Best Practices - Log Retentions for legal purposes
The ISC suggests that companies formulate policies on log file retention to meet various legal requirements such as Sarbanes-Oxley, HIPAA, and other needs. This could require storing seven years of detailed log file history (hopefully in a compressed format, with DLT tape backups kept in an organized manner).
It's a good idea to develop a log retention policy for your site. This should include what type of information is stored; for how long; online vs. offline; and whether the data is confidential. A good starting point would be to store compressed copies of your audit logs (syslog or event logs), firewall logs (network or host), and IDS logs (alert logs at a minimum; full packet trace retention would depend on the needs and requirements of your site) for at least 60 days.
A few of the legal requirements highlighted:
The Health Insurance Portability and Accountability Act (HIPAA) - Affects the healthcare industry. Logs should be retained for up to 6 years.
National Industrial Security Program Operating Manual (NISPOM) - Specifies log retention of at least one year.
The Sarbanes-Oxley Act (SOX) - Affects US corporations. Specifies retaining audit logs for up to seven years.
VISA Cardholder Information Security Program (CISP) - Specifies retaining audit logs for at least six months.
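As an added example (not from the ISC diary above), a small Python policy engine that turns the 60-day site floor and the regulation figures listed above into per-file retention actions (keep, compress, archive offline, delete or shred). The mapping of log classes to regulations, the 7-day compress and 60-day online thresholds, and the file inventory are constructed assumptions for illustration.

```python
"""Toy retention-policy engine for the log classes named above (audit, firewall,
IDS): per file, keep online, compress, move offline, or delete at expiry."""
from dataclasses import dataclass
from datetime import date
# Retention floors from the regulations listed above, in days (365 days/year).
REGULATION_DAYS = {"HIPAA": 6 * 365, "NISPOM": 365, "SOX": 7 * 365, "CISP": 182}
SITE_MINIMUM_DAYS = 60     # the 60-day floor suggested for audit/firewall/IDS logs
COMPRESS_AFTER_DAYS = 7    # assumption: one week uncompressed for quick searching
ONLINE_DAYS = 60           # assumption: older copies go to offline (tape) storage
AS_OF = date(2005, 3, 4)   # constructed "today" for the sample run
@dataclass(frozen=True)
class LogClass:
    name: str
    regulations: tuple     # regulations covering this log type (assumed mapping)
    confidential: bool     # confidential data is shredded, not just unlinked
    def retention_days(self) -> int:
        """Site floor, raised to the strictest applicable regulation."""
        return max([SITE_MINIMUM_DAYS] + [REGULATION_DAYS[r] for r in self.regulations])

def decide(log: LogClass, age_days: int, compressed: bool, offline: bool) -> str:
    """Map one file's age and storage state to the next retention action."""
    if age_days > log.retention_days():
        return "shred" if log.confidential else "delete"
    if age_days > ONLINE_DAYS and not offline:
        return "archive-offline"
    if age_days > COMPRESS_AFTER_DAYS and not compressed:
        return "compress"
    return "keep"

# Constructed classes; which regulation covers which log is a per-site decision.
CLASSES = {
    "audit": LogClass("audit", ("SOX",), confidential=False),
    "ehr-audit": LogClass("ehr-audit", ("HIPAA",), confidential=True),
    "firewall": LogClass("firewall", ("CISP",), confidential=False),
    "ids-alerts": LogClass("ids-alerts", (), confidential=False),
}

# Constructed inventory: (path, class, last-modified, compressed?, offline?)
SAMPLE_INVENTORY = [
    ("/var/log/messages", "audit", date(2005, 3, 1), False, False),
    ("/var/log/messages-20041201.gz", "audit", date(2004, 12, 1), True, False),
    ("/tape/ehr-audit-1998.gz", "ehr-audit", date(1998, 6, 1), True, True),
    ("/var/log/snort/alert-20050101", "ids-alerts", date(2005, 1, 1), False, False),
]

def plan(inventory, today: date = AS_OF) -> list:
    """Return (path, action) for each row, evaluated as of `today`."""
    return [(path, decide(CLASSES[cls], (today - mtime).days, comp, off))
            for path, cls, mtime, comp, off in inventory]
```

Running plan(SAMPLE_INVENTORY) shows the four outcomes in order: the fresh syslog is kept, the 93-day-old compressed copy is sent to tape, the expired HIPAA archive is shredded, and the 62-day-old IDS alert file with no regulatory hold is deleted.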