
Saving raw data from firewall logs

Is there a guideline for how long a company needs to retain the raw data firewall logs to preserve 'chain of custody'?
I have not seen such a guideline. One reason for retaining raw firewall logs is to preserve evidence that might later be used to prosecute a criminal intruder or otherwise to explain to a legal authority what threats a system was exposed to. For a typical enterprise, a two-year retention period would seem reasonable, provided the enterprise is unaware that the logged data might be necessary for any particular prosecution, investigation or dispute. However, I cannot state a hard two-year rule (and I never give specific legal advice in this column), because there could be exceptions. An exception might apply, for example, to an e-commerce financial institution that has a strong need to prove several years after the fact that its system was sound.
For more info on this topic, visit these SearchSecurity resources:
  • Ask the Expert: Examining firewall logs for evidence of intrusion
  • Ask the Expert: The difference between a two-tier and a three-tier firewall

This was last published in September 2004.
