For how long must visitor logs be retained?

The correct retention period for visitor logs, as outlined in the NERC Critical Infrastructure Protection (CIP) v7 Standards, specifically falls under the requirements for physical security and access control. Retaining visitor logs for 90 calendar days ensures that organizations maintain adequate records of who accesses their facilities. This timeframe allows for a sufficient audit trail to support security protocols and respond to potential security incidents, investigations, or compliance audits.

By keeping records for this duration, organizations can effectively analyze trends in visitor activity and ensure that personnel or visitors who accessed critical assets are accounted for, which is essential for maintaining the integrity and security of Critical Cyber Assets. A shorter retention period may not provide a full view of access patterns, while a longer retention period may lead to unnecessary storage of data that may not be practical or necessary for operational purposes.