What does retention of audit logs 'per policy' imply?

Retention of audit logs per policy means there is a formal policy that specifies how long logs are kept, where they are stored, who can access them, and when they are destroyed. This ties logging practices to organizational rules and any applicable laws or regulations, ensuring an auditable and compliant trail while avoiding unnecessary storage. The exact retention duration is defined by the policy and can vary based on data sensitivity and legal requirements, but it is always governed by documented guidelines rather than being arbitrary. In practice, logs are typically kept in a centralized, secure repository to protect integrity and confidentiality, rather than being stored privately on employee devices.