SOX §802 (Criminal Penalties for Altering Documents) makes it a federal crime to destroy or alter audit records within the 7-year retention window — and it applies to the company even if deletion was caused by an automated TTL policy that a developer configured without understanding the requirement. GLBA 16 CFR Part 314 (Safeguards Rule) requires covered financial institutions to retain records related to the security program. NIST 800-53 AU-11 requires organizations to retain audit logs for a defined period consistent with their records retention policy. PCI-DSS 4.0 Req-10.7 requires that audit log history is retained for at least 12 months, with at least the most recent three months available for immediate analysis — financial services are typically subject to the more demanding SOX/GLBA 7-year window. A TTL policy set to 3 years deletes legally protected records and creates criminal liability for the company.
High because violating the 7-year SOX/GLBA retention requirement exposes the company and its officers to criminal penalties, SEC enforcement action, and disqualification from financial services operations.
Define an explicit retention policy in infrastructure/retention-policy.yaml or your database migration. Never rely on the absence of a TTL as implicit retention — document it explicitly:
# infrastructure/retention-policy.yaml
audit_logs:
  table: transaction_logs
  retention_years: 7
  min_days: 2555
  hot_storage_years: 1     # live DB
  warm_storage_years: 3    # read replica / compressed
  cold_storage_years: 3    # S3 Glacier, encrypted
  deletion_allowed_after_days: 2555
  ttl_attribute: null      # no auto-delete
For DynamoDB, ensure no TTL attribute is set on the transaction table. For PostgreSQL, use partitioning to move old partitions to cheaper storage without deleting them. S3 Lifecycle rules on the audit log bucket must be configured as 30 days to IA → 365 days to Glacier → no Expiration action (transitions keep the object; only Expiration deletes it).
ID: finserv-audit-trail.balance-reconciliation.retention-7yr
Severity: high
What to look for: Count all TTL, lifecycle, or deletion policies that apply to the audit log table. Quote the actual retention duration found in configuration or documentation. Check database retention policies, backup schedules, and archival processes. Verify the retention period is at least 7 calendar years (2,555 days). A retention period under 7 years does not count as a pass — do not pass if any TTL-based deletion would purge logs before the 7-year threshold.
Pass criteria: Audit log retention policy is documented and explicitly set to at least 7 years (minimum 2,555 days). At least 1 archival or backup process maintains logs for the full 7-year window. Count all deletion/TTL policies — 0 must delete within the 7-year window. Report the ratio even on pass (e.g., "0 of 2 lifecycle policies delete before 7 years").
Fail criteria: No retention policy found, retention is less than 7 years, or any TTL-based deletion would purge logs before 7 years.
Skip (N/A) when: The application is explicitly not subject to SOX or GLBA regulations (verified by jurisdiction documentation and business model — inferred exemption is not sufficient).
Detail on fail: Specify the current retention policy. Example: "Audit logs are deleted after 3 years per database TTL — 1,095 days vs. required 2,555." or "No retention policy documentation found — 0 policies defined. Logs may be deleted at any time."
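The counting logic described under "What to look for" and "Pass criteria", applied to the S3 lifecycle and DynamoDB TTL settings discussed above, as an added example (not part of the original rule). The inputs are constructed dicts in the shape boto3's get_bucket_lifecycle_configuration() and describe_time_to_live() return, so it runs offline; the rule IDs and prefix are made up.

```python
REQUIRED_DAYS = 2555  # 7 calendar years, the threshold the check uses


def s3_deletions_before(lifecycle, required_days=REQUIRED_DAYS):
    """Return (deleting_rules, enabled_rule_count) for one bucket's lifecycle.
    Transitions to IA/Glacier keep the object and never count; only Expiration
    and NoncurrentVersionExpiration actually purge data."""
    deleting, enabled = [], 0
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        enabled += 1
        exp = rule.get("Expiration", {})
        days = exp.get("Days")
        if "Date" in exp or (days is not None and days < required_days):
            deleting.append(f"{rule['ID']}: expires after {days} days vs. required {required_days}")
        nc_days = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        if nc_days is not None and nc_days < required_days:
            deleting.append(f"{rule['ID']}: noncurrent versions expire after {nc_days} days")
    return deleting, enabled


def dynamodb_ttl_deletes(ttl_desc):
    """DynamoDB TTL is a table-level setting, not a schema field: ENABLED or
    ENABLING means items are purged at the epoch stored in the named attribute."""
    status = ttl_desc.get("TimeToLiveDescription", {}).get("TimeToLiveStatus")
    return status in ("ENABLED", "ENABLING")


def evaluate(lifecycle, ttl_desc, required_days=REQUIRED_DAYS):
    """Apply the pass/fail criteria: zero deletion policies inside the window,
    and report the ratio either way."""
    deleting, total = s3_deletions_before(lifecycle, required_days)
    if dynamodb_ttl_deletes(ttl_desc):
        attr = ttl_desc["TimeToLiveDescription"].get("AttributeName")
        deleting.append(f"DynamoDB TTL enabled on attribute {attr!r}")
        total += 1
    report = f"{len(deleting)} of {total} lifecycle/TTL policies delete before 7 years"
    return {"result": "fail" if deleting else "pass", "report": report, "details": deleting}


# Constructed sample: the compliant 30d->IA, 365d->Glacier tiering rule from the
# text beside a 3-year (1,095-day) expiry that the check must flag.
SAMPLE_LIFECYCLE = {"Rules": [
    {"ID": "audit-tiering", "Status": "Enabled", "Filter": {"Prefix": "audit/"},
     "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                     {"Days": 365, "StorageClass": "GLACIER"}]},
    {"ID": "purge-3y", "Status": "Enabled", "Filter": {"Prefix": "audit/"},
     "Expiration": {"Days": 1095}},
]}
SAMPLE_TTL_OFF = {"TimeToLiveDescription": {"TimeToLiveStatus": "DISABLED"}}
```

`evaluate(SAMPLE_LIFECYCLE, SAMPLE_TTL_OFF)` fails with the report "1 of 2 lifecycle/TTL policies delete before 7 years"; dropping the purge rule yields a pass with the ratio still reported, as the pass criteria require.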
Remediation: Implement explicit 7-year retention (in infrastructure/retention-policy.yaml or db/migrations/):
-- For PostgreSQL: partition by year, archive old partitions
-- Parent table must be declared range-partitioned before child partitions can be attached
CREATE TABLE IF NOT EXISTS transaction_logs (
    transaction_id  bigint       NOT NULL,
    user_id         bigint       NOT NULL,
    created_at      timestamptz  NOT NULL
) PARTITION BY RANGE (created_at);

CREATE TABLE transaction_logs_y2024 PARTITION OF transaction_logs
    FOR VALUES FROM ('2024-01-01') TO ('2025-01-01');
-- Archive 2017-2023 partitions to cold storage (S3): DETACH PARTITION and export, never DROP inside the window
-- Keep live partitions for current + 6 prior years
-- Deletion policy: automatic only after 7-year threshold
-- Backup schedule: daily snapshots to S3 with encryption, 7-year retention
Or for DynamoDB:
// No TTL attribute for production transactions
// Archive to S3 after 1 year for cost optimization, keep indefinitely
// Note: DynamoDB TTL is a table-level setting (UpdateTimeToLive), not a schema
// field; the table's TimeToLiveSpecification must stay disabled as well.
const transactionSchema = {
  transactionId: { type: 'S' },
  timestamp: { type: 'S' },
  userId: { type: 'S' },
  // No "TTL" attribute — logs must not auto-delete
  archiveDate: { type: 'S' } // Set when archived to S3
};