Iowa Board of Regents IT Security and Network Log Retention Guidelines

Purpose

A disparity exists between business records and technology-based event or activity records, often collectively referred as "logs". There are well-defined schedules for retention of business records, for many purposes. Audit requirements for financial and tax records, business requirements for continuity of operations, legal requirements for contracts and intellectual property, and so on, are typically well understood. The form of a business record is usually irrelevant; retaining the content or matter is the key.

In the case of technology-based event or activity records, schedules for retention often do not exist. For log records, it's important to consider technological, regulatory, cost/benefit, legal, risk, and privacy aspects of this information, and make an informed decision of how long records need to be kept.

Scope

This guideline was developed for, and is intended to be used by, the State of Iowa Board of Regents public universities and special schools: Iowa State University, University of Northern Iowa, University of Iowa, Iowa School for the Deaf, and Iowa Braille and Sight Saving School.

Definitions

Log – A generic term for any information technology based event or activity record, including but not limited to, access, network, and/or security information; involving status, successes, and failures. It may be difficult to categorize a set of records into a single type of log, as some logs have more than one purpose.

Access Log – Records regarding authentication or authorization to an information technology resource. Examples of access logs include application (web, ERP), authentication, database, firewall, network access control (NAC), or system (syslog, event) logs, as well as physical access control logs, remote access logs, or other recorded user activity records.

Network Log – Records about network communications, including the establishment, association, or resolution, of a connection between two communicating technology devices. Examples of network logs include dhcp lease logs, DNS query logs, network flow data, address translation (NAT/PAT) logs, router/switch logs, wireless controller logs, and SMTP logs.

Security Log – Records that pertain to policy violations, computer intrusions, malicious activity, misuse of resources, illegal or unsanctioned activity, privacy violations, and all other security records. Examples of security logs would include anti-virus logs, intrusion detection/prevention system records, incident records, and packet captures.

Guidelines

Access logs should be maintained and accessible for a minimum of 90 days, after which they may be deleted, with a maximum retention of one year. If there is a business need to retain access logs for more than one year, it should be handled as an exception.

Network logs should be maintained and accessible for a minimum of 30 days, after which they may be deleted, with a maximum retention of one year. If there is a business need to retain network logs for more than one year, it should be handled as an exception.

Security logs should be maintained in a useable format for a minimum of 60 days, and a maximum retention either of one year or forever, or as specified by law enforcement, or as needed for ongoing issues. In some cases, access or network logs may become security logs, such as in the course of investigating a security event, and will need to be handled and retained on a case basis.

Log Types, Representative Examples, and Retention Recommendations:
 

Access Logs

Information/ Resource Types

Minimum and Maximum Retention Recommendation

Notes

Application logs 90 days, 1 year --
Authentication logs 90 days, 1 year AD, LDAP, Radius, Shibboleth, Kerberos, etc.
Database logs 90 days, 1 year SQL, Oracle etc.
Email Logins 90 days, 1 year Exchange, Sendmail, etc.
Firewall logs 90 days, 1 year --
NAC logs 90 days, 1 year Inspector, etc.
Physical security (key/video)logs 90 days, 1 year --
Syslogs, event logs, from servers 90 days, 1 year --
VPN logs 90 days, 1 year --
Web server logs 90 days, 1 year Apache, IIS, Tomcat etc.

Network Logs

Information/ Resource Types

Minimum and Maximum Retention Recommendation

Notes

ARP cache date 30 days, 1 year --
Bandwidth Statistics for internal/external links 30 days, 1 year may preserve summary/statistics forever
DHCP lease logs 30 days, 1 year --
DNS query logs 30 days, 1 year --
Flow data 30 days, 1 year --
NAT logs 30 days, 1 year --
Router/switch logs 30 days, 1 year --
SMTP logs, aka Boarder e-mail 30 days, 1 year --
Wireless controller logs 30 days, 1 year --

Security Logs

Information/ Resource Types Minimum and Maximum Retention Recommendation Notes
Anti-virus logs 60 days, 1 year --
IDS Alert Data 60 days may preserve summary/statistics forever
Incident records 60 days, forever Security and Help Desk tickets
Tcpdump/packet captures 60 days maximum as needed (ongoing incidents)