Retention considerations for audit purposes
Posted by bluecopp3r@reddit | sysadmin | 10 comments
Greetings all.
I have 2 situations I'd like your input on.
- I had a recent internal audit as part of our ISO 9001 processes. The backup process was audited and a few areas for improvement were identified and corrected. On review of the corrective actions the auditor asked if there would be a need to preserve backup activity logs for an extended period to show to external auditors that backups have been taking place and not just a recent activity. I have backup activity logs in Veeam set to 90 days.
For those who are in an environment that goes through audits, is there a need to retain backup activity logs? If so, what is your defined retention period and what was the deciding factor(s)?
- Having disabled accounts of former employees can pose risks by an attacker activating them and using them for lateral movement or escalating privileges. I have seen recommendations to automate the deletion of disabled accounts after a set period of time (ex. 90 days). I have also seen where admins don't delete accounts for auditing purposes.
Is removing all group membership a good enough defense for keeping disabled accounts for years? For those who don't delete accounts for auditing purposes, is this for all accounts or for specific roles or access privileges?
eu_licensing_pro@reddit
I’d say 90 days is usually too short once auditors get involved.
In most places I’ve seen, 6–12 months of backup logs is kind of the “safe zone”, mostly because audits don’t happen on a clean timeline and they like seeing consistency over time, not just recent activity.
Also worth noting, logs alone usually aren’t enough. Being able to show restore tests (even quarterly) tends to carry more weight than just “backups ran successfully”.
On the disabled accounts side, just removing group membership isn’t really enough long term. It reduces risk, but it’s still an object sitting there that could be abused if something goes wrong.
What I’ve seen work well is:
- disable immediately
- strip groups
- after X days (like 90) either delete or move to a restricted OU with no permissions
For audit purposes, most places don’t keep *all* accounts forever, just ones tied to higher privilege or where there’s a business/legal reason.
Otherwise you end up with years of dead accounts which is its own risk.
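The disable / strip groups / age-out sequence above, written out as an added example (not code from the thread or from any commenter). It assumes the RSAT ActiveDirectory module, a quarantine OU, that `extensionAttribute1` is unused in the domain (it is used here to stamp the disable date), and placeholder names for the OU, the evidence file and the accounts held back from deletion; the CSV record is what lets you answer "who was offboarded and when" without keeping the object itself around for years.

```powershell
# Added example: two-stage leaver account lifecycle in Active Directory.
# Assumes the ActiveDirectory module, a quarantine OU, and that extensionAttribute1
# is free for use in this domain. All names and paths below are placeholders.
Import-Module ActiveDirectory

$QuarantineOu  = 'OU=Disabled Users,DC=example,DC=internal'   # placeholder
$RetentionDays = 90
$EvidencePath  = 'D:\AuditEvidence\deleted-accounts.csv'      # placeholder
# Accounts kept as disabled objects for audit or legal reasons instead of being deleted.
$PrivilegedHold = @('svc-backup', 'former-dba')               # placeholder list

# Stage 1, run at offboarding: disable, stamp the date, strip every group, move to quarantine.
function Disable-LeaverAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Replace @{ extensionAttribute1 = (Get-Date).ToString('yyyy-MM-dd') }
    foreach ($group in $user.MemberOf) {
        # The primary group (Domain Users) is not listed in MemberOf and cannot be removed this way.
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOu
}

# Stage 2, scheduled: delete quarantined accounts older than the retention window,
# writing a CSV line per account first so the audit trail survives the deletion.
function Remove-AgedLeaverAccounts {
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    $aged = Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $QuarantineOu |
        Get-ADUser -Properties extensionAttribute1, MemberOf |
        Where-Object { $_.extensionAttribute1 -and ([datetime]$_.extensionAttribute1) -lt $cutoff }

    foreach ($user in $aged) {
        if ($user.MemberOf.Count -gt 0) {
            # Something re-added a group to a quarantined account; investigate rather than delete.
            Write-Warning "$($user.SamAccountName) still has group memberships; skipping"
            continue
        }
        $retain = $PrivilegedHold -contains $user.SamAccountName
        $action = if ($retain) { 'retained' } else { 'deleted' }
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            ObjectGUID     = $user.ObjectGUID
            DisabledOn     = $user.extensionAttribute1
            ProcessedOn    = (Get-Date).ToString('s')
            Action         = $action
        } | Export-Csv -Path $EvidencePath -Append -NoTypeInformation

        if (-not $retain) {
            Remove-ADUser -Identity $user -Confirm:$false
        }
    }
}

# Usage: Disable-LeaverAccount -SamAccountName 'jdoe'   (at offboarding)
#        Remove-AgedLeaverAccounts                       (from a scheduled task)
```

Stage 2 refuses to delete an account that has picked up group membership while quarantined, since that is exactly the "attacker re-enables a dead account" scenario the thread is worried about and deserves a look rather than silent cleanup.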
bluecopp3r@reddit (OP)
Thank you very much for this explanation. I appreciate it
eu_licensing_pro@reddit
Glad it helped 👍
Audits tend to be less about tools and more about consistency over time.
eu_licensing_pro@reddit
No problem 👍
It’s a confusing topic; a lot of people don’t realize how these keys actually work.
Ssakaa@reddit
Most of it depends on what your internal policies (and any externally imposed regulatory/insurance requirements) say, what your internal review processes are for those logs, and what records you keep around those. Being able to show you actually test your backups, say, yearly, quarterly, etc might offset that shorter log retention. If you have retention requirements for the backups themselves, being able to easily pull evidence showing those exist and are available is arguably even more valuable than backup activity logs (and auditors appreciate a well reasoned argument when you have evidence and existing policy to back it).
bluecopp3r@reddit (OP)
Ahhh. I appreciate that insight. I'm in the process of trying to implement automated recovery testing, so those reports will come in handy.
vogelke@reddit
If you ever face an external audit, they'll probably want something longer than 90 days. If you have room, I'd keep a year's worth.
Put them on a separate machine if possible -- save something like SHA256 hashes for them and crypto-sign those hashes using GPG or the moral equivalent.
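The "hash the exported logs, then sign the hashes" idea above as an added example (not code from the thread or from any commenter). It assumes the exported Veeam reports already sit in a folder on the separate evidence machine, that `gpg` is on the PATH with a signing key, and placeholder values for the folder and key id. The manifest is a plain text list of SHA-256 hashes, the signature is detached, and the verify function is what you would run when an auditor asks whether the year-old logs are still the ones you exported.

```powershell
# Added example: SHA-256 manifest plus detached GPG signature over exported backup logs.
# Assumes gpg is on PATH with a usable signing key; paths and key id are placeholders.
param(
    [string]$ExportDir = 'D:\BackupEvidence\2024',           # placeholder
    [string]$SignerId  = 'backup-evidence@example.com'       # placeholder key id
)

# One line per file: "<sha256>  <relative path>", sorted so re-runs are comparable.
function New-LogManifest {
    param([string]$Dir, [string]$ManifestPath)
    $lines = Get-ChildItem -Path $Dir -File -Recurse |
        Where-Object { $_.FullName -ne $ManifestPath -and $_.Extension -ne '.asc' } |
        Sort-Object FullName |
        ForEach-Object {
            $rel  = $_.FullName.Substring($Dir.Length).TrimStart('\')
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            "$hash  $rel"
        }
    Set-Content -Path $ManifestPath -Value $lines -Encoding ASCII
}

# Detached, ASCII-armoured signature so the manifest itself stays readable.
function Protect-LogManifest {
    param([string]$ManifestPath, [string]$Signer)
    & gpg --batch --yes --armor --local-user $Signer --detach-sign --output "$ManifestPath.asc" $ManifestPath
    if ($LASTEXITCODE -ne 0) { throw 'gpg signing failed' }
}

# Later check: signature still valid and every listed file still hashes the same.
# Returns $true when everything matches, $false (with warnings) otherwise.
function Test-LogManifest {
    param([string]$Dir, [string]$ManifestPath)
    & gpg --batch --verify "$ManifestPath.asc" $ManifestPath 2>$null
    if ($LASTEXITCODE -ne 0) { Write-Warning 'manifest signature does not verify'; return $false }

    $ok = $true
    foreach ($line in Get-Content -Path $ManifestPath) {
        $expected, $rel = $line -split '  ', 2
        $path = Join-Path -Path $Dir -ChildPath $rel
        if (-not (Test-Path -Path $path)) { Write-Warning "missing: $rel"; $ok = $false; continue }
        $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($actual -ne $expected) { Write-Warning "modified: $rel"; $ok = $false }
    }
    return $ok
}

$manifest = Join-Path -Path $ExportDir -ChildPath 'MANIFEST.sha256'
New-LogManifest -Dir $ExportDir -ManifestPath $manifest
Protect-LogManifest -ManifestPath $manifest -Signer $SignerId
Test-LogManifest -Dir $ExportDir -ManifestPath $manifest
```

Keep the signing key (or at least its private half) off the backup server: the point of signing on a separate machine is that whoever can alter the Veeam logs cannot also re-sign the manifest.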
bluecopp3r@reddit (OP)
Ok, thanks for your input. So it would be good to export the backup log as a report and store them away.
vogelke@reddit
Yes.
bluecopp3r@reddit (OP)
Thank you