Log Retention Requirements
Does anyone have any kind of information pertaining to log retention requirements? Here is what I've captured so far...it would be great if anyone knows of more regulations/laws that I don't have listed here.
PCI -> 6 months
Sarbanes-Oxley -> 7 years
HIPAA -> 6 years
GLBA -> Protect customer's personal financial information by "actively monitoring" logs
Basel II -> 7 years
California Security Breach Information Act (SB 1386) -> Detect unauthorized access to personal data.
The time requirement you reference for HIPAA does not pertain to logs. The 6 year requirement relevant to the HIPAA Security Rule (specifically, 45 CFR 164) pertains to the retention of Security Policies and Procedures.
Here is the pertinent citation:
§ 164.316 Policies and procedures and
A covered entity must, in accordance with § 164.306:
(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this
(b)(1) Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
(2) Implementation specifications:
(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
(ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
(iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected
I'm also not sure I'd categorize regulatory requirements as "Best Practices".
I'd prefer to think of best practices as things we actually do to secure our enterprise rather than that which we do to satisfy the auditors.
With that in mind I've asked for a "Regulatory" section for the forum, as I believe discussions such as these are not only valuable but organizing them into a dedicated area would provide a helpful resource to all that frequent the board.
Where do you suggest we create the Regulatory board? Should it be in a new Category that contains framework discussions, e.g. ISO, as well? What category name would make sense for regulatory or should it be placed under the enVision category?
I think the "Regulatory" category should be a board unto itself with the various regulations as sub-categories.
To keep things organized you could add a "suggest a regulation" as a sub-category as well.
Newly created "Regulations and Frameworks":
I've only included the most common regulations (PCI, HIPAA, SOX) and frameworks (ISO) for now. We'll see how many posts people create and add more if needed.
I cannot see the board mentioned in DebbieU's post above from the main "Intelligence Community" board list. Also when I click the link in the previous post, I receive this message:
Sorry, you do not have sufficient privileges for that action.
Please click the Back button on your browser.
Is the Regulatory Board active? If so, may I request access?