Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. They are focused on PCI DSS compliance, but are based on generally useful log review practices that can be utilized by everybody, with any regulation or without any compliance flavor at all. The practices can be implemented with commercial log management or SIEM tools, open source log analysis tools or manually. As you undoubtedly know, tools alone don’t make anybody compliant!
This is the 17th post, one before last, in the long series of 18 posts (part 1, part 2, part 3 – all parts). This is a very important part as it contains the summary of key periodic operational procedures. Please consider reading from Part 1 – at this stage we are deep in the details and these sections might seem out of context without reading the earlier parts. A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs.
And so we continue with our Complete PCI DSS Log Review Procedures:
Periodic Operational Task Summary
The following chapter contains a summary of operational tasks related to logging and log review. Some of the tasks are described in detail in the earlier chapters of this document; others are auxiliary tasks needed for successful implementation of a PCI DSS log review program.
Daily Tasks
The table below lists the daily tasks, the responsible role that performs each, and what record or evidence is created of its execution:

| Task | Responsible Role | Evidence |
|---|---|---|
| Review all the types of logs produced over the last day, as described in the daily log review procedures | Security administrator, security analyst, (if authorized) application administrator | Record of reports being run on a log management tool |
| (As needed) Investigate the anomalous log entries, as described in the investigative procedures | Security administrator, security analyst, (if authorized) application administrator | Recorded logbook entries for investigated events |
| (As needed) Take actions to mitigate, remediate or reconcile the results of the investigations | Security administrator, security analyst, (if authorized) application administrator, other parties | Recorded logbook entries for investigated events and actions taken |
| Verify that logging is taking place across all in-scope applications | Application administrator | Spreadsheet entry recording the check and its result, kept for future assessment |
| (As needed) Enable logging where it was found disabled or stopped | Application administrator | Spreadsheet entry recording the action taken, kept for future assessment |
Weekly Tasks
The table below lists the weekly tasks, the responsible role that performs each, and what record or evidence is created of its execution:

| Task | Responsible Role | Evidence |
|---|---|---|
| (If approved by a QSA) Review all the types of logs produced on less critical applications over the last week, as described in the daily log review procedures | Security administrator, security analyst, (if authorized) application administrator | Record of reports being run on a log management tool; record of QSA approval for less frequent log reviews and the reasons for that approval |
| (As needed) Investigate the anomalous log entries, as described in the investigative procedures | Security administrator, security analyst, (if authorized) application administrator | Recorded logbook entries for investigated events |
| (As needed) Take actions to mitigate, remediate or reconcile the results of the investigations | Security administrator, security analyst, (if authorized) application administrator, other parties | Recorded logbook entries for investigated events and actions taken |
Monthly Tasks
The table below lists the monthly tasks, the responsible role that performs each, and what record or evidence is created of its execution:

| Task | Responsible Role | Evidence |
|---|---|---|
| Prepare a report on investigated log entries | Security analyst, security manager | Prepared report (to be filed) |
| Report on observed log message types | Security analyst, security manager | Prepared report (to be filed) |
| Report on observed NEW log message types (types not seen in earlier review periods) | Security analyst, security manager | Prepared report (to be filed) |
| (If approved by a QSA) Review all the types of logs produced on non-critical applications over the last month, as described in the daily log review procedures | Security administrator, security analyst, (if authorized) application administrator | Record of reports being run on a log management tool; record of QSA approval for less frequent log reviews and the reasons for that approval |
| (As needed) Investigate the anomalous log entries, as described in the investigative procedures | Security administrator, security analyst, (if authorized) application administrator | Recorded logbook entries for investigated events |
| (As needed) Take actions to mitigate, remediate or reconcile the results of the investigations | Security administrator, security analyst, (if authorized) application administrator, other parties | Recorded logbook entries for investigated events and actions taken |
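Two of the tasks above are mechanical enough to script: the daily check that every in-scope system is still producing logs (and the follow-up "enable logging" task when one has gone quiet), and the monthly report on NEW log message types. The block below is an added example, not part of the original procedure document or of any tool it mentions. The log lines, host names, scope list and baseline are all constructed; a real deployment would read from the log management tool and keep the baseline of known message types from the previous period. The normalization rules in `message_type` (replacing IPs, user names and numbers with placeholders) are one simple way to define a "message type" and are an assumption of this example.

```python
"""Added example (not from the original procedure document): two checks from
the daily and monthly task tables, run over constructed sample logs.
Daily: verify every in-scope system is still sending logs. Monthly: report
message types never seen before, against a baseline from the prior period.
"""
import re
from datetime import datetime, timedelta

# Constructed syslog-style sample lines: "<ISO timestamp> <host> <message>".
SAMPLE_LOGS = """\
2010-11-02T08:01:10 pos-app-01 User jsmith logged in from 10.1.2.3
2010-11-02T08:05:42 pos-app-01 Card lookup failed for txn 883921: timeout
2010-11-02T09:17:03 db-01 Connection accepted from 10.1.2.50 port 51723
2010-11-02T23:58:00 fw-01 DENY tcp 203.0.113.7:4432 -> 10.1.2.3:445
2010-11-03T07:30:11 pos-app-01 User ksmith logged in from 10.1.2.9
2010-11-03T07:45:00 pos-app-01 Audit logging disabled by user admin
2010-11-03T08:02:19 fw-01 DENY tcp 198.51.100.9:51000 -> 10.1.2.3:3389
""".splitlines()

# Constructed PCI DSS scope list; pos-app-02 never logs, to show that case.
IN_SCOPE_HOSTS = {"pos-app-01", "pos-app-02", "db-01", "fw-01"}

# Constructed baseline: message types already reviewed in the prior period.
BASELINE_TYPES = {
    "User <user> logged in from <ip>",
    "Connection accepted from <ip> port <n>",
    "DENY tcp <ip> -> <ip>",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_line(line):
    """Split one sample line into (timestamp, host, message)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable line: %r" % line)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2), m.group(3)


def message_type(message):
    """Replace IPs (with optional port), user names and bare numbers with
    placeholders, so every line of one kind collapses to one 'type'."""
    t = re.sub(r"\b\d{1,3}(\.\d{1,3}){3}(:\d+)?\b", "<ip>", message)
    t = re.sub(r"\bUser \S+", "User <user>", t)
    t = re.sub(r"\bby user \S+", "by user <user>", t)
    t = re.sub(r"\b\d+\b", "<n>", t)
    return t


def check_log_sources(lines, in_scope, now, max_silence=timedelta(hours=24)):
    """Daily check. Returns {host: "ok" | "silent since <ts>" | "never seen"};
    anything but "ok" is recorded as evidence and triggers the enable-logging task."""
    last_seen = {}
    for line in lines:
        ts, host, _ = parse_line(line)
        if host in in_scope and ts > last_seen.get(host, datetime.min):
            last_seen[host] = ts
    status = {}
    for host in sorted(in_scope):
        if host not in last_seen:
            status[host] = "never seen"
        elif now - last_seen[host] > max_silence:
            status[host] = "silent since %s" % last_seen[host].isoformat()
        else:
            status[host] = "ok"
    return status


def find_new_message_types(lines, baseline):
    """Monthly check. Returns {new type: first example line} for types absent
    from the baseline; once reviewed, a new type is added to the baseline."""
    new = {}
    for line in lines:
        _, _, msg = parse_line(line)
        t = message_type(msg)
        if t not in baseline and t not in new:
            new[t] = line
    return new


def evidence_rows(day, source_status, new_types):
    """(date, task, result) rows for the evidence spreadsheet the tables call for."""
    rows = [(day, "verify logging: %s" % h, s) for h, s in sorted(source_status.items())]
    rows += [(day, "new message type", t) for t in sorted(new_types)]
    return rows


def run_checks(now_iso):
    """Run both checks over the sample as of now_iso; returns (status, new_types)."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%S")
    return (check_log_sources(SAMPLE_LOGS, IN_SCOPE_HOSTS, now),
            find_new_message_types(SAMPLE_LOGS, BASELINE_TYPES))


if __name__ == "__main__":
    status, new_types = run_checks("2010-11-03T12:00:00")
    for row in evidence_rows("2010-11-03", status, new_types):
        print(",".join(row))
```

Run as of 2010-11-03 12:00, the sample flags `db-01` as silent for more than 24 hours and `pos-app-02` as never seen, both of which belong in the daily evidence spreadsheet and feed the "enable logging" task. The new-type report surfaces two types absent from the baseline, including "Audit logging disabled by user <user>", which is exactly the kind of entry the investigative procedures should pick up rather than the monthly report. Keeping the first raw line for each new type gives the reviewer a concrete sample instead of only the normalized pattern.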
Quarterly Tasks
The table below lists the quarterly tasks, who performs each, and what record or evidence is created of its execution:

| Task | Responsible Role | Evidence |
|---|---|---|
| Verify that all the systems in scope for PCI DSS are logging and that their logs are being reviewed | Security analyst, security manager | Recorded logbook entries for the review and for exception follow-up |
| Review daily log review procedures | Security analyst, security manager | Updates to logging procedures; change log |
| Review log investigation procedures | Security analyst, security manager | Updates to logging procedures; change log |
| Review collected compliance evidence | Security analyst, security manager | Compliance evidence; evidence review log |
| Review compliance evidence collection procedures | Security analyst, security manager | Updates to procedures; change log |
Annual Tasks
The table below lists the annual tasks, who performs each, and what record or evidence is created of its execution:

| Task | Responsible Role | Evidence |
|---|---|---|
| Review logging and log review policy | CSO | Policy changes; change log; policy review meeting minutes |
| Review compliance evidence before the QSA assessment | PCI DSS compliance project owner | Meeting minutes or other record |
| Live tests with injected anomalies, to confirm they are logged, noticed in review and investigated | As needed | Logs or other records of such tests |
To be continued.
Follow PCI_Log_Review to see all posts.