SC10: Logs required by the Harvard Information Security Policy must be retained for a minimum of 90 days, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS). Systems which store or process regulated data may require longer retention periods.