University at Buffalo - The State University of New York
Skip to Content

Policy Information

Date Established: 7/14/2010
Date Last Revised: 12/19/2015
Category: IT Policy
Responsible Office: VPCIO Office
Responsible Executive: VPCIO

Policy Contents

Printing Tip

Be sure to disable the "shrink to fit" feature on your internet browser's print dialog box. 

Log Data Access and Retention Policy

Summary

This policy identifies the retention and destruction rules for system log data,[1] stored on servers and networked devices that are managed by central IT.  Log data are stored for the exclusive use of the central IT system administration staff for specific business reasons or to satisfy legal requirements.  Log data are considered to be confidential and are subject to the privacy requirements of the retention guidelines in the Retention Guidelines for Log Data and are destroyed after their business use is completed.

Policy Statement

Log data created by UB's central IT servers and network devices record only basic information about the activity supported through those devices. Log files are stored for the exclusive use of the central IT system administration staff for specific business reasons[2] or to satisfy legal requirements. Log data are classified as protected data and are subject to the privacy requirements of the Data Access and Security Policy, the retention guidelines in the Retention Guidelines for Log Data, and are destroyed after their business use is completed.

Central IT retains these data for a time period specified in the Retention Guidelines for Log Data.  All log data are considered to be confidential and protected data, and central IT takes active measures to prevent unauthorized access during the retention period. 

    [1] Log data are created automatically during system operation and contain entries about the events that happened in a system. They are vital for systems troubleshooting and analysis. For example Web Servers automatically save usage and activity information such as the date, time, IP address, HTTP status, bytes sent, and bytes received.

    [2] Business reasons include troubleshooting, collecting statistics on usage and activity, billing, documentation, and forensic investigation.

Background

Log data on servers and networked devices managed by central IT are classified as protected, non-public data.  This policy implements UB’s privacy and data protection rules for the collection, access to, and retention of server log data.  In setting the retention period central IT has considered a variety of competing interests, including the need to maintain operational reliability, the desire to reduce storage costs, and the desire to limit log data retention to reduce opportunities for inadvertent disclosure of data. 

Applicability

This policy applies to log data on servers and networked devices managed by central IT.

Definitions

Log data

Records (text files) that are created automatically during system operation and contain entries about the events that happened in a system. They are vital for systems troubleshooting and analysis. For example Web Servers automatically save usage and activity information such as the date, time, IP address, HTTP status, bytes sent, and bytes received.

Responsibility

Vice President and Chief Information Officer

The VPCIO or his designee approves requests for access to server log data.

Procedure

Access to Log Data

While the log data covered under this policy do not contain personally identifying information as addressed by recent federal and New York State laws, the log data are classified by University at Buffalo as protected data.  The reason for this is that the log data used in conjunction with other information that central IT has in its custody may allow us to associate specific information on the use of a service, such as specific Web page access, with a given individual’s computer. 

The VPCIO Office will comply with a court order or valid subpoena that requests the disclosure of information contained in log data.  Failure to comply could have serious consequences for the individuals involved, the VPCIO Office, and the University at Buffalo.

Retention of Log Data

Log data retention times are specified in the Retention Guidelines for Log Data.  If  log data contains relevant information that is useful for future reference, a pending transaction, or as evidence of a management decision, it should be retained.  If log data is needed for these purposes, it is the responsibility of IT staff to move these specific log data to another central IT-owned system prior to the destruction of the log dat (after it has reached its maximum retention time).

Destruction of Log Data

Log data must be destroyed in accordance with the Retention Guidelines for Log Data.  All original, backups, and copies of logs should be destroyed.  For this reason, log data should not be backed up to removable media.  In addition, care should be taken to exclude log data from computer disk images.

This policy recommends deleting log data as opposed to log entries.  

Contact Information

Office of the VPCIO
517 Capen Hall
Buffalo, NY  14260
Phone:  716-645-7979

Related Documents

University Documents:

Interim Associate VP for Information Technology Approval

Signed by Interim Associate Vice President for Information Technology Thomas R. Furlani

Thomas R. Furlani, Interim Associate Vice President for Information Technology