Educause Security Discussion mailing list archives
Re: Security Log Retention Policy Suggestions
From: "Powell, Andy" <ap16 () WILLIAMS EDU>
Date: Thu, 16 Jan 2020 15:46:07 -0500
Hi Zepu,

Great question, with many different answers! The most annoying one is likely: "retain for as long as you need" but to your point of rearview IR, how long is that? PCI DSS typically expects 90 day minimum.

I was just reading Crowdstrike Services Cyber Front Lines Report (released this week, reflecting on 2019) where they presented this:

[image omitted: screenshot from the report]

I generally like this structure and would support this, assuming it fits your business needs and regulatory requirements. In the same report, they indicate average dwell time has increased from 85 days (2018) up to 95 days, so it's unlikely you'd need to go back 1-2 years for IR, but there may be cases (like insider/fraud) where having longer history might be helpful.

--Andy

On Thu, Jan 16, 2020 at 3:25 PM Zepu Chen <zepu.chen () denison edu> wrote:
> Good Afternoon,
>
> As we are maturing our current security policy and guidelines here at Denison, we ran into a discussion about determining the proper retention policy for all the security logs (i.e. firewall logs, NATing logs, LDAP logs, ...). Depending on general practice, we may want to separate the security log retention policy from the general data retention policy. What are you using as a retention guideline for those types of logs? 1 year, 2 years, forever? Has anyone come across a situation where an incident investigation required logs from 1 or 2 years ago? Any recommendations and suggestions are welcome!
>
> Thanks,
>
> Zepu Chen
> Systems & Security Administrator
> Information Technology Services
> Denison University <https://denison.edu>
> Office: 740-587-5307
> zepu.chen () denison edu
>
> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
--
Andrew F. Powell Jr., CISSP, CCSP (he/him/his)
Information Security Director
Williams College
22 Lab Campus Drive, Williamstown, MA, 01267
O - (413) 597 - 4340
C - (978) 502 - 0086
Current thread:
- Security Log Retention Policy Suggestions Zepu Chen (Jan 16)
- Re: Security Log Retention Policy Suggestions Powell, Andy (Jan 16)