- For troubleshooting issues.
- For investigating security incidents.
- For use in employee disciplinary procedures.
- As a formal corporate record.
- For use in a court of law.
In general, the handling requirements get more stringent as you go down the above list. So, let's go through the list and review how to manage logs in these scenarios:
For troubleshooting issues: Keep the logs for a couple of weeks, retaining logs if there are particular issues to look at.
For investigating security incidents: Again, keep the logs for a short period (a month say). A key problem to sort out, though, is consistent time stamping to ensure that logs from different devices match up.
For use in employee disciplinary procedures: Keep the logs for about six months. The logs should be reasonably protected, (e.g only certain persons being allowed access) archived off periodically and stored appropriately.
As a formal corporate record: Normal advice here is to keep the logs for six years. Again, logs should be reasonably protected as above, archived off periodically and stored appropriately. The ability to read the archives should be checked.
For use in a court of law: You need to meet the evidential requirements. This can be done physically and procedurally, but will end up with your computers bagged up and tagged, or hard disks imaged etc. Any computer system that needs to routinely maintain records to this level of evidence really needs the right mechanisms and controls designed in from the start.
Related Q&A from Neil O'Connor
As more organisations integrate business-critical functions with Web services, the security of those services becomes of greater importance. But are ...continue reading
In this expert response, Neil O'Connor explains how to get the most out of the gap analysis process in your organization.continue reading
There are some best practices to follow when it comes to USB drive security. Learn what they are and how to protect your company from USB security ...continue reading