This is the first post in the long, long series... prepare to see lots of process flow charts
A few tips on how you can use it in your organization:
- If you need to establish log review practices to satisfy PCI DSS Requirement 10.6, “Review logs for all system components at least daily”, feel free to steal from this document and adapt it to your environment. I can do that for you too.
- There is a slight bias towards application and OS logging in this document (as per client request), but you do need to review network and security device logs as well. The methods and practices apply to them too.
- This was created before the PCI DSS 2.0 release, but has been checked to “comply” with the most recent standard (and Requirement 10 has not changed much in 2.0).
- A QSA looked at it and liked it, but YMMV. Your QSA is always the ultimate authority in regards to what will “make you compliant”.
- Don’t forget to buy me a beer if you find it useful. Better: contract me to create something similar for your organization. Are you doing a good job with log review today? Owning an expensive SIEM product but not using it well does not magically make you compliant or secure (it can make you poor, though), but then again, you already knew that….
Project Goals
The goal of this project is to create a comprehensive Log Review Procedures document for PCI DSS applications. Such a document needs to cover log review procedures, tasks and practices, incorporate other systems in the review workflow, and document all stages of log review. If implemented in operational practice, this Log Review Procedures document should satisfy PCI DSS requirements in select sections of PCI DSS Requirements 10 and 12 and should be adequate to pass PCI compliance validation[1].
Project Assumptions, Requirements and Precautions
These critical items are essential for the success of a PCI logging, log management and log review project. It is assumed that the following requirements are satisfied before the Log Review Procedures are put into operational practice.
Requirements
A set of requirements needs to be in place before the operational procedures described in this document can be used effectively:
1. A logging policy is created to codify PCI DSS log-related requirements as well as other regulatory and operational logging requirements
2. Logging is enabled on the in-scope systems
3. Interruption or termination of logging is in itself logged and monitored
4. Events mandated in PCI DSS documentation are logged
5. Generated logs satisfy PCI DSS logging requirements (e.g. Req 10.3)
6. Time is synchronized across the in-scope systems and with a reliable time source (NTP or other, as per PCI DSS Req 10.4)
7. Time zones of all logging systems are known and recorded, so that they can be consulted while reviewing logs
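Three of the prerequisites above can be checked mechanically before each review starts: that every in-scope system is still sending logs (item 3: an interruption of logging must itself be noticed), that source clocks agree with the collector's clock (item 6), and that each event timestamp carries a UTC offset so events from different time zones can be lined up (item 7). The following script is an added example and is not part of the original document or the client project it describes. The record layout (collector receipt time, host, event time as written by the source, message), the host inventory, the thresholds and the sample log lines are all constructed for the example.

```python
"""Pre-review check over centrally collected logs (added example, not the
original document's procedure). Record layout, hosts, thresholds and sample
lines are constructed; adapt the parser to the collector's real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed layout: "<received at collector> <host> <event time as sent> <message>".
# The event time is whatever the source wrote; web01 omits its UTC offset and
# fw01's clock runs about four minutes fast.
SAMPLE_LINES = """\
2011-03-01T10:00:05+00:00 pos-app01 2011-03-01T10:00:04+00:00 sshd: accepted publickey for svc_batch
2011-03-01T10:00:20+00:00 db01 2011-03-01T05:00:19-05:00 audit: SELECT on cardholder.pan by app_user
2011-03-01T10:01:00+00:00 web01 2011-03-01T09:58:00 app: session start
2011-03-01T10:01:10+00:00 fw01 2011-03-01T10:05:00+00:00 firewall: deny tcp 198.51.100.7 -> 10.0.1.5:22
2011-03-01T11:35:00+00:00 db01 2011-03-01T06:35:00-05:00 audit: logon by dba
2011-03-01T11:36:00+00:00 pos-app01 2011-03-01T11:35:59+00:00 app: heartbeat
"""

# Hypothetical in-scope inventory; hsm-gw01 never sends anything at all.
INVENTORY = ["pos-app01", "db01", "web01", "fw01", "hsm-gw01"]
REVIEW_TIME = datetime.fromisoformat("2011-03-01T12:00:00+00:00")
MAX_GAP = timedelta(minutes=30)        # longest acceptable silence per host
SKEW_TOLERANCE = timedelta(seconds=60)  # largest acceptable source/collector clock difference


def parse_lines(text):
    """Split each record into collector receipt time, host, source event time and message."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        received, host, event, message = line.split(" ", 3)
        records.append({
            "received": datetime.fromisoformat(received),
            "host": host,
            "event": datetime.fromisoformat(event),  # naive if the source omitted its offset
            "message": message,
        })
    return records


def check_logging_continuity(records, inventory, review_time, max_gap):
    """Item 3: hosts with no records at all, or none within max_gap of review_time."""
    last_seen = {}
    for r in records:
        if r["host"] not in last_seen or r["received"] > last_seen[r["host"]]:
            last_seen[r["host"]] = r["received"]
    findings = {}
    for host in inventory:
        if host not in last_seen:
            findings[host] = "no logs received"
        elif review_time - last_seen[host] > max_gap:
            findings[host] = f"silent for {review_time - last_seen[host]}"
    return findings


def check_timezone_recorded(records):
    """Item 7: hosts whose event timestamps carry no UTC offset cannot be placed on a common timeline."""
    return sorted({r["host"] for r in records if r["event"].utcoffset() is None})


def check_clock_skew(records, tolerance):
    """Item 6: worst |collector time - source time| per host; offset-less records are skipped."""
    worst = defaultdict(timedelta)
    for r in records:
        if r["event"].utcoffset() is None:
            continue  # cannot compare without knowing the source's offset
        skew = abs(r["received"] - r["event"])
        worst[r["host"]] = max(worst[r["host"]], skew)
    return {host: skew for host, skew in worst.items() if skew > tolerance}


def preflight(records, inventory, review_time):
    """Run all three checks; empty results mean the prerequisites hold for this review."""
    return {
        "silent_hosts": check_logging_continuity(records, inventory, review_time, MAX_GAP),
        "no_timezone": check_timezone_recorded(records),
        "clock_skew": check_clock_skew(records, SKEW_TOLERANCE),
    }


if __name__ == "__main__":
    for check, result in preflight(parse_lines(SAMPLE_LINES), INVENTORY, REVIEW_TIME).items():
        print(f"{check}: {result or 'OK'}")
```

Any non-empty finding should block the review for that host rather than be noted and skipped: a host that has gone silent may have had logging disabled by the very person whose actions you are supposed to review, and a record with no time zone or a badly skewed clock cannot be ordered against events from other systems.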
Precautions
These additional precautions need to be taken in order to make logs useful for PCI DSS compliance and other regulations, as well as for security, forensics and operational requirements:
- Key precaution: the person whose actions are logged on a particular system cannot be the sole party responsible for log review on that same system.
- Key precaution: PCI DSS mandates log security measures (detailed below); all access to logs should be logged and monitored to identify attempts to terminate or otherwise affect the presence and quality of logging.
[1] No assurance or guarantee of PCI compliance or passing PCI validation with one or more PCI DSS requirements can be given in this document. Only each organization’s QSA can be the judge of compliant status, as per PCI Council guidelines.
Out-of-scope Items
The following items are not covered in the document despite the fact that they might be essential for becoming PCI DSS compliant:
| Out-of-scope item | Why out of scope? |
| --- | --- |
| What events to log for each application? | Scope of the project is defined to cover log review only. It is assumed that proper logging is already implemented as per corporate logging policy. |
| What details to log for each logged event for each application? | Scope of the project is defined to cover log review only. It is assumed that proper logging is already implemented as per corporate logging policy. |
| High-level logging and monitoring policy | It is known that such a policy is already in place. |
| Log aggregation, rotation and retention policies and procedures | Even though PCI DSS prescribes log retention, such procedures are not covered in this document. |
| Security incident response process | Scope of the project is defined to cover log review only. Log review procedures sometimes call for initiation of a security incident response process and investigation. |
| Applications that are not in scope for PCI DSS | Scope of the project is defined to cover PCI DSS applications only. |
| Network devices, whether or not they are in scope for PCI DSS | Scope of the project is defined to cover PCI DSS applications only. A.C. note when posting: make sure you do include network devices in your PCI logging project! |
| Access control to stored logs, protecting the confidentiality and integrity of log data | Even though PCI DSS prescribes access control guidelines for aggregated logs, such procedures are not covered in this document as per project definition. |
| Compensating controls when logging is not possible | Scope of the project is defined to cover log review only. Log review is always possible whenever logging is possible; however, situations where logging is not possible are not covered in this document. |
| Real-time monitoring of central logging health, performance, etc. | Scope of the project is defined to cover periodic log review only. |
| Any and all logging requirements in PCI DSS outside of Requirements 10 and 12 | Scope of the project is defined to cover log review procedures in PCI DSS Requirements 10 and 12 only. A brief overview of PCI logging requirements in other sections is provided, but no detailed operational guidance is given. |
| Guarantee of passing a PCI DSS assessment | Only each organization’s QSA can provide such assurance or guarantee, after the assessment. |
| Correlation rules for PCI monitoring | While correlation rules can be created to automate some of the items discussed in the document, the project is scoped to cover log review and not correlation. |
| Log record preservation for forensic purposes | Log record preservation should be a part of the security incident response workflow. |
To be continued.
Go to PCI_Log_Review to see all 18 posts.
P.S. This was posted by a scheduler. I am away from computers and responses to comments will be slow.