing components
or migrating to alternate storage technologies.
Changes in the legal and technological landscape, the evolution and possible obsolescence of storage
technologies should be taken into consideration and constantly monitored. We shall take into
consideration that over the lifetime of the data the underlying storage has evolved in certain instances
such technologies have literally become extinct. Some hardware manufacturers have gone out of
business, shutdown divisions, or discontinued offering citing various reasons from lack of adoption to
other business reasons.
The primary focus has always been the viability and reliability of the data and that is dependent on
the fundamental need to keep it accessible, verifiable, valid and authentic, taking into consideration
that over time the physical storage may have to change without impacting the trustworthiness of the
data itself. This document is motivated by the evolution of storage technologies. The de facto paradigm
for trusted storage has been writable but non-rewritable optical media, which are “write-once” by
virtue of the nature of the media and the method of writing to them. However, new non-optical storage
systems have evolved that accomplish “write-once” objectives through a combination of hardware and
software controls. Understanding what specific functionality is required of these systems to meet TSS
requirements is the primary motivation for this document.
The ISO 15801 definition of a trusted system contains two elements. The first element is the requirement
that any ESI retrieved from the system can be proven to be authentic and having integrity (complete and
unaltered). The second element is that during the lifecycle of the system itself, it can be demonstrated
that the TSS demonstrates authenticity, integrity, usability and confidentiality of all the ESI it contains
during the ESI’s lifecycle. These two elements of the definition of a trusted system correspond to the
admissibility of ESI as evidence into legal proceedings, and the obligations of both public and private
organizations to maintain reliable and accurate electronic documents for purposes of accountability
and transparency. This document for trusted storage environments addresses both these criteria and
shall therefore provide guidance to organizations seeking to meet their own internal requirements and
in addition, also meet diverse legal requirements and mandates relative to the production, preservation,
security and management of their electronic documents.
The ISO 14641 provides a reference framework for organizations implementing secure information
systems and identifies characteristics such as optimization of long-term electronic document
preservation, archiving and integrity and more importantly in principle do not conflict with the
objectives of this document. This document extends the specifications “intended to demonstrate that
all documents to be managed by the information system are captured, stored, retrieved and accessed
in a way that guarantees that the archived document is an authentic rendition of the original document
for the duration of preservation” [SOURCE ISO 14641] combined with the trustworthiness provisions
of the Trusted Storage Sub-System in this document. For the purposes of this document, “an authentic
rendition means that the rendered document corresponds to the source document as it was at the time
of input in the information system in respect of criteria of fidelity and integrity, and that this state is
maintained for the duration of preservation” [SOURCE ISO 14641].
The primary difference in the scope of this document versus the definitions identified in the ISO 14641
is this document focuses on the functional requirement of what constitutes a Trusted Storage Sub-
System rather than the focus on the physical characteristics of the archival media (physical WORM,
logical WORM and rewritable media) as defined in ISO 14641. It should be noted that requirements
for archival integrity of the electronically stored information on a Trusted Storage Sub-System do
not conflict with those identified in ISO 14641 including the use of “encryption-like techniques, in
particular with checksum calculation or hash function, date and time stamp or digital signature”
[SOURCE ISO 14641]. Where possible this document will leverage the applicable definitions identified
ISO/DIS 18759:2018(E)
in the ISO 14641 as well as other referenced standards to establish a common more comprehensive
framework for a Trusted Storage Sub-System.
Organizations that are implementing a TSS should have a defined process to review and analyse their
ESI before simply committing it to a TSS. Consult a professional or use an analysis tool that may assist
you in identifying the operational state and the appropriate retention policies. Not all ESI is equal and
the guidelines for protecting, preserving and destroying various types of ESI vary. In this document, we
are defining the various functional requirements; bearing in mind that the underlying implementations
and technologies may differ between various solutions; that should be available to deploy and use a TSS.
The nature of the ESI stored in a TSS whether it is unstructured or structured ESI is irrelevant to the
fundamental functional control defined within the TSS. The requirements identified herein will focus
on the features and capabilities of the TSS that would support compliance with security, preservation
and retention requirements independent of the source of the ESI or the applications used to access the
information.
Recognizing that storage technologies will continue to mature and morph over time, this document
is based on the concept that the overall TSS does not rely on specific storage technologies or media.
Rather, this document specifies functional requirements for storage technologies/media allowing
organizations to maintain their information in a secure fashion.
This environment shall operate regardless of the underlying storage technology, whether optical,
magnetic, solid state storage technologies, or whatever else. This document is based on the concept
that access to the ESI stored in a TSS is secured from any external access and once configured can only
be accessed via the TSS audited interface. This document will also identify reporting requirements for
these storage systems that shall manage access control and provide information on other aspects of
TSS integration related requirements.
viii © ISO 2018 – All rights reserved

DRAFT INTERNATIONAL STANDARD ISO/DIS 18759:2018(E)
Document management — Trusted Storage Sub-System
(TSS) functional and technical requirements
1 Scope
This document specifies the functional and technical requirements associated with storage systems
storing and managing organizational documents, in a protected and secured fashion, during the lifecycle
of the information. This document does not specify specific storage media types or configurations.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 13008, Information and documentation — Digital records conversion and migration process
ISO 14641:2018, Electronic document management — Design and operation of an information system for
the preservation of electronic documents — Specifications
ISO 15489-1:2016, Information and documentation — Records management — Part 1: Concepts and
principles
ISO/TR 15801:2017, Document management — Electronically stored information — Recommendations for
trustworthiness and reliability
ISO 17068:2017, Information and documentation — Trusted third party repository for digital records
ISO/TR 17797:2014, Electronic archiving — Selection of digital storage media for long term preservation
ISO 18829:2017, Document management — Assessing ECM/EDRM implementations — Trustworthiness
ISO/TR 22957, Document management—Analysis, selection and implementation of electronic document
management systems (EDMS)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 12651-1, ISO 14641, ISO 15489
and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http: //www .electropedia .org/
— ISO Online browsing platform: available at https: //www .iso .org/obp
3.1
Trusted Storage Sub-System (TSS)
a Trusted Storage Sub-System (TSS) demonstrates storage of Electronic Stored Information (ESI), in
compliance with the functional and technical requirements of this document
Note 1 to entry: A TSS meets the requirement of a trusted system to store two copies of the ESI written in an
unalterable format to two separate TSS storage repository locations, each providing the write-once controls
independent of the physical characteristics of the physical storage media used. A TSS is one that provides write
once functionality by the internal controls within the system and not strictly only the nature of its media.
ISO/DIS 18759:2018(E)
3.2
Trusted Storage Sub-System Management Interface (TSSMI)
a Trusted Storage Sub-System management interface is the only mechanism that can manage and
administer the security and retention policies of a TSS.
3.3
WORM state
describes a writable functional state of ESI stored in a TSS whose contents and properties (name, size)
can never be modified or altered for its during its lifecycle as defined by the retention schedule.
Note 1 to entry: This immutable write protection affords the assurance that the data contained within the
document cannot be tampered with once it is in this WORM state for the entire remainder of the ESI lifecycle.
3.4
trusted ESI (tESI)
ESI stored on a TSS which is in a WORM state and whose contents and properties (name, size) can never
be modified or altered for its entire existence.
Note 1 to entry: to entry: Alternatively, we can reference immutable ESI (iESI)
3.5
retained ESI (rESI)
an immutable ESI stored on a TSS which may at some point in the future become eligible for disposition
based on an assigned minimum retention period.
4 Retention requirements for trusted storage environments
4.1 Overview
To demonstrate ESI integrity and protect the chain of custody of the trusted ESI -- shall prevent
additions, modifications and deletions of stored ESI as well as track all accesses. This is not possible by
simply writing to a standard storage system. Instead, it requires a storage system that can accept and
enforce the retention rules, disposition policies and security policies assigned to stored ESI maintained
within the internal controls of the TSS.
4.2 Electronically Stored Information (ESI)
In the context of this document, we refer to the general concept of ESI to represent an ESI object that
is a self-contained container of ESI that represents a digital form of information which can be created,
authored, accessed, read, modified, processed or edited. Under various circumstances:
(i) ESI stored on a TSS may remain modifiable for its entire existence and only possible restrictions
that would apply would be related to security privileges and restrictions enforced by the TSS.
(ii) Once ESI stored on a TSS is finalized, it will be considered as Trusted ESI and is no longer modifiable
for its entire existence and is eligible to become a Retained ESI once a retention is assigned.
4.3 Retained ESI
A retained ESI is protected ESI that has met certain criterion to become an immutable ESI, which is
designated as no longer modifiable for its entire retained life span and may be assigned an explicit
minimum retention period upon which the disposition and destruction is allowed once the minimum
retention period has lapsed and expired. In other words, retained ESI contents and properties including
name can no longer be modified for the duration of the defined retention period. Once an immutable
ESI is retained, the only possible actions are to extend or assign an expiry period, apply a legal hold or
delete it once the retention period has expired.
All retained ESI stored on a TSS shall remain unmodifiable for the entire duration of their existence on
the TSS and the only possible modification would be to delete them once they are eligible for disposition.
2 © ISO 2018 – All rights reserved

ISO/DIS 18759:2018(E)
From the TSS perspective, a defined retention expiry assigned to any retained ESI may be extended
but never reduced. Optionally, the TSS can provide the capability to assign a maximum accessibility
period for retained ESI after which the contents of the retained ESI would become inaccessible and
unreadable unless such assignment is extended. The provisions and limitations of assigning a maximum
accessibility period are reflected in the ESI Retention Management (4.7).
4.4 Legal Hold of retained ESI
Applying a legal hold to retained ESI prohibits the retention expiry
(i) The legal hold status of retained ESI whether set or cleared shall:
a. Not change the retention expiry date and time.
b. Allow the retention expiry date and time to be assigned or extended.
(ii) Setting the legal hold on retained ESI, applies the following restriction that shall:
a) Suspend the expiration until such a hold is removed
b) Prevent the deletion and disposition of the retained ESI
(iii) Clearing the legal hold on retained ESI, removes the legal hold restrictions
4.5 Enforcement of litigation holds
Enforcement of litigation holds is typically addressed at the application level and is part of the overall
solution.
(i) If the application solution does not have this capability, then alternative capabilities may exist as
part of the TSS itself.
(ii) The TSS shall enforce the litigation holds on retained ESI by authorized personnel using an
authorized/validated interface or application.
4.6 Retained ESI retention management
a. Retained ESI can never be modified or altered. No changes to contents and properties (name, size)
b. Retained ESI does not have to have an explicitly defined expiration or duration.
c. The only allowable changes to the retention of retained ESI are:
(i) Assign a retention expiry date if not yet defined.
(ii) Extend the retention expiry date and time.
d. Retained ESI legal hold shall follow the legal hold guidelines as defined in (4.4).
e. Optionally, delete / destroy the retained ESI once the retention has expired provided the retained
ESI is not under legal hold. Retained ESI with undefined expiry cannot be deleted until an expiry
date has been assigned.
f. Optionally, assign a maximum accessibility period for the retained ESI after which the retained ESI
contents are no longer accessible. The maximum accessibility period of a retained ESI, stored on
a TSS, can be modified increased or decreased if the assigned value is not less than the assigned
retention expiry for the retained ESI.
ISO/DIS 18759:2018(E)
4.7 ESI retention management states
4.7.1 Overview
The ESI retention state defines the functional retention status of the ESI and imposes restrictions and
limitations to safeguard the integrity and authenticity of the retained ESI. These are the ESI retention
states that shall be enforced by the Trusted Storage Sub-System on an individual retained ESI basis.
Regardless of the assigned retention state the contents, size, properties, attributes and checksums of
a retained ESI can never be modified or altered with the only possible allowable action to delete or
destroy it; provided that its retention period had lapsed and there are no legal hold restrictions. At a
minimum a Trusted Storage Sub-System shall support the functional capabilities of at least one of these
retention management states to qualify as compliant with this document. A TSS may support any one
or all of these retention states.
NOTE Additionally, specific TSS solutions have different names or different methods to accomplish these
retention states. For the purposes of this document, these retention state definitions define the key functionality
supporting an organization’s different types of ESI with differing types of retention needs.
The TSS shall be managed by a trusted application. The records management application regardless of
its location, and, whether it directly or indirectly controls the TSS, should be compliant with ISO 15489,
supporting triggers and event management.
4.7.2 ESI permanent retention state
With this retention status, the retained ESI shall be retained forever and shall never expire.
Permanently retained ESI shall adhere to the following:
(i) Retained ESI can never be modified or altered. No changes to contents and properties (name, size).
(ii) Retained ESI can never expire.
(iii) Retained ESI can never be deleted or destroyed.
(iv) Setting or clearing Legal Hold on permanently retained ESI has no impact on retained ESI.
(v) Assigning a retention period for the retained ESI shall have no impact on the accessibility of the
retained ESI with permanent retention.
(vi) The TSS shall provide a mechanism to refresh the underlying infrastructure including any storage
technology and still maintain this retained ESI’s immutability and retention.
4.7.3 ESI fixed retention state
With this retention state, the retained ESI shall be retained for an explicit period after which it may
become eligible for deletion and disposition. Retained ESI with fixed retention shall adhere to the
following:
(i) Retained ESI with fixed retention can never be modified or altered. No changes to contents and
properties (name, size).
(ii) Retained ESI with fixed retention shall be assigned an explicit retention expiry date and time.
(iii) The retention period of retained ESI with fixed retention can be only extended and cannot be
reduced.
(iv) Retained ESI with fixed retention can only expire once the assigned retention period has lapsed.
(v) Retained ESI with fixed retention can be deleted or destroyed only if the retention period has
expired and the retained ESI is not under legal hold.
4 © ISO 2018 – All rights reserved

ISO/DIS 18759:2018(E)
(vi) Retained ESI with fixed retention whose retention period has lapsed and expired does not have to
be deleted or transferred.
(vii) Changing the legal hold status of retained ESI with fixed retention shall follow the legal hold
guidelines as defined in (4.4).
(viii) Assigning a maximum accessibility period for the retained ESI with a fixed retention shall
prohibit access to the contents of the accessibility of the retained ESI with fixed retention once
the maximum accessibility period has lapsed or expired. The maximum accessibility period for the
retained ESI cannot be less than the fixed retention period of the retained ESI. The assignment
of a maximum accessibility period shall not impact the eligibility for the retained ESI with fixed
retention to be deleted once the retention period has expired.
(ix) The TSS shall provide a mechanism to refresh the underlying infrastructure including any storage
technology and still maintain this retained ESI’s immutability and fixed retention.
ESI undefined retention state
With this retention assignment, retained ESI shall never expire until the proper retention is established.
In other words, the retention state of an undefined retention state retained ESI shall change to either
permanent retention state which shall never expire or fixed retention state to allow it to expire. ESI
with undefined retention shall adhere to the following:
(i) Retained ESI with undefined retention can never be modified or altered. No changes to contents
and properties (name, size).
(ii) Retained ESI with undefined retention can never expire.
(iii) Retained ESI with undefined retention can never have an expiry date and time in this state.
(iv) Retained ESI with undefined retention can never be deleted or destroyed.
(v) Assigning a retention expiry date and time of retained ESI with undefined retention changes the
retention state to either permanent retention state or fixed retention state. Once an expiry date
and time is assigned then the retention state changes and the restrictions of the newly assigned
state apply. If the retained ESI has an assigned maximum accessibility period, then it shall be either
adjusted to align with the assigned retention state of the retained ESI or the retention expiry date
and time of the retained ESI cannot exceed the assigned maximum accessibility period.
(vi) Changing the legal hold status of retained ESI with undefined retention expiry shall follow the legal
hold guidelines as defined in (4.4).
(vii) Assigning a maximum accessibility period for the retained ESI with undefined retention shall
prohibit access to the contents of the accessibility of the retained ESI once the maximum
accessibility period has lapsed or expired. In the event, the retention expiry is assigned to retained
ESI with undefined retention then the maximum accessibility period for the retained ESI shall be
either adjusted to align with the assigned retention state of the retained ESI or the retention expiry
date and time of the retained ESI.
(viii) The TSS shall provide a mechanism to refresh the underlying infrastructure including any
storage technology and still maintain this retained ESI’s immutability and undefi
...