
Ask an Auditor Office Hours #3

Welcome back to our weekly Ask an Auditor!

Each Wed from 1-2pm PT, someone from either the Security Labs or Customer Success teams will be on deck for one hour to answer any and all Qs you may have.

This week we have @Harpreet, a member of our Tugboat Labs team and a former auditor and cybersecurity expert at PwC.

Here's how to participate:

  1. Submit your Qs in this discussion thread, and go about your day! Or, you can stay on during the hour (1-2pm PT) and submit as many Qs as you'd like.
  2. Harpreet will write out an answer to you as soon as she can, and tag you in her answer.
  3. Submit your Qs even when office hours are over - Harpreet and/or someone from CS/Labs will answer your Q in 1 business day.

We look forward to hearing from you and hope we can help you out!



  • Hey @Harpreet, I actually have a question myself this week!

    A lot of our recent and upcoming Control of the Week pieces have dealt with logging and documentation. I was just curious what your recommendations are concerning record keeping and evidence collection in general. There are tools like Tugboat Logic's platform that can help manage and organize those elements, but what should you do about historical records, back-ups and internal recording?

    I think that information would be really useful supplementary info to our CoW blogs. Thanks!

  • harpreet_shergill (Tugboat Employee, Tugboat Team)

    That's a great question @Cheryl.

    It depends on a number of factors, but to summarize, a company should define in its formal data retention procedures the retention periods for each type of data/record, including historical records, back-ups and internal recordings, and how to manage/dispose of the data once the retention period is over.

    Retention and disposal requirements may be driven by legislation, regulation, policy, best practice, or agreement with a third party (such as another level of government). As an example, any data having customer information must be retained in accordance with the contractual agreement between the Customer and the Company. All records and documents containing any business-sensitive information must be purged upon reaching their retention life span.

    Looking forward to doing some CoW blogs on this topic!