Retention of Computer Network and Systems Traffic Logs

Information technology (IT) departments maintain logs of traffic on networks and systems. According to the National Institute of Standards and Technology’s Guide to Computer Security Log Management, “[l]ogs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network.” The size of these network and systems traffic logs expands rapidly, claiming precious storage space. Security Week noted that “the average 5,000 person enterprise can expect their [firewall/intrusion prevention system/Secure Web Gateway] to generate over 10 gigabytes of data each day.”

IT departments can use our records retention schedules to manage retention of traffic logs. On the County Management Schedule and the Municipal Schedule, network and systems traffic logs fall under Computer and Network Usage Records:

Records documenting usage of electronic devices and networks. May include, but is not limited to, login files, system usage files, individual program usage files and records of use of the internet by employees.

The disposition instructions are:

Destroy in office when administrative value ends.
Agency Policy: Destroy in office after _________________

On this blank line, IT departments may define their own minimum retention period for network and systems traffic logs and other computer and network usage records. (The local customization of retention periods for administrative value is explained here.) For example, an IT department may set a short minimum retention period, such as 1 month, in order to free up valuable storage space.

However, some network traffic logs capture information related to computer and network security events. According to the Guide to Computer Security Log Management, “These computer security logs are generated by many sources, including security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; operating systems on servers, workstations, and networking equipment; and applications.”

Intruder scanning logs and other logs of events flagged as possible network and systems security threats fall under Network and System Security Records in the County Management Schedule and the Municipal Schedule:

Records documenting the security of network and system. May include, but is not limited to, records concerning firewalls, anti-virus programs, and intruder scanning logs.

The disposition instructions for network security logs are to destroy in office after 3 years.*

For state agencies, the disposition instructions in the General Schedule for State Agency Records are different. Item G119, Computer and Network Usage File, covers network and systems usage logs and says “Destroy in office after 1 year.” However, logs related to security are covered by Item G120, Computer Security File, and, as on the local schedules cited above, may be destroyed in office after 3 years.

While IT departments may set short retention periods for the raw network traffic logs and thereby relieve storage burdens, we require that logs of security-related events be retained for a longer period of 3 years. Why? Because effective analysis of log data and the development and implementation of a response to a computer security event take time. If, down the road, the security incident results in litigation, attorneys and courts may request these logs as evidence.

In recognition of this, an asterisk in the disposition instructions designates that network and system security records are commonly audited, litigated, or subject to other official actions. In this event, IT departments must suspend the destruction of any logs that are, or may be reasonably expected to become, involved in an audit, legal, or other official action.
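The two-tier retention described above (a short, agency-chosen minimum for raw usage logs; 3 years for security-related events; destruction suspended while a record is under an audit or legal hold) can be put into working code. The following is an added example, not code from the schedules or from the archives; the 30-day usage period, the keyword-based classifier, the legal-hold representation, and the sample log entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods. The 3-year security period is the one given on this page;
# the 30-day usage period is an ASSUMED agency-policy value for the blank line in
# the Computer and Network Usage Records item.
USAGE_RETENTION = timedelta(days=30)
SECURITY_RETENTION = timedelta(days=3 * 365)

# HYPOTHETICAL markers used to recognize a security-related entry. A real
# deployment would key on the producing product (IDS/IPS, antivirus, firewall
# deny rules) rather than on free-text keywords.
SECURITY_MARKERS = ("intrusion", "alert", "deny", "blocked", "malware", "quarantine")


@dataclass(frozen=True)
class LogRecord:
    logged_on: date
    source: str      # device or system that produced the entry
    message: str


@dataclass(frozen=True)
class LegalHold:
    """Suspends destruction of records from `source` logged within [start, end]."""
    source: str
    start: date
    end: date

    def covers(self, rec: LogRecord) -> bool:
        return rec.source == self.source and self.start <= rec.logged_on <= self.end


def is_security_record(rec: LogRecord) -> bool:
    """Network and System Security Record (3 years) vs. plain usage record."""
    text = rec.message.lower()
    return any(marker in text for marker in SECURITY_MARKERS)


def destroy_eligible_on(rec: LogRecord) -> date:
    """First date on which the schedule permits destruction of this record."""
    period = SECURITY_RETENTION if is_security_record(rec) else USAGE_RETENTION
    return rec.logged_on + period


def disposition(rec: LogRecord, today: date, holds) -> str:
    """Return 'hold', 'retain', or 'destroy' for one record.

    A hold is checked first: a record that is, or may reasonably become,
    involved in an audit or legal action must not be destroyed even if its
    retention period has run out.
    """
    if any(h.covers(rec) for h in holds):
        return "hold"
    if today < destroy_eligible_on(rec):
        return "retain"
    return "destroy"


def apply_schedule(records, today: date, holds):
    """Evaluate every record; returns a list of (record, disposition) pairs."""
    return [(rec, disposition(rec, today, holds)) for rec in records]


# Constructed sample input (not real log data).
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    LogRecord(date(2024, 4, 1), "fw01", "ALLOW tcp 10.0.0.5:51234 -> 93.184.216.34:443"),
    LogRecord(date(2024, 4, 1), "fw01", "DENY tcp 198.51.100.7:4444 -> 10.0.0.5:22 blocked by policy"),
    LogRecord(date(2021, 2, 10), "ids01", "INTRUSION alert: signature 2001219 from 203.0.113.9"),
    LogRecord(date(2024, 5, 20), "ws42", "user jdoe logged in"),
]
# Hypothetical hold: an incident on ids01 in early 2021 is now in litigation.
HOLDS = [LegalHold("ids01", date(2021, 1, 1), date(2021, 3, 31))]

if __name__ == "__main__":
    for rec, action in apply_schedule(SAMPLE_RECORDS, TODAY, HOLDS):
        kind = "security" if is_security_record(rec) else "usage"
        print(f"{rec.logged_on} {rec.source:6} {kind:8} eligible {destroy_eligible_on(rec)} -> {action}")
```

Run as written, the allowed firewall connection from April is past its 30-day usage period and is marked for destruction, the firewall deny and the IDS alert are security records, and the 2021 IDS alert, although its 3 years have elapsed, is marked "hold" rather than "destroy" because a hold covers that source and date range. Removing the hold would release it for destruction, which is the behaviour the asterisk in the schedule is meant to prevent while an action is pending.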

The National Institute of Standards and Technology’s Guide says that IT departments face a challenge: “effectively balancing a limited amount of log management resources with an ever-increasing supply of log data.” IT departments can use our records retention schedules to manage retention and destruction of network and system logs, and meet this challenge.

*For counties that do not have integrated central IT departments, the IT department must use the retention schedule for its department, such as the County Health Department Schedule or the County Sheriff’s Office Schedule. These schedules may have older and differing disposition instructions for network and systems traffic logs than those described above. Please contact a records management analyst if you have any questions.