John,

Your thinking matches mine on this. Save all logs for six years? No. But
for any logs you use as part of a regular assessment of your systems'
security, those copies should be retained as part of the assessment
documentation, for the six years required in the Security Rule.

Jim

Jim Sheldon-Dean
Principal, Director of HIPAA Services
Lewis Creek Systems, LLC
5675 Spear Street, Charlotte VT 05445 802-425-3839
516 E 12 St, Suite 10, New York NY 10009 212-260-6569
[EMAIL PROTECTED]


> From: "Christiansen, John (SEA)" <[EMAIL PROTECTED]>
> Reply-To: "Christiansen, John (SEA)" <[EMAIL PROTECTED]>
> Date: Wed, 23 Jul 2003 09:01:46 -0700
> To: "WEDI SNIP Security Workgroup List" <[EMAIL PROTECTED]>
> Subject: RE: Acceptable time-frames to keep Audit logs
> 
> Thanks to all who pointed out that I erred when I said yesterday that the
> regs don't refer to "audit logs." I broke one of my own cardinal rules,
> which is to double-check the actual text of rules, regulations and
> legislation before trying to pontificate about them. (Which just goes to
> show how important it is to stick to the text when trying to figure out what
> these various regs mean!)
> 
> In reviewing that specification (164.308(a)(1)(ii)(D)) together with the
> documentation standard (164.316(b)), it seems to me you need to have written
> documentation of the procedures implemented for regular review of
> information system activity, including audit logs. Since the logs themselves
> do not appear to be "policies, procedures, actions, activities or
> assessments" required to be documented under the rule, I think I am still
> comfortable saying these are not in themselves required to be retained for
> six years. But I would tie in my written information system activity review
> procedures to my written security incident procedures, since the audit logs
> may constitute all or part of the basis for identification of a security
> incident - it would probably be prudent to have a procedure in place to
> maintain copies of logs which indicate a potential or proven security
> incident as part of the security incident documentation.
> 
> Does anybody else feel like they're playing three-dimensional chess?
> 
> John R. Christiansen
> Preston | Gates | Ellis LLP
> Direct: 206.370.8118
> Cell: 206.683.9125

