While I don't necessarily disagree with the prior comments about the value of these records in a typical business setting, some of us are bound by government regulation.

NARA's General Records Schedule 24. Information Technology Operations and Management has a citation GRS 24.6 as follows:

6.  User Identification, Profiles, Authorizations, and Password Files, EXCLUDING records relating to electronic signatures.

a.  Systems requiring special accountability, e.g., those containing information that may be needed for audit or investigative purposes and those that contain classified records.

Destroy/delete inactive file 6 years after user account is terminated or password is altered, or when no longer needed for investigative or security purposes, whichever is later.

b.  Routine systems, i.e., those not covered by item 6a.

See GRS 20, item 1c.

GRS 20.1c basically says you can destroy when you no longer need them.

So if you are handling classified records for a federal agency that uses the General Records Schedules, you have to keep the passwords 6 years after they are changed or when the account is terminated.

Lisa Hawkins
[log in to unmask]

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]