Data Loss Prevention

I have a quick question please regarding the Symantec Data Loss Prevention Data Retention and best practice. I am aware that the Data Retention is various from one company to another, however, I am looking at it from DLP perspective, meaning, how often should I purge the old incidents, what kind of data is important to keep, and for how long?  Again just BEST Practice

Please let me know.
Thanks

Data retention usually isn't DLP specific.  Depending on the storage limitations you have, and the compliance standard you subscribe to, it can be a number of things.  PCI has standards that are different from other standards for data retention.  You might want to consult a company compliance officer to obtain data retention standards for each particular set of standards you are trying to comply with. 

Like Huxtable mentioned, it's really going to depend more on how big you want to let your database get.  Our database is over 2TB now with over 4 million incidents.  What we do is make a status of "trash" that the agents set the status to.  Then, when we get low on space the admins (me) run a report for status "trash" and summarize by month.  Then you can delete however many months back you want to go.  Depending on what version of DLP you are on, you might see better performance if you don't keep data too far back (ie.. lots of incidents) if they are not needed.  It's really up to the what the rules are for your company and the types of data that you need to keep.