10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
10.7.a Examine security policies and procedures to verify that they define the following:
• Audit log retention policies.
• Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online.
10.7.b Interview personnel and examine audit logs to verify that audit logs are available for at least one year.
10.7.c Interview personnel and observe processes to verify that at least the last three months’ logs can be immediately restored for analysis.
Retaining logs for at least a year allows for the fact that it often takes a long time to notice that a compromise has occurred or is occurring, and gives investigators sufficient log history to better determine the duration of a potential breach and the system(s) potentially impacted. By having three months of logs immediately available, an entity can quickly identify and minimize the impact of a data breach. Storing logs only in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
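The two conditions above (twelve months retained in any tier, the most recent three months in an immediately available tier) can be verified against an inventory of log archives rather than by interview alone. The following is an added example, not part of the PCI DSS text: it walks a constructed inventory of archive segments (start day, end day, storage tier) and reports any date ranges inside the retention window that no segment covers, and any ranges inside the 90-day window that no online segment covers. The inventory entries, the `AS_OF` date and the tier names are assumptions for illustration; a real assessment would build the inventory from the SIEM, log server or backup catalogue.

```python
from datetime import date, timedelta

# Constructed sample inventories of audit-log archives (not from any real system).
# Each entry: (first_day_covered, last_day_covered, tier) where tier is
# "online" (immediately available for analysis) or "offline" (tape, cold storage).
AS_OF = date(2023, 12, 31)  # assessment date, assumed for the example

COMPLIANT_INVENTORY = [
    (date(2023, 1, 1), date(2023, 9, 30), "offline"),
    (date(2023, 10, 1), date(2023, 12, 31), "online"),
]

# March is missing entirely and online copies only start mid-November.
DEFICIENT_INVENTORY = [
    (date(2023, 1, 1), date(2023, 2, 28), "offline"),
    (date(2023, 4, 1), date(2023, 11, 14), "offline"),
    (date(2023, 11, 15), date(2023, 12, 31), "online"),
]


def coverage_gaps(segments, start, end):
    """Return [(gap_start, gap_end)] as ISO strings for days in [start, end]
    not covered by any (seg_start, seg_end) segment. Segments may overlap."""
    gaps = []
    cursor = start  # first day not yet known to be covered
    for seg_start, seg_end in sorted(segments):
        if seg_end < cursor:
            continue  # segment lies entirely before the uncovered region
        if seg_start > cursor:
            gap_end = min(seg_start - timedelta(days=1), end)
            gaps.append((cursor.isoformat(), gap_end.isoformat()))
        cursor = max(cursor, seg_end + timedelta(days=1))
        if cursor > end:
            break
    if cursor <= end:
        gaps.append((cursor.isoformat(), end.isoformat()))
    return gaps


def check_retention(inventory, as_of, retain_days=365, online_days=90):
    """Evaluate the 12-month retention and 3-month online-availability windows
    ending on as_of. Returns a dict of pass/fail flags and the uncovered ranges."""
    retain_start = as_of - timedelta(days=retain_days - 1)
    online_start = as_of - timedelta(days=online_days - 1)
    any_tier = [(s, e) for s, e, _ in inventory]
    online_only = [(s, e) for s, e, tier in inventory if tier == "online"]
    retention_gaps = coverage_gaps(any_tier, retain_start, as_of)
    online_gaps = coverage_gaps(online_only, online_start, as_of)
    return {
        "retention_ok": not retention_gaps,
        "retention_gaps": retention_gaps,
        "online_ok": not online_gaps,
        "online_gaps": online_gaps,
    }


def report(name, inventory, as_of=AS_OF):
    result = check_retention(inventory, as_of)
    print(f"{name}: retention {'OK' if result['retention_ok'] else 'FAIL'}, "
          f"online {'OK' if result['online_ok'] else 'FAIL'}")
    for label in ("retention_gaps", "online_gaps"):
        for gap_start, gap_end in result[label]:
            print(f"  {label}: {gap_start} to {gap_end}")
    return result


if __name__ == "__main__":
    report("compliant", COMPLIANT_INVENTORY)
    report("deficient", DEFICIENT_INVENTORY)
```

Gap ranges are reported as inclusive day ranges so that a finding maps directly to the dates an assessor would ask to see restored. The window arithmetic is calendar-day based; if an entity defines "three months" by calendar month rather than 90 days, adjust `online_days` accordingly, since the requirement text does not fix the unit.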