Retention periods for web logs

Question

I work for an ASP that provides banking solutions

• Card
• Services
• Payments
• ACH
• Online Banking
• And others

Back Story: Our company provides an "all in one" solution or parts thereof, we are constrained by regulatory agencies. One of the issues that we have run into, is retention. We are pulled in to investigate fraud, fraud-like transactions, etc. Specifically, I have been asked by my Manager about retention of weblogs. His question was centered around the FFIEC 2.0 Refresh. In talking with our Compliance Manager, we could not find anything specific to discuss data retention. Most of the information that I have seen at the FFIEC website is centered around business practices and not IT or Technology. However, when I originally composing this post, I did see a pretty relevant article related to this topic, but is for PCI. I also understand with my question, has very broad brushstrokes in the sense that I opened this regulatory question to not only the Financial sector but Healthcare (HIPPA) as well.

When composing this post, have seen the topic - Data Retention Laws for ISPs in North America as well as What's the best duration for storing e-mail? but this question more inline with specific regulatory agencies as listed below.

Needing to know if there are regulatory requirements for web server log retention for:

• SAS-70
• FFIEC
• SOX
• HIPPA

We capture login information and we have been advised we need to keep forensic data for at least 365 days and hourly data for at least 30 days.

Could not find anything to substantiate this on the FFIEC website, for example. I am sure there are guides that address this.

Other references related to this Payment Card Industry (PCI) Data Security Standard Page 28

Logging requirements for PCI for web applications

Any other ideas or suggestions?

Answer 1

Most legislation and regulations will not prescribe specific time frames for preserving logs. For example the National Archives Records Control Schedules (RCS) vary according to the document type and are adjustable by agency mission and organic legislation. If you can't find better, the FEDERAL RCS are an authoritative basis for specifying retention time frames. David Swifts's paper in the SANS Reading Room Successful SIEM and Log Management Strategies for Audit and Compliance provides detailed and thoughtful guidance.

A general principal of compliance is to have a written policy. Auditors then check to confirm that the written policy is followed. By defining and documenting our events of interest (EOI), and providing a written copy to auditors, we improve our overall compliance, and meet our requirement for a written policy. Then instead of being held to someone else's interpretation of the regulation, provided of course that we have a legitimate supportable set of EOI definitions, we will be measured to an agreed up on standard.

Be sure to include your auditors in this decision or face the possibility of an adverse finding later. If they decline to participate, document that in writing; don't count on auditors "remembering" later. Verbal agreements are only worth the paper they are written on. Also carefully document the decision process (meetings, references, participants, and policy statements) to head off negative findings years later. The three critical inputs for preparing documentation for audits are: actions, actors and artifacts.

Note that records pursuant to the legal prosecution of a bad actor will extend their retention requirements for years beyond the conviction of the perpetrators, even to include the term of their sentence should appeal and parole hearings ensure.

The Appendix 2 of the RSA Best Practices in Log Management for Security and Compliance cited by schroeder has a comprehensive list of events and compliance expectations.

Answer 2

SOX has a 7-year requirement.

This SANS Whitepaper (2010) might not be authoritative, but it highlights the matrix of best-practices between various requirements.