
Log Backup Retention Policy

1.0 Purpose

This policy establishes guidelines for managing log data generated by Wheaton College information and technology resources and the backups of those resources. Logs and backups serve many purposes, such as troubleshooting operational problems, optimizing system and network performance, investigating policy violations and malicious activity, and protecting against accidental or deliberate loss or corruption of data. Logs can also be useful for establishing baselines and identifying operational trends and long-term problems. Effective log and backup management practices are therefore an essential part of a comprehensive Information Security Program, as well as meeting legal and regulatory requirements (e.g., PCI DSS, GLBA, and NIST 800-171), protecting people’s privacy, and effectively managing the operations of systems, applications, and databases.

2.0 Scope

This policy applies to all technology and information resources owned, licensed, or managed by Wheaton College, and the individuals who manage those systems. Wheaton resources hosted by third parties, such as cloud-hosted applications, should adhere to this policy where feasible.

3.0 Definitions

Log – A record of an event or activity in an information technology system (e.g., servers, applications, or databases). These include but are not limited to access, network, and/or security events reflecting status, successes, and failures.

Access Log – Records regarding authentication or authorization to an information technology resource. Examples of systems that record authentication and authorization events include applications (web, Banner, Schoology), authentication services (Active Directory, CAS, Kerberos, LDAP, RADIUS, TACACS+), email (authentication/access only), databases, servers (logins), network devices (logins), firewalls, VPN service, network access control (Bradford), physical access control systems, remote access services, or other records of user activity.

Network Log - Records about network communications, including the establishment, association, or resolution of a connection between two communicating technology devices. Examples of network logs include DHCP lease logs, DNS query logs, phone call records, firewall traffic logs, network flow data, address translation (NAT/PAT) logs, router/switch logs (alarms, utilization, etc.), wireless controller logs, and email SMTP logs.

Security Log - Records that pertain to policy violations, computer intrusions, malicious activity, misuse of resources, illegal or unsanctioned activity, privacy violations, and all other security records. Examples of security logs would include anti-virus logs, intrusion detection/prevention system records, firewall threat/URL logs, incident records, and packet captures.

4.0 Policy

  1. All logs and backups must adhere to the retention schedule defined in section 5.0 below. Logs and backups older than the retention schedule must not be retained unless otherwise mandated by law, regulation, or contractual obligation.
  2. Security and access logs for production enterprise systems should be sent to a Security Information and Event Management (SIEM) system for correlation, reporting, forensic analysis, simplified searching, storage, and archiving. If a development or test environment contains actual Restricted or Private data, or is exposed to untrusted networks such as the Internet, the enterprise application development and test systems should also send logs to the SIEM system.
  3. Logs and backups should be secured according to the classification of the data contained therein.
  4. Log sources should synchronize the system clock to a common, authorized time source, preferably ntp.wheaton.edu.
  5. Logs and backups should be encrypted in transit and at rest where feasible.
  6. Logs should be monitored and analyzed regularly to detect any anomalies and ensure all log sources are generating logs properly.
  7. When logs indicate a likely information security incident, Wheaton’s Information Security Incident Response Plan must be followed to ensure the incident is addressed appropriately.

5.0 Retention Schedule

Logs

Log Type          Retention
Access Logs       90 days
Security Logs     90 days
Network Logs      30 days

Backups – All backups should be retained for a maximum of 90 days, with the following exceptions.

  • Backups of systems in Wheaton’s credit cardholder data environment must be retained for one year, per requirement 10.7 of the Payment Card Industry Data Security Standard (PCI DSS)
  • Backups taken in response to a litigation hold request must be retained in a secure location until released for disposal by the Director of Legal Affairs
  • Since backups, which may include log data identified in section 5.1 above, are retained for 90 days, this effectively extends the retention of those logs to a maximum of 180 days.

Destruction – When log or backup data exceeds its retention period, it must be securely destroyed in a manner that renders it unreadable. For tape backups, overwriting the tape with a new backup is acceptable.

6.0 Roles and Responsibilities

  • The Director of Infrastructure and Security in Academic and Institutional Technology (AIT) is responsible for management oversight of this policy, including reviewing the policy at least annually and updating it accordingly.
  • The Infrastructure and Security Team in AIT is responsible for maintaining the centralized SIEM service that collects and correlates logs, and managing system backups.
  • Service and system administrators are responsible for ensuring proper operation of logging services and compliance with this policy for the services and systems they manage.

7.0 Enforcement

Violators of this policy may be denied access to organizational resources and may be subject to penalties and disciplinary action both within and outside of Wheaton College. The organization may temporarily suspend or block access to an account or information systems prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the organization or other technology resources or to protect Wheaton College from liability.

Violators are subject to disciplinary rules described in the Student, Employee, or Faculty Handbooks and any other applicable policies and procedures.

8.0 Exceptions

Exceptions to the policy may be granted by the Chief Information Officer, or designee. All exceptions must be reviewed annually.

9.0 References

10.0 Effective Date

This policy is effective starting December 1, 2018.

11.0 Revision History

Version   Date         Author        Revisions
1.00      10/26/2018   W. Woodward   Original
2.00      11/19/2018   W. Woodward   Reviewed by AAAC