Why are security logs and auditing important in ICT, and what is a common practice for log retention?


Multiple Choice

Why are security logs and auditing important in ICT, and what is a common practice for log retention?

Explanation:

Security logs and auditing create an audit trail of activity across ICT systems, which is essential for detecting security incidents, reconstructing what happened during an event, and providing evidence for investigations and compliance. By recording who accessed what, when changes were made, and what actions were taken (and whether they succeeded or failed), they enable timely detection of anomalies such as bursts of failed logins or unexpected privilege changes, support incident response, and help satisfy policy and regulatory requirements. A log is only useful as evidence if it cannot be altered by the very accounts it records, so security-relevant logs are normally forwarded to a separate, write-restricted store rather than left on the host that produced them.

For log retention, the practice is to keep records for a period defined by policy and legal obligations, while also considering storage capacity and privacy concerns. A common range is about 1 to 12 months, though some systems or regulations require longer or more specific retention (PCI DSS, for example, requires at least one year of audit log history, with the most recent three months immediately available for analysis). The key is to balance usefulness for investigations with data minimization and practical storage limits, and to enforce the retention window automatically rather than ad hoc. Throughout that window the logs must be secured and tamper-resistant: stored append-only, with integrity protection (hash chaining or signing) so that edited or deleted entries can be detected, and with the retention job itself logged.
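The two properties the explanation asks for, a tamper-resistant audit trail and a policy-driven retention window, interact: pruning old entries must not make the surviving log unverifiable, and the trail should still support detection (here, a burst of failed logins). The following is an added example written for this page, not code from the quiz or from any Army ICTL material. It uses a SHA-256 hash chain as the tamper-evidence mechanism, a constructed set of sample events, and a hypothetical 30-day retention policy; the function names and the record fields (`ts`, `actor`, `action`, `target`, `outcome`) are the example's own choices.

```python
"""Tamper-evident audit log with policy-driven retention (added example)."""
import copy
import hashlib
import json
from collections import Counter
from datetime import datetime, timedelta

GENESIS = "0" * 64  # anchor hash for a chain that has never been pruned


def _canonical(record):
    # Deterministic encoding so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, record):
    # Each hash binds the record to its predecessor: editing, inserting or
    # deleting an earlier entry invalidates every hash after it.
    return hashlib.sha256(prev_hash.encode() + _canonical(record)).hexdigest()


def append_record(chain, ts, actor, action, target, outcome):
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"ts": ts, "actor": actor, "action": action,
              "target": target, "outcome": outcome}
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})


def verify_chain(chain, anchor=GENESIS):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = anchor
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def apply_retention(chain, now_iso, retention_days):
    """Drop entries older than the policy window (entries are in append order).

    Returns (kept, anchor). The anchor is the hash of the last pruned entry;
    the retention job must record it so the kept tail still verifies.
    """
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    keep_from = len(chain)
    for i, entry in enumerate(chain):
        if datetime.fromisoformat(entry["record"]["ts"]) >= cutoff:
            keep_from = i
            break
    anchor = chain[keep_from - 1]["hash"] if keep_from else GENESIS
    return chain[keep_from:], anchor


def failed_login_bursts(chain, threshold):
    """Actors with at least `threshold` failed logins in the retained log."""
    counts = Counter(e["record"]["actor"] for e in chain
                     if e["record"]["action"] == "login"
                     and e["record"]["outcome"] == "failure")
    return {actor: n for actor, n in counts.items() if n >= threshold}


# Constructed sample events for this example (not real log data).
SAMPLE_EVENTS = [
    ("2024-01-05T09:00:00+00:00", "alice", "login", "vpn", "success"),
    ("2024-02-10T14:30:00+00:00", "bob", "modify", "/etc/sudoers", "success"),
    ("2024-03-01T08:00:00+00:00", "mallory", "login", "vpn", "failure"),
    ("2024-03-01T08:00:05+00:00", "mallory", "login", "vpn", "failure"),
    ("2024-03-01T08:00:09+00:00", "mallory", "login", "vpn", "failure"),
    ("2024-03-01T08:01:00+00:00", "mallory", "login", "vpn", "failure"),
    ("2024-03-02T11:00:00+00:00", "alice", "read", "hr-db", "success"),
]


def build_chain(events=SAMPLE_EVENTS):
    chain = []
    for event in events:
        append_record(chain, *event)
    return chain


def edit_and_verify(chain, index, field, value):
    """Simulate an attacker rewriting one field of a stored entry."""
    tampered = copy.deepcopy(chain)
    tampered[index]["record"][field] = value
    return verify_chain(tampered)


def drop_and_verify(chain, index):
    """Simulate an attacker deleting one stored entry."""
    tampered = copy.deepcopy(chain)
    del tampered[index]
    return verify_chain(tampered)


if __name__ == "__main__":
    chain = build_chain()
    print("intact:", verify_chain(chain))
    print("sudoers change rewritten:", edit_and_verify(chain, 1, "action", "read"))
    print("entry deleted:", drop_and_verify(chain, 1))
    kept, anchor = apply_retention(chain, "2024-03-15T00:00:00+00:00", 30)
    print("kept after 30-day retention:", len(kept), "verifies with anchor:",
          verify_chain(kept, anchor))
    print("failed-login bursts:", failed_login_bursts(kept, 3))
```

Two design points are worth noting. First, pruning breaks a naive verifier (`verify_chain(kept)` fails at index 0 because its predecessor is gone), which is why `apply_retention` hands back the anchor hash; in practice that anchor belongs in the retention job's own audit record. Second, a hash chain is tamper-evident, not tamper-proof: an attacker who can rewrite the whole chain can recompute every hash, so the latest hash should also be copied somewhere the attacker cannot write, such as a separate log collector or a signed checkpoint.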

The other options miss the mark: logging is not optional, and indefinite retention is impractical; security logs cover far more than login attempts, and an arbitrary fixed period such as five years is not the general rule (a period that long applies only where a specific regulation mandates it); and their primary purpose is not marketing analytics.
