Log Retention Requirements
Does anyone have any kind of information pertaining to log retention requirements? Here is what I've captured so far... it would be great if anyone knows of more regulations/laws that I don't have listed here.
PCI -> 6 months
Sarbanes-Oxley -> 7 years
HIPAA -> 6 years
GLBA -> Protect customer's personal financial information by "actively monitoring" logs
Basel II -> 7 years
California Security Breach Information Act (SB 1386) -> Detect unauthorized access to personal data.
The time requirement you reference for HIPAA does not pertain to logs. The 6 year requirement relevant to the HIPAA Security Rule (specifically, 45 CFR 164) pertains to the retention of Security Policies and Procedures.
Here is the pertinent citation:
§ 164.316 Policies and procedures and documentation requirements.
A covered entity must, in accordance with § 164.306:
(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
(b)(1) Standard: Documentation. Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
(2) Implementation specifications:
documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
(ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
(iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
-Scott
I'm also not sure I'd categorize regulatory requirements as "Best Practices".
I'd prefer to think of best practices as things we actually do to secure our enterprise rather than that which we do to satisfy the auditors.
With that in mind I've asked for a "Regulatory" section for the forum, as I believe discussions such as these are not only valuable but organizing them into a dedicated area would provide a helpful resource to all that frequent the board.
-Scott
Scott,
Where do you suggest we create the Regulatory board? Should it be in a new Category that contains framework discussions, e.g. ISO, as well? What category name would make sense for regulatory or should it be placed under the enVision category?
Thanks,
Debbie
I think the "Regulatory" category should be a board unto itself with the various regulations as sub-categories.
To keep things organized you could add a "suggest a regulation" as a sub-category as well.
-Scott
Actually, for PCI the requirement is a minimum of 3 months of online retention of log data and 1 year of offline data.
- Mark Nadir
Newly created "Regulations and Frameworks":
https://community.emc.com/community/envision
I've only included the most common regulations (PCI, HIPAA, SOX) and frameworks (ISO) for now. We'll see how many posts people create and add more if needed.
Happy posting!
I cannot see the board mentioned in DebbieU's post above from the main "Intelligence Community" board list. Also when I click the link in the previous post, I receive this message:
Sorry, you do not have sufficient privileges for that action.
Please click the Back button on your browser.
Is the Regulatory Board active? If so, may I request access?
Hello - Please grant access to the community!!
Thanks,
Sanjay.
Hello,
It appears that board is no longer active. You should have access to every active board on the community.
Thanks!
