I have not seen such a guideline. One reason for retaining raw firewall logs is to preserve evidence that might later be used to prosecute a criminal intruder or otherwise to explain to a legal authority what threats a system was exposed to. For a typical enterprise, a two-year retention period would seem reasonable, provided the enterprise is unaware that the logged data might be necessary for any particular prosecution, investigation or dispute. However, I cannot state a hard two-year rule (and I never give specific legal advice in this column), because there could be exceptions. An exception might apply, for example, to an e-commerce financial institution that has a strong need to prove several years after the fact that its system was sound.
For more info on this topic, visit these SearchSecurity resources:
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.