Educause Security Discussion mailing list archives

Re: Security Log Retention Policy Suggestions


From: "Powell, Andy" <ap16 () WILLIAMS EDU>
Date: Thu, 16 Jan 2020 15:46:07 -0500

Hi Zepu,

  Great question, with many different answers! The most annoying one is
likely: "retain for as long as you need" but to your point of rearview IR,
how long is that?

  PCI DSS typically expects a 90-day minimum. I was just reading the CrowdStrike
Services Cyber Front Lines Report (released this week, reflecting on 2019),
where they presented this:
[image: Screen Shot 2020-01-16 at 3.34.29 PM.png]

  I generally like this structure and would support this, assuming it fits
your business needs and regulatory requirements. In the same report, they
indicate average dwell time has increased from 85 days (2018) up to 95
days, so it's unlikely you'd need to go back 1-2 years for IR, but there
may be cases (like insider/fraud) where having longer history might be
helpful.

  --Andy

On Thu, Jan 16, 2020 at 3:25 PM Zepu Chen <zepu.chen () denison edu> wrote:

Good Afternoon,

As we are maturing our current security policy and guidelines here at
Denison, we ran into a discussion of determining the proper retention
policy for all the security logs (i.e. firewall logs, NAT logs, LDAP
logs...). Depending on the general practice, we may want to separate the
security log retention policy from the general data retention policy. What
are you using as a retention guideline for those types of logs? 1 year, 2
years, forever? Has anyone come across a situation where an incident
investigation required logs from 1 or 2 years ago? Any recommendations and
suggestions are welcome!

Thanks,


*Zepu Chen*
*Systems & Security Administrator*
Information Technology Services

Office: 740-587-5307
zepu.chen () denison edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community



-- 
Andrew F. Powell Jr., CISSP, CCSP (he/him/his)
Information Security Director
Williams College
22 Lab Campus Drive, Williamstown, MA, 01267
O - (413) 597 - 4340
C - (978) 502 - 0086


