Friday, January 07, 2011

Complete PCI DSS Log Review Procedures, Part 16

Once upon a time, I was retained to create a comprehensive PCI DSS-focused log review policies, procedures and practices for a large company.  They are focused on PCI DSS compliance, but based on generally useful log review practices that can be utilized by everybody and with any regulation or without any compliance flavor at all. The practices can be implemented with commercial log management or SIEM tools, open source log analysis tools or manually. As you undoubtfully know, tools alone don’t make anybody compliant!
This is the 16th post in the long series  that is nearing the end (part 1, part 2, part 3all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs.
And so we continue with our Complete PCI DSS Log Review Procedures (please consider reading from Part 1 – at this stage we are deep in the details and these sections might seem out of context without reading earlier parts):

Management Reporting

In addition for compliance evidence, validation activities can be used to report the success of a log management program, processes and procedures to senior management. The data accumulated in the above sections as proof of organization-wide PCI DSS compliance can also be used for management reporting. Specifically, the following are useful reports that can be produced from the data:
· Presence and adequacy of logging
o Percentage of all systems / regulated data systems covered by logging (the latter should be 100%)

· Presence of defined  log review processes and their implementation
o Log policy and procedure changes
o Application under log review
o Log entries reviewed

· Exception handling process and its implementation
o Log exceptions handled by type, analyst name, etc
o Exception escalated to incident response
o (if relevant) Risk reduced due to timely escalation or incident prevention
o Resources saved due to timely escalation or incident prevention
o Application performance improvement due to log review

· Other log management program reporting
o Overall compliance readiness (PCI DSS and other)

Finally, let’s summarize all periodic operational tasks the organization should be executing in connection with log review.
To be continued.
Follow PCI_Log_Review to see all posts.
Possibly related posts:

Dr Anton Chuvakin