ArcSight Data Retention
Data Retention Requirements
Electronic data, just like hard copy data from years past, still needs to be retained for certain time periods relating to legal, business, or privacy requirements. Likewise, all information pertinent to a lawsuit must be retrieved and turned over to the authorities during litigation cases, regardless of the medium, such as paper, hard disk, or tape.
ArcSight incorporates logs from a variety of sources, many of which have different data retention requirements. These logs contain data that can assist in the event of an investigation. However, certain data is purged after a given time period to protect privacy, manage liability, and reduce potential investigation costs.
ArcSight Data Retention Options
ArcSight stores log data in "storage groups," each of which may have a data retention policy applied. ArcSight is currently configured to offer storage groups with 30-, 60-, 90-, 180-, and 365-day retention periods. The default retention period is 365 days; data sources must be specifically configured to store data in any other group.
When installing or updating ArcSight SmartConnectors (the software which collects and forwards logs to ArcSight), inform the information security team (is_team@tufts.edu) if the data belongs to any of the categories mentioned by the official Tufts Records Retention Schedule. The team will configure the SmartConnector to store data in the appropriate group. You may also request a different data retention period for other reasons, even if there is no policy requirement.
ArcSight Data Retention Guidelines
Based on the Records Retention Schedule, we've prepared the following guidelines for storing log data in ArcSight. Note that the retention policies may change, and only the official Records Retention Schedule page represents the current policy. If your log type is not listed below, contact information security to discuss your business needs for archived logs and any privacy or legal implications of retaining them.
- Faculty related logs: No guidelines
- Student records and activity related logs: No guidelines
- Alumni record and activity related logs: No guidelines
- Financial, Funding, and Transaction related logs: 365 days
- Staff records, activity and employment related logs: 365 days
- Research related logs: "Until research is complete." Use default of 365 days
- Administrative records: "Until no longer needed." Use default of 365 days
- External connection and traffic related logs: 365 days
- Internal Tufts device, connection, traffic and software usage logs: 90 days
- Security scan related logs: 30 days
Draft Data Retention Policy
Information Security is in the process of drafting a more specific data retention policy for the records involved in our daily work. See the attached draft for more details.