Practical priorities in PCI DSS logging

Security Strategies Alert By M. E. Kabay, Network World
March 10, 2010 12:07 AM ET

Anton Chuvakin, PhD, GCIA, GCIH, GCFA continues his two-part review of logging requirements imposed by the Payment Card Industry Data Security Standard (PCI DSS). Everything that follows is Dr Chuvakin’s work with minor edits. (Part 1)

In today's column, he presents some practical guidance for readers.

* * *

A PCI-consistent logging policy must include at least the following elements:

Adequate logging: covers both logged event types and details for all systems in scope for PCI DSS. As a reminder, this includes not only systems that store or process card data, but also those that are directly connected to them (no firewall in between).

Central log aggregation: making sure that logs are retained in a controlled environment and not left to rot wherever they are produced is a PCI compliance requirement.

Log retention: PCI DSS has an easy answer for your log retention policy: logs must be stored for one year, with the last three months kept in easily accessible storage (not tape).

Log protection and security: PCI also mandates limiting access to logs and employing technology to detect any changes to stored logs.

Daily log review procedures and tasks: this requirement is by far the most onerous to most organizations. However, it does not mean that every single log must be read by a human being. Automated tools can and must be used for automated log review.

Let's now focus on log review in depth. PCI DSS states that one must "Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS)." It then adds that "Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6."

PCI DSS testing and validation procedures for log review mandate that a Qualified Security Assessor (QSA) should "obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required." The QSA must also "through observation and interviews, verify that regular log reviews are performed for all system components." To satisfy those requirements, an organization should create PCI System Log Review Procedures and workflows that cover:

• Log review practices, patterns and tasks

• Exception investigation and analysis

• Validation of these procedures and management reporting.

The procedures should cover both review using automated log management tools and manual review for cases where tools are not available or are not compatible with the log formats produced by the payment applications.
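To make the automated part of that daily review concrete, here is an added example (not from Dr Chuvakin's column): a small Python review script run over constructed syslog lines from an AAA server, a database host and an IDS sensor. The host names, log formats, thresholds and rule names are all assumptions; the script reports what was reviewed and lists every exception that needs human follow-up, including in-scope systems that sent no logs at all.

```python
import re
from collections import Counter
# Constructed sample syslog lines (not real data) from in-scope systems:
# an AAA (RADIUS) server, a cardholder-data DB host and an IDS sensor.
SAMPLE_LOGS = [
    "Mar 10 02:11:03 radius1 radiusd: Login incorrect user=jdoe src=10.1.5.7",
    "Mar 10 02:11:09 radius1 radiusd: Login incorrect user=jdoe src=10.1.5.7",
    "Mar 10 02:11:15 radius1 radiusd: Login incorrect user=jdoe src=10.1.5.7",
    "Mar 10 02:11:22 radius1 radiusd: Login incorrect user=jdoe src=10.1.5.7",
    "Mar 10 02:11:30 radius1 radiusd: Login OK user=jdoe src=10.1.5.7",
    "Mar 10 08:30:00 radius1 radiusd: Login OK user=asmith src=10.1.5.20",
    "Mar 10 09:02:41 pos-db1 auditd: file=/var/log/audit/audit.log modified uid=0",
    "Mar 10 09:15:00 ids1 ids: ALERT priority=1 msg='SQL injection attempt' src=10.9.9.9",
    "Mar 10 10:00:00 ids1 ids: ALERT priority=3 msg='port scan' src=10.9.9.10",
]
LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse(line):
    """Split a syslog line into host, program, message and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip("'") for k, v in FIELD_RE.findall(rec["msg"])}
    return rec

def daily_review(lines, expected_hosts, failed_login_threshold=4):
    """Automated daily review: what was reviewed, plus exceptions a human must follow up."""
    records = [r for r in map(parse, lines) if r]
    seen = Counter(r["host"] for r in records)
    exceptions = []
    # 1. A logging gap is itself an exception: every in-scope system must deliver logs daily.
    for host in expected_hosts:
        if seen[host] == 0:
            exceptions.append({"rule": "silent_source", "host": host, "detail": "no events received"})
    # 2. Repeated authentication failures on an AAA server.
    failures = Counter((r["host"], r["fields"].get("user"))
                       for r in records if r["msg"].startswith("Login incorrect"))
    for (host, user), n in failures.items():
        if n >= failed_login_threshold:
            exceptions.append({"rule": "failed_login_burst", "host": host, "detail": f"{n} failures for {user}"})
    for r in records:
        # 3. Any change to a stored audit log (log protection, Requirement 10.5).
        if "modified" in r["msg"] and r["fields"].get("file", "").endswith("audit.log"):
            exceptions.append({"rule": "audit_log_modified", "host": r["host"], "detail": r["msg"]})
        # 4. Top-priority IDS alerts need analyst attention the same day.
        if r["fields"].get("priority") == "1":
            exceptions.append({"rule": "ids_high_priority", "host": r["host"], "detail": r["fields"]["msg"]})
    return {"events_reviewed": len(records), "hosts_seen": dict(seen), "exceptions": exceptions}
```

The returned record (event count, hosts seen, exceptions) is the evidence a QSA asks for when verifying that daily reviews happen and that exceptions are followed up.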

To conclude, PCI security guidance mandates not only the creation and retention of logs, but also their review. It is essential that your logging policy and procedures cover such daily review tasks, whether performed with log management tools or manually. This will allow you to become compliant, validate your compliance, and stay compliant and secure on an ongoing basis. The major effect the age of compliance has had on log management is to turn it into a requirement rather than just a recommendation, and this change is certainly to the advantage of any enterprise subject to one of those regulations.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
