Control: The organisation retains audit records for [Assignment: organisation-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organisational information retention requirements.
Supplemental Guidance: Organisations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organisations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.
Audit Record Retention Control Enhancements:
AU-11 (1) Audit Record Retention - Long-term retrieval capability
The organisation employs [Assignment: organisation-defined measures] to ensure that long-term audit records generated by the information system can be retrieved.
Supplemental Guidance: Measures employed by organisations to help facilitate the retrieval of audit records include, for example, converting records to newer formats, retaining equipment capable of reading the records, and retaining necessary documentation to help organisational personnel understand how to interpret the records.