1. Purpose
Define retention periods for audit logs and related data to support security investigation, compliance, and legal requirements at [ORGANIZATION].
2. Scope
This policy applies to all audit logs, security event data, and related metadata generated by [ORGANIZATION]'s information systems.
3. Policy
3.1 Retention Periods
The following minimum log retention periods shall apply:
| Log Type | Online (Searchable) | Archive (Retrievable) | Total Retention |
|---|---|---|---|
| Security event logs | [CUSTOMIZE: 90 days] | [CUSTOMIZE: 1 year] | [CUSTOMIZE: 1 year] |
| Authentication/access logs | [CUSTOMIZE: 90 days] | [CUSTOMIZE: 1 year] | [CUSTOMIZE: 1 year] |
| Firewall/IDS/IPS logs | [CUSTOMIZE: 90 days] | [CUSTOMIZE: 1 year] | [CUSTOMIZE: 1 year] |
| Application audit logs | [CUSTOMIZE: 90 days] | [CUSTOMIZE: 1 year] | [CUSTOMIZE: 1 year] |
| Database audit logs | [CUSTOMIZE: 90 days] | [CUSTOMIZE: 1 year] | [CUSTOMIZE: 1 year] |
| DNS query logs | [CUSTOMIZE: 30 days] | [CUSTOMIZE: 6 months] | [CUSTOMIZE: 6 months] |
| DHCP logs | [CUSTOMIZE: 30 days] | [CUSTOMIZE: 6 months] | [CUSTOMIZE: 6 months] |
| Administrative action logs | [CUSTOMIZE: 1 year] | [CUSTOMIZE: 3 years] | [CUSTOMIZE: 3 years] |
| Incident-related logs | [CUSTOMIZE: Duration of investigation + 3 years] | N/A | [CUSTOMIZE: Investigation + 3 years] |
3.2 Retention Management
Log data exceeding retention periods shall be securely purged within [CUSTOMIZE: 30/60] days unless subject to a legal hold or active investigation.
Archived logs shall remain retrievable within [CUSTOMIZE: 24/48] hours for investigation purposes.
Log retention infrastructure shall be sized to accommodate projected growth, with capacity reviews performed [CUSTOMIZE: quarterly/annually].
4. Compliance
Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.
Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.
5. Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.
[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.
6. Review and Revision
This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.
All revisions shall be documented with version number, date, author, and description of changes.
Policy Approval
| Approved By | Title | Date |
|---|---|---|
| | | |
Document Control