Which statement best describes the primary purpose of a log retention policy?

• A. It dictates who can view logs.
• B. It mandates encryption of all logs.
• C. It specifies how long logs are kept to preserve evidence and support incident timelines.
• D. It ensures logs are never encrypted.

Answer: (C)

The main idea being tested is how organizations manage and preserve log data over time. A log retention policy sets how long logs should be kept, where they’re stored, and when they should be deleted. The primary purpose is to preserve evidence and support an accurate incident timeline. Having defined retention ensures that logs remain available long enough for investigators to determine what happened and when, which is crucial for analyzing security events, reconstructing attacker steps, and meeting regulatory or legal requirements.

Other aspects like who can view logs fall under access controls, not retention. Requiring encryption of all logs is about protecting confidentiality, not how long data is kept. Claiming logs should never be encrypted conflicts with security best practices and isn’t about retention goals.