What is a log retention policy and why is it critical for incident detection and forensics?

• A. Policy specifying how long logs are kept and how they are protected; critical for investigations, audits, and compliance.
• B. Policy describing how to rotate encryption keys every 90 days.
• C. A plan for recruiting new security staff.
• D. A guideline for archiving old project documentation.

Answer: (B)

A log retention policy defines how long security and system logs are kept, where they’re stored, who can access them, and how they’re protected and eventually disposed. This matters for incident detection because you need a sufficient window of historical data from multiple sources to spot anomalies, correlate events, and establish a timeline of what happened. Forensics relies on reliable, tamper-evident logs with accurate timestamps to reconstruct the incident, determine scope, and support investigations or regulatory requirements. A solid policy sets retention periods that balance business needs and legal obligations, centralizes log storage, uses immutable or tamper-evident storage, enforces access controls, and includes measures to verify integrity (like checksums or hashes). It also addresses data privacy, backup and recovery, and clear procedures for archiving or purging data when appropriate. Without such a policy, important evidence can be lost or untraceable, and audits or investigations may be incomplete. A policy about rotating encryption keys focuses on encryption hygiene, not on how long logs are kept.