Robert,

In my opinion, this is an area where it really does depend on what you
are doing, to what extent, and why.  The retention could range from
"until the next scan" to "retain 10 years beyond the completion of the
corrective action or resolution to the legal action".  I am currently
working with our IT and cyber security staff as they develop their
policies related to firewall and network scanning, and please understand
that within this arena, "scanning" is as generic of a term as "record".

Questions to ask the staff doing the scanning:

1. Why are you scanning (what are the drivers or requirements)?
2. Are you using a commercial product to perform the scans?
3. What specifically are you scanning for?
4. Are you scanning for different vulnerabilities?
5. Do the vulnerabilities change?
6. Are you scanning firewall traffic inbound, outbound or both?
7. How detailed are the scanning results?
8. What actions are being taken as a result of the scans?

This is just a starting point for questions to begin to really
understand the purpose of scans.  As for another resource, although
someone else mentioned General Records Schedule 20, you might also want
to take a look at GRS 24 which is IT Operations Records.  This schedule
describes the retention of records to support corrective actions, etc.
Remember though, this applies only to US federal records.  You can
access GRS 24 here:
http://www.archives.gov/records-mgmt/ardor/grs24.html


Hope this helps,

Lee Michael, CRM
Records Program Manager
National Renewable Energy Laboratory
Golden, CO

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance