Security log retention exists at the intersection of regulatory mandate, operational necessity, and economic constraint. Every organization must retain certain logs for certain periods in certain forms, but the specifics vary by regulation, by industry, and by the organization's own risk profile.
This reference provides a practical mapping of retention requirements across major regulatory frameworks, clarifies what auditors and regulators actually expect (as opposed to what organizations assume), and identifies the gaps that most retention strategies leave unaddressed.
Security log retention: why requirements differ across frameworks
Retention requirements differ because regulatory frameworks have different objectives.
Financial services regulations (SEC, OCC, FFIEC, DORA) focus on auditability and incident reconstruction. They require that organizations can demonstrate what happened during a cybersecurity event, how they detected it, and what they did in response. Retention periods tend to be long, three to seven years, because the regulatory review cycle operates on multi-year timelines.
Healthcare regulations (HIPAA) focus on protecting patient data. Retention requirements center on access logs that demonstrate who accessed what information and when. The six-year retention minimum reflects the statute of limitations for enforcement actions.
Payment card regulations (PCI DSS) focus on protecting cardholder data environments. Retention requirements are narrower in scope (limited to the cardholder data environment) but specific about accessibility: at least three months immediately available, and 12 months in total.
General cybersecurity frameworks (NIST CSF, CIS Controls, ISO 27001) provide retention guidance rather than mandates. They recommend retaining logs sufficient to support detection, investigation, and post-incident analysis, with specific durations left to the organization's risk assessment.
The common thread across all frameworks is that retention is not storage alone. Regulators expect retained data to be accessible, searchable, and usable for its intended purpose, whether that is audit, investigation, or incident reconstruction.
Retention requirements by regulation: SEC, DORA, OCC, FFIEC, HIPAA, PCI DSS
SEC Cybersecurity Disclosure Rule (2023). Requires material cybersecurity incident disclosure within four business days. While no explicit telemetry retention period is mandated, the disclosure timeline requires that organizations have immediate access to the data needed to assess materiality and reconstruct incident timelines. Practical interpretation: retain all security-relevant telemetry in searchable form for a minimum of 12-24 months.
DORA (EU Digital Operational Resilience Act). Requires financial entities to maintain ICT-related incident records, audit trails, and supporting log data. Retention periods are defined in regulatory technical standards, with auditors expecting multi-year retention of security telemetry in accessible form. Practical interpretation: retain security and ICT operational logs for five or more years, with immediate searchability for the most recent 12-24 months.
OCC Heightened Standards (US Banking). Requires banks to maintain comprehensive audit trails for information security events. Examiners expect access to log data spanning multiple examination cycles (typically two to four years). Practical interpretation: retain security logs for a minimum of three years in searchable form.
FFIEC IT Examination Handbook. Recommends retention of system and security logs sufficient to support examination, incident investigation, and forensic analysis. While specific periods are not mandated, examination cycles and enforcement actions can span three to seven years.
HIPAA Security Rule. Requires retention of audit logs documenting access to electronic protected health information (ePHI) for a minimum of six years. Logs must be accessible for investigation and compliance review; a cold archive with multi-day restoration times may not satisfy the accessibility requirement.
PCI DSS 4.0. Requires a minimum of 12 months of audit trail retention for all in-scope systems, with the most recent three months immediately available for analysis. "Immediately available" means queryable in seconds to minutes, not restorable from cold storage.
What counts as a 'retained' log, and what auditors actually check
The distinction between "stored" and "retained" is where many organizations fall short.
Stored means the data exists somewhere: an S3 bucket, a cold archive, a backup tape. The data has not been deleted. It could, in theory, be accessed.
Retained, as auditors interpret the term, means the data is accessible, searchable, and usable for its stated purpose within a reasonable timeframe. Logs compressed in a cold archive that require 24-48 hours to restore and a custom query to search do not meet most auditors' definition of "retained" for security monitoring and incident response purposes.
Auditors check several things during retention reviews. They verify that the stated retention policy exists and is documented. They verify that the policy covers the required log types and retention periods. They test accessibility by requesting specific log data for specific time periods and evaluating how long it takes to produce. They check integrity by examining whether the data can be verified as unaltered since capture. And they review governance: who can access the retained data, and whether that access is itself logged.
Organizations that retain logs in hot, searchable storage with immutability guarantees and access audit trails pass these reviews with minimal friction. Organizations that piece together data from multiple systems, tiers, and archives face extended audit cycles and potential findings.
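An added example (not part of the original article, and not a Bloo feature) of the integrity check auditors apply: a SHA-256 hash chain over retained log batches, so a reviewer can confirm that no batch has been altered, dropped or reordered since capture. The sample log lines, the batch layout and the manifest fields are constructed for the illustration.

```python
"""Per-batch SHA-256 hash chain for verifying retained logs are unaltered.

Constructed example: the batches and the manifest layout are assumptions
made for this illustration, not a standard format or a product feature.
"""
import hashlib
import json
from typing import List, Tuple

# Constructed sample: three daily batches of identity telemetry, as raw bytes.
SAMPLE_BATCHES = [
    b"2024-03-01T08:02:11Z auth login user=alice src=10.0.4.7 result=success\n"
    b"2024-03-01T08:05:49Z mfa enroll user=alice method=totp\n",
    b"2024-03-02T13:17:03Z auth login user=bob src=10.0.9.2 result=failure\n"
    b"2024-03-02T13:17:40Z auth login user=bob src=10.0.9.2 result=success\n",
    b"2024-03-03T02:41:58Z priv escalate user=svc-backup role=DomainAdmin\n",
]

GENESIS = "0" * 64  # chain anchor preceding the first batch


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(batches: List[bytes]) -> List[dict]:
    """Produce one manifest entry per batch at capture time.

    entry["chain"] = sha256(previous chain value || sha256(batch)), so
    altering, deleting or reordering any batch changes every later entry.
    """
    manifest = []
    prev = GENESIS
    for idx, batch in enumerate(batches):
        content = _sha256_hex(batch)
        chain = _sha256_hex((prev + content).encode("ascii"))
        manifest.append(
            {"index": idx, "size": len(batch), "sha256": content, "chain": chain}
        )
        prev = chain
    return manifest


def verify(batches: List[bytes], manifest: List[dict]) -> Tuple[bool, int]:
    """Recompute the chain over the retained batches.

    Returns (True, -1) when every batch matches its manifest entry, otherwise
    (False, index) where index is the first batch that fails (a length
    mismatch reports the index at which the shorter side ends).
    """
    if len(batches) != len(manifest):
        return False, min(len(batches), len(manifest))
    prev = GENESIS
    for idx, (batch, entry) in enumerate(zip(batches, manifest)):
        content = _sha256_hex(batch)
        chain = _sha256_hex((prev + content).encode("ascii"))
        if content != entry["sha256"] or chain != entry["chain"]:
            return False, idx
        prev = chain
    return True, -1


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BATCHES)
    print(json.dumps(manifest, indent=2))
    print("untouched:", verify(SAMPLE_BATCHES, manifest))
    # Simulate an after-the-fact edit to one retained batch.
    tampered = list(SAMPLE_BATCHES)
    tampered[1] = tampered[1].replace(b"result=failure", b"result=success")
    print("tampered:", verify(tampered, manifest))
```

The manifest only proves anything if it is kept somewhere the log writer cannot rewrite: a separate write-once store, or signed at capture time, so that an actor able to alter the logs cannot also regenerate the chain.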
The cost reality: retaining logs in hot, searchable storage vs. cold archive
The economic case for cold archive is straightforward: S3 Glacier storage costs pennies per GB per month, while indexed, searchable storage costs dollars per GB per month. At enterprise telemetry volumes, the difference is orders of magnitude.
But the economic case is incomplete without considering the cost of using cold archive data. Restoration costs (per GB retrieved), compute costs for querying restored data, engineering time to build and maintain restoration pipelines, and the operational cost of delayed investigation during an active incident all reduce the economic advantage of cold storage.
For compliance-driven retention (data that is rarely queried, stored primarily to satisfy an audit requirement), cold archive can be acceptable. For operational retention (data that is regularly queried during investigations, threat hunts, and retrospective analysis), cold archive is operationally inadequate.
The ideal solution is hot retention at cold storage economics. This requires an architecture that achieves storage efficiency through compression and columnar formats rather than through reduced accessibility. Bloo's architecture achieves this by deploying inside the customer's cloud, using storage-optimized data formats, and pricing independently of data volume.
Common gaps: what most organizations are missing in their retention posture
Five gaps appear consistently in enterprise log retention assessments.
Gap 1: Identity telemetry is under-retained. Authentication events, MFA enrollment changes, privilege escalations, and directory modifications are often retained for only the SIEM's default window (30-90 days), despite being among the most valuable log types for both investigation and compliance.
Gap 2: Cloud audit logs are filtered before retention. AWS CloudTrail, Azure Activity Logs, and GCP Audit Logs generate high volumes. Many organizations filter these before SIEM ingestion to manage cost, and the filtered events are not retained elsewhere.
Gap 3: Retention periods differ by system rather than by policy. Each tool in the stack (SIEM, EDR, cloud platform) has its own default retention period. The result is an inconsistent retention posture where some log types are retained for 90 days and others for 365 days, without a coherent policy-driven framework.
Gap 4: "Retained" data is not actually searchable. Data in cold archive or unindexed data lakes technically satisfies a retention policy but fails the accessibility test during audit or incident response.
Gap 5: Retention is treated as a storage problem rather than a data architecture problem. The focus on where to put bytes misses the more important question of how to make retained data operationally useful: structured, enriched, and consumable by both humans and machines.
A reference matrix: regulation, log type, retention period, storage tier
Regulation | Log type | Retention period | Storage tier
SEC Cyber Disclosure | All security-relevant logs | 12-24 months (practical) | Hot (immediate access required)
DORA | ICT incident and audit trail | 5+ years | Hot for 12-24 months; warm acceptable for older data
OCC Heightened Standards | Security audit trails | 3-5 years | Hot for 12 months; warm acceptable beyond
FFIEC | System and security logs | 3-7 years | Hot for 12 months; warm beyond
HIPAA | ePHI access logs | 6 years | Hot recommended; warm minimum
PCI DSS 4.0 | In-scope audit trails | 12 months (3 months hot) | Hot for 3 months; warm for remaining 9
SOC 2 | Security monitoring logs | 12 months (typical) | Hot
NIST CSF | Per risk assessment | Per risk assessment | Hot recommended for active monitoring

This matrix represents a practical interpretation. Actual requirements should be validated with legal counsel and the applicable regulatory authority.
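An added example, not from the article or from Bloo, that turns the matrix above and the "Common gaps" list into a repeatable check: it compares a log-source inventory (months retained, months kept hot, and the tier holding the remainder) against per-regulation minimums and lists every shortfall, which surfaces Gap 1 (under-retained identity telemetry), Gap 3 (per-system defaults) and Gap 4 (cold data counted as retained). The policy rows are transcribed from the matrix taking the lower bound of each range; the log-type names, the inventory and the mapping of sources to log types are assumptions made for the example.

```python
"""Compare a log-source inventory against a retention policy matrix.

Constructed example: the policy rows are read off the reference matrix
(lower bound of each range, in months); the log-type labels, the inventory
and the source-to-log-type mapping are assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import List

# Higher rank means more immediately searchable.
TIER_RANK = {"hot": 2, "warm": 1, "cold": 0}


@dataclass(frozen=True)
class Policy:
    regulation: str
    log_type: str
    min_months: int   # total retention required
    hot_months: int   # portion that must be immediately searchable
    min_tier: str     # lowest acceptable tier for data older than hot_months


@dataclass(frozen=True)
class Source:
    name: str
    log_type: str
    retained_months: int
    hot_months: int   # months kept indexed and searchable
    tail_tier: str    # where data beyond hot_months lives


@dataclass(frozen=True)
class Finding:
    source: str
    regulation: str
    issue: str


POLICIES = [
    Policy("SEC Cyber Disclosure", "security", 12, 12, "hot"),
    Policy("DORA", "ict-audit", 60, 12, "warm"),
    Policy("OCC Heightened Standards", "security", 36, 12, "warm"),
    Policy("HIPAA", "ephi-access", 72, 0, "warm"),   # hot recommended, warm minimum
    Policy("PCI DSS 4.0", "cde-audit", 12, 3, "warm"),
]

# Constructed inventory reflecting the gaps described in the article.
INVENTORY = [
    Source("okta-idp", "security", 3, 3, "cold"),          # SIEM default window only
    Source("aws-cloudtrail", "security", 36, 6, "warm"),   # retained, but short hot window
    Source("ehr-access-log", "ephi-access", 72, 12, "cold"),  # "retained" in cold archive
    Source("pos-network-fw", "cde-audit", 12, 3, "warm"),
]


def evaluate(policies: List[Policy], sources: List[Source]) -> List[Finding]:
    """Return one Finding per shortfall; an empty list means the inventory meets policy."""
    findings: List[Finding] = []
    for pol in policies:
        matching = [s for s in sources if s.log_type == pol.log_type]
        if not matching:
            findings.append(Finding("(none)", pol.regulation,
                                    f"no retained source for log type '{pol.log_type}'"))
            continue
        for src in matching:
            if src.retained_months < pol.min_months:
                findings.append(Finding(src.name, pol.regulation,
                    f"retained {src.retained_months} months, need {pol.min_months}"))
            if src.hot_months < pol.hot_months:
                findings.append(Finding(src.name, pol.regulation,
                    f"hot window {src.hot_months} months, need {pol.hot_months}"))
            # Data inside the policy window but past the hot window must sit in
            # an acceptable tier; a cold archive does not count as retained.
            if (src.hot_months < pol.min_months
                    and TIER_RANK[src.tail_tier] < TIER_RANK[pol.min_tier]):
                findings.append(Finding(src.name, pol.regulation,
                    f"data beyond hot window sits in {src.tail_tier}, need at least {pol.min_tier}"))
    return findings


def sources_with_findings(findings: List[Finding]) -> List[str]:
    """Distinct source names that have at least one shortfall, sorted."""
    return sorted({f.source for f in findings})


if __name__ == "__main__":
    for f in evaluate(POLICIES, INVENTORY):
        print(f"{f.regulation:26} {f.source:16} {f.issue}")
```

Running it against a real inventory means replacing the constructed rows with each tool's actual retention and tier settings; a source missing from the inventory shows up as a "(none)" finding, which is how Gap 2 (filtered cloud audit logs) becomes visible.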
Bloo's architecture, full-fidelity, hot retention at predictable cost, satisfies the most stringent tier in this matrix by default. When all data is hot and searchable regardless of age, the retention architecture is compliance-ready from day one.