Which practice is necessary for auditing purposes in an information security program?

Log retention is crucial for auditing purposes in an information security program because it ensures that an organization maintains a record of security-related activities and events over time. These logs can include information such as access to systems, user activity, and changes to data or configurations. By retaining logs, organizations can provide evidence during audits, demonstrate compliance with security policies and regulations, and investigate security incidents effectively.

This practice facilitates tracking any unauthorized access, identifying potential vulnerabilities, and evaluating the effectiveness of security controls. Moreover, log retention helps organizations respond to incidents by providing a historical context of security events. This comprehensive view is essential for auditors to assess the organization's security posture and compliance with standards like PCI DSS.

While other practices like security training, penetration testing, and user interviews contribute to the overall security environment, they do not specifically address the documentation and evidence needs that log retention fulfills during an audit.