You might need to check with the Centralized Bank at your place. Over here, we are required to have a 7-year retention period.
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed]
[mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Kim Sassaman
Sent: Tuesday, December 19, 2006 2:54 PM
To: 'iso 27000'; bs7799 (at) securityfocus (dot) com [email concealed]
Subject: RE: Retention period for security logs
ISO does not specify an exact timeframe. The standard recommends that
retention of data should conform to the policy and standards that an
organization has published. In the process of creating these documents an
organization would have had to look at Local, State, Federal, and
International laws that govern the type of information that they manage.
Depending on geographic location in the world, different laws can cause
retention standards to be very different. Thus an organization should
create very specific standards around the governance of their data. Some
organizations have tackled this by creating a "catch-all" standard. Making
such a standard operational can cause an organization to incur very costly
technical controls. Also, the introduction of "heavy processes" can be
introduced by such an indefensible standard. Review what laws apply, ensure
also that a proper risk assessment has occurred of both the current
retention standard/process, and make sure that the legal and compliance
departments "sign off" on the decisions made. In a perfect world this
retention standard would be created by a team or committee comprised of
Legal, Compliance, and Information Security.
Thank you,
Kim Sassaman, CISSP
Managing Principal
602-791-4271
HotSkills INC.
www.hotskills-inc.com
Confidentiality Warning: This message and any attachments are only for the
use of the intended recipient, are confidential, and may be privileged. If
you are not the intended recipient, you are hereby notified that any review,
retransmission, or conversion to hard copy, copying, circulation, or other
usage of this message and any attachments is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return email, and delete this message and any attachments from your system.
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of iso 27000
Sent: Monday, December 18, 2006 9:40 PM
To: bs7799 (at) securityfocus (dot) com [email concealed]
Subject: Retention period for security logs
Hi
How long do the security logs need to be stored? Is it the same duration
for OS logs, application logs, router logs, firewall logs, etc.?
What are the best practice recommendations? What factors determine the
retention period?
I am trying to figure this out for a bank with operations in multiple
geographies.
Are there any specific recommendations by the ISO 27001 standard?
Any FFIEC guidelines on the same topic?
=====================================================================
Our Corporate email address has been changed from @genting.com.my to @genting.com
along with new naming standard. Please take note and email to me using the new email address in future.
Thank you.
=====================================================================
Buy Online and Save! Logon to www.genting.com.my
Sign up for a world of privileges, get your WorldCard at www.worldcard.com.my
=====================================================================
PLEASE NOTE: The information in this e-mail message is legally privileged and confidential
information intended only for the use of the individual(s) named above. If you, the reader of this
message, are not the intended recipient, you are hereby notified that you should not further
disseminate, distribute, or forward this e-mail message. In addition, if you have received this
e-mail in error, please immediately notify us by email to administrator (at) genting (dot) com [email concealed]
Thank you.