
SANS ISC InfoSec Handlers Diary Blog



Security Log Retention

Published: 2005-03-22
Last Updated: 2005-03-22 23:19:13 UTC
by Robert Danford (Version: 1)
Log Retention Best Practices
It's a good idea to develop a log retention policy for your site. This should include what type of information is stored, for how long, whether it is kept online or offline, and whether the data is confidential. A good starting point would be to store compressed copies of your audit logs (syslog or event logs), firewall logs (network or host), and IDS logs (alert logs at a minimum; full packet trace retention would depend on the needs and requirements of your site) for at least 60 days.
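
An added example (not part of the original diary) that audits an archive listing against the starting point above: for audit, firewall and IDS logs it reports any day in the last 60 with no archive, and any archive stored uncompressed. The `<class>-YYYY-MM-DD.log.gz` naming convention, the function names and the sample listing are assumptions constructed for illustration.

```python
import re
from datetime import date, timedelta

# Assumed naming convention (not from the diary): <class>-YYYY-MM-DD.log[.gz]
NAME_RE = re.compile(r"^(?P<cls>[a-z]+)-(?P<day>\d{4}-\d{2}-\d{2})\.log(?P<gz>\.gz)?$")
LOG_CLASSES = ("audit", "firewall", "ids")  # the three log types the diary names
MIN_DAYS = 60                               # the diary's suggested minimum

def audit_retention(filenames, today, min_days=MIN_DAYS, classes=LOG_CLASSES):
    """Return ({class: [days with no archive]}, [uncompressed archive names])."""
    have = {c: set() for c in classes}
    uncompressed = []
    for name in filenames:
        m = NAME_RE.match(name)
        if not m or m["cls"] not in have:
            continue  # not an archive this policy covers
        try:
            day = date.fromisoformat(m["day"])
        except ValueError:
            continue  # impossible date such as 2005-02-30
        have[m["cls"]].add(day)
        if not m["gz"]:
            uncompressed.append(name)
    # Window: the min_days complete days before `today` (today's log is still open).
    window = [today - timedelta(days=n) for n in range(min_days, 0, -1)]
    missing = {c: [d for d in window if d not in have[c]] for c in classes}
    return missing, sorted(uncompressed)

def sample_listing(today):
    """Constructed sample: 60 days of archives with two deliberate defects."""
    names = []
    for n in range(1, 61):
        d = (today - timedelta(days=n)).isoformat()
        names += [f"audit-{d}.log.gz", f"firewall-{d}.log.gz", f"ids-{d}.log.gz"]
    names.remove(f"ids-{(today - timedelta(days=45)).isoformat()}.log.gz")  # gap
    i = names.index(f"firewall-{(today - timedelta(days=3)).isoformat()}.log.gz")
    names[i] = names[i][:-3]  # archive left uncompressed
    return names

if __name__ == "__main__":
    today = date(2005, 3, 22)
    missing, uncompressed = audit_retention(sample_listing(today), today)
    for cls, days in missing.items():
        print(cls, "missing:", [d.isoformat() for d in days] or "none")
    print("uncompressed:", uncompressed)
```

To run it against a real archive, pass `os.listdir()` of the archive directory as `filenames` and adjust `NAME_RE` to the site's own naming scheme.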

It is also important to have someone knowledgeable about the relevant laws, regulations, and agreements that pertain to your site participate in policy creation and audits.
Examples of
VISA CISP, SOX, GLBA, FFIEC, Basel II, HIPAA, NISPOM, NERC, Italian Personal Data Protection Code Legislative Decree no. 196 of 30

The Basel II Accord - Affects international banks. Effective 2006. Activity logs should be retained 3-7 years.

Federal Financial Institutions Examination Council (FFIEC) - Affects financial institutions governed by the Federal Reserve, FDIC, etc. Specifies historical retention.

Gramm-Leach-Bliley Act (GLBA) - Affects entities that participate in financial institution activities.

The Health Insurance Portability and Accountability Act (HIPAA) - Affects the healthcare industry. Logs should be retained up to 6 years.

North American Electric Reliability Council (NERC) - Affects electric power providers. Specifies log retention for 6 months and audit record retention for 3 years.

National Industrial Security Program Operating Manual (NISPOM) - Specifies log retention of at least one year.

The Sarbanes-Oxley Act (SOX) - Affects US corporations. Specifies retaining audit logs for up to seven years.

VISA Cardholder Information Security Program (CISP) - Specifies retaining audit logs for at least six months.