BOR log guides
Iowa Board of Regents (BOR) IT security and network log retention guidelines
Purpose
A disparity exists between business records and technology-based event or activity records, often collectively referred to as "logs". There are well-defined schedules for retention of business records, for many purposes. Audit requirements for financial and tax records, business requirements for continuity of operations, legal requirements for contracts and intellectual property, and so on, are typically well understood. The form of a business record is usually irrelevant; retaining the content or matter is the key.
In the case of technology-based event or activity records, schedules for retention often do not exist. For log records, it's important to consider technological, regulatory, cost/benefit, legal, risk, and privacy aspects of this information, and make an informed decision of how long records need to be kept.
Scope
This guideline was developed for, and is intended to be used by, the State of Iowa Board of Regents public universities and special schools: Iowa State University, University of Northern Iowa, University of Iowa, Iowa School for the Deaf, and Iowa Braille and Sight Saving School.
Definitions
Log – A generic term for any information-technology-based event or activity record, including, but not limited to, access, network, and/or security information, involving status, successes, and failures. It may be difficult to categorize a set of records into a single type of log, as some logs have more than one purpose.
Access log – Records regarding authentication or authorization to an information technology resource. Examples of access logs include application (web, ERP), authentication, database, firewall, network access control (NAC), or system (syslog, event) logs, as well as physical access control logs, remote access logs, or other recorded user activity records.
Network log – Records about network communications, including the establishment, association, or resolution of a connection between two communicating technology devices. Examples of network logs include DHCP lease logs, DNS query logs, network flow data, address translation (NAT/PAT) logs, router/switch logs, wireless controller logs, and SMTP logs.
Security log – Records that pertain to policy violations, computer intrusions, malicious activity, misuse of resources, illegal or unsanctioned activity, privacy violations, and all other security records. Examples of security logs would include anti-virus logs, intrusion detection/prevention system records, incident records, and packet captures.
Guidelines
Access logs should be maintained and accessible for a minimum of 90 days, after which they may be deleted, with a maximum retention of one year. If there is a business need to retain access logs for more than one year, it should be handled as an exception.
Network logs should be maintained and accessible for a minimum of 30 days, after which they may be deleted, with a maximum retention of one year. If there is a business need to retain network logs for more than one year, it should be handled as an exception.
Security logs should be maintained in a usable format for a minimum of 60 days, and a maximum retention either of one year or forever, or as specified by law enforcement, or as needed for ongoing issues. In some cases, access or network logs may become security logs, such as in the course of investigating a security event, and will need to be handled and retained on a case-by-case basis.
Log types, representative examples, and retention recommendations:
Access logs
Information/resource types | Minimum and maximum retention recommendation | Notes |
Application logs | 90 days, 1 year | -- |
Authentication logs | 90 days, 1 year | AD, LDAP, RADIUS, Shibboleth, Kerberos, etc. |
Database logs | 90 days, 1 year | SQL, Oracle, etc. |
Email log-ins | 90 days, 1 year | Exchange, Sendmail, etc. |
Firewall logs | 90 days, 1 year | -- |
NAC logs | 90 days, 1 year | Inspector, etc. |
Physical security (key/video) logs | 90 days, 1 year | -- |
Syslogs and event logs from servers | 90 days, 1 year | -- |
VPN logs | 90 days, 1 year | -- |
Web server logs | 90 days, 1 year | Apache, IIS, Tomcat, etc. |
Network logs
Information/resource types | Minimum and maximum retention recommendation | Notes |
ARP cache data | 30 days, 1 year | -- |
Bandwidth statistics for internal/external links | 30 days, 1 year | may preserve summary/statistics forever |
DHCP lease logs | 30 days, 1 year | -- |
DNS query logs | 30 days, 1 year | -- |
Flow data | 30 days, 1 year | -- |
NAT logs | 30 days, 1 year | -- |
Router/switch logs | 30 days, 1 year | -- |
SMTP logs, aka border e-mail | 30 days, 1 year | -- |
Wireless controller logs | 30 days, 1 year | -- |
Security logs
Information/resource types | Minimum and maximum retention recommendation | Notes |
Anti-virus logs | 60 days, 1 year | -- |
IDS alert data | 60 days | may preserve summary/statistics forever |
Incident records | 60 days, forever | Security and help desk tickets |
Tcpdump/packet captures | 60 days | maximum as needed (ongoing incidents) |
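As an added illustration (not BOR tooling), the following script encodes the three retention windows above and classifies a held log set as "retain", "eligible" (may be deleted), or "over-retained" (past the one-year maximum without an approved exception). The `LogSet` fields, the sample entries and the audit date are constructed for the example; a hold for an ongoing incident or law enforcement request overrides deletion, as the security-log guideline requires.

```python
"""Retention-window audit for the BOR log categories (illustrative example, not BOR code)."""
from dataclasses import dataclass
from datetime import date

# Minimum and maximum retention in days, taken from the guideline tables.
# A maximum of None means "forever / as needed" (security logs).
RETENTION = {
    "access": (90, 365),
    "network": (30, 365),
    "security": (60, None),
}


@dataclass
class LogSet:
    name: str
    category: str          # "access", "network" or "security"
    oldest: date           # date of the oldest record still held
    hold: bool = False     # tied to an ongoing incident / law enforcement request
    exception: bool = False  # approved business-need exception for retention > 1 year


def retention_status(log: LogSet, today: date) -> str:
    """Return 'retain', 'eligible' (may delete) or 'over-retained'."""
    min_days, max_days = RETENTION[log.category]
    age = (today - log.oldest).days
    if log.hold or age < min_days:
        return "retain"          # below the minimum, or held for a security matter
    if max_days is None or age <= max_days or log.exception:
        return "eligible"        # within the window (or exception on file): may delete
    return "over-retained"       # past one year with no exception: delete or obtain one


def audit(logs, today: date) -> dict:
    """Map each log set name to its retention status on the given date."""
    return {log.name: retention_status(log, today) for log in logs}


# Constructed sample inventory and audit date for the example.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_LOGS = [
    LogSet("vpn", "access", date(2024, 4, 1)),                 # 61 days old
    LogSet("dhcp-lease", "network", date(2024, 4, 1)),         # 61 days old
    LogSet("web-server", "access", date(2023, 1, 1)),          # 517 days old
    LogSet("db-audit", "access", date(2023, 1, 1), exception=True),
    LogSet("ids-alerts", "security", date(2023, 1, 1)),
    LogSet("pcap-case-42", "security", date(2024, 5, 20), hold=True),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_LOGS, AUDIT_DATE).items():
        print(f"{name:14s} {status}")
```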