9. Retention policy
We recommend that you have a policy in place as to how long logs should be retained. Too long and there may be significant storage overheads and issues with data protection legislation, but too short and logs may expire before an incident can be investigated.
The Data Protection Act 1998 requires that personal data must not be kept for longer than it is needed, a somewhat vague statement! Retention for a reasonable period to prevent/investigate abuse is fine. Industry best current practice suggests that routine logs be kept for 3-6 months; longer if they are still required for a specific investigation. While the government is encouraging providers to keep logs for much longer for anti-terrorism reasons, such moves currently remain voluntary and affect only public networks; the University network and JANET are private. Whilst in most cases it will not be necessary to go back through logs more than a few days OxCERT's recommendation is that you store a minimum of 60 days' data.