Saturday, December 04, 2010

Complete PCI DSS Log Review Procedures, Part 5

Once upon a time, I was retained to create a comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am preparing to handle more of such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged “PCI_Log_Review.”  It was written to be a complete and self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and  log analysis  in order to enable them to do the job and then grow their skills. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation or without any compliance flavor at all.

This is the fourth post in the long, long series (part 1, part 2, part 3all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs.

And so we continue with our Complete PCI DSS Log Review Procedures:

Logging and Log Review Policy

In light of the above, a PCI-derived logging policy must at least contain the following:

· Adequate logging, that covers both logged event types and details

· Log aggregation and retention (1 year)

· Log protection

· Log review

Let’s now focus on log review in depth as defined in project scope. PCI DSS states that “Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). “It then adds that “Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6”

PCI testing and validation procedures for log review mandate that a QSA should “obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required.” QSA must also assure that” Through observation and interviews, verify that regular log reviews are performed for all system components.”

Below we document application Log Review Procedures and workflows that cover:

1. Log review practices, patterns and tasks

2. Exception investigation and analysis

3. Validation of these procedures and management reporting.

The procedures will be provided for using automated log management tools as well as manually when tools are not available or not compatible with log formats produced by the application.

Review Procedures and Workflows

The overall connection between the three types of PCI-mandates procedure is as follows:


In other words, “Periodic Log Review Practices” are performed every day (or less frequently, if daily review is impossible) and any discovered exceptions or are escalated to “Exception Investigation and Analysis.” Both are documented as prescribed in “Validation of Log Review” to create evidence of compliance. We will now provide details on all three types of tasks. [A.C. – and so the fun starts!]

To be continued.

Follow PCI_Log_Review to see all posts.

Possibly related posts:

Dr Anton Chuvakin