WithPCI.com

10.5.1 Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

10.5.1 Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.

Customized Approach Objective

Historical records of activity are available immediately to support incident response and are retained for at least 12 months.

Applicability Notes

Defined Approach Testing Procedures

10.5.1.a Examine documentation to verify that the following is defined:

  • Audit log retention policies.
  • Procedures for retaining audit log history for at least 12 months, with at least the most recent three months immediately available online.

10.5.1.b Examine configurations of audit log history, interview personnel and examine audit logs to verify that audit log history is retained for at least 12 months.

10.5.1.c Interview personnel and observe processes to verify that at least the most recent three months' audit log history is immediately available for analysis.

Purpose

Retaining historical audit logs for at least 12 months is necessary because compromises often go unnoticed for significant lengths of time. Having centrally stored log history allows investigators to better determine the length of time a potential breach was occurring, and the possible system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach.

Good Practice

Examples

Methods that allow logs to be immediately available include storing logs online, archiving logs, or restoring logs quickly from backups.

Purpose

Retain audit logs for at least 12 months, with at least three months immediately available.

Compliance Strategies

  • Centralized log storage
  • Automated retention policies

Typical Policies

  • Log Retention Policy

Common Pitfalls

  • Logs overwritten too soon
  • No offsite backups
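A self-check that an assessor or log owner can run against a log-source inventory to catch both pitfalls above (history overwritten before 12 months, and the last three months reachable only from cold backups), covering what 10.5.1.b and 10.5.1.c test. This is an added Python example, not WithPCI's or the PCI SSC's material; the LogSegment inventory format, the source names and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RETAIN_DAYS = 365   # 10.5.1: audit log history kept for at least 12 months
ONLINE_DAYS = 90    # the most recent three months immediately available

@dataclass(frozen=True)
class LogSegment:
    """One contiguous run of log data for a source (hypothetical inventory record)."""
    source: str
    start: date      # first day covered (inclusive)
    end: date        # last day covered (inclusive)
    online: bool     # True = searchable now; False = cold archive / backup only

def _days(segments, window_start, window_end):
    """Calendar days inside [window_start, window_end] covered by any segment."""
    covered = set()
    for seg in segments:
        day, last = max(seg.start, window_start), min(seg.end, window_end)
        while day <= last:
            covered.add(day)
            day += timedelta(days=1)
    return covered

def check_retention(segments, today):
    """Per source: (days missing from the 12-month window,
    days of the last 90 that are not immediately available online)."""
    retain_from = today - timedelta(days=RETAIN_DAYS - 1)
    online_from = today - timedelta(days=ONLINE_DAYS - 1)
    findings = {}
    for source in sorted({s.source for s in segments}):
        mine = [s for s in segments if s.source == source]
        retained = _days(mine, retain_from, today)
        online = _days([s for s in mine if s.online], online_from, today)
        findings[source] = (RETAIN_DAYS - len(retained), ONLINE_DAYS - len(online))
    return findings

# Constructed inventory, not real data: a firewall with hot + archive tiers, a web
# app whose rotation overwrote everything older than two months ("overwritten too
# soon"), and a database whose logs exist only in cold backups.
SAMPLE_SEGMENTS = [
    LogSegment("fw-edge", date(2024, 4, 1), date(2024, 6, 30), online=True),
    LogSegment("fw-edge", date(2023, 7, 1), date(2024, 3, 31), online=False),
    LogSegment("web-app", date(2024, 5, 1), date(2024, 6, 30), online=True),
    LogSegment("db", date(2023, 7, 1), date(2024, 6, 30), online=False),
]
SAMPLE_TODAY = date(2024, 6, 30)   # fixed "as of" date so the sample is reproducible

if __name__ == "__main__":
    for src, (gap12, gap3) in check_retention(SAMPLE_SEGMENTS, SAMPLE_TODAY).items():
        print(f"{src:8} {'OK' if gap12 == gap3 == 0 else 'FAIL'}: "
              f"{gap12} day(s) missing from 12-month window, {gap3} of last 90 not online")
```

Only fw-edge passes; web-app fails both checks and db fails the three-months-online check even though it retains a full year.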

Type

Technical/Process Control

Difficulty

Moderate

Key Risks

  • Loss of evidence for investigations

Recommendations

  • Use cloud-based or WORM storage for logs

Eligible SAQ

  • SAQ-A-EP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
