Complete PCI DSS Log Review Procedures Part 15

Tuesday, February 22, 2011

Anton Chuvakin


This is the fifteenth post in the long, long series (part 1, part 2, part 3, part 4, part 5, part 6, part 7, part 8, Part 9, part 10, part 11, part 12, part 13, part 14). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs.

PCI Compliance Evidence Package

Finally, it is useful to create a “PCI Compliance Evidence Package” based on the established and implemented procedures to show it to the QSA. It will help establish your compliance with three key of PCI DSS logging requirements:

· Presence and adequacy of logging

· Log review

· Exception handling

While it is possible to prepare the evidence package before the assessment, it is much easier to maintain it on the ongoing basis. For example, keep printed or electronic copies of the following:

1. Logging policy that covers all of the PCI DSS in-scope systems

2. Logging and log review procedures (this document)

3. List of log sources – all systems and their components (applications) from the in-scope environment

4. Sampling of configuration files that indicate that logging is configured according to the policy (e.g. /etc/syslog.conf for Unix, screenshots of audit policy for Windows, etc)

5. Sampling of logs from in-scope systems that indicate that logs are being generated according to the policy and satisfy PCI DSS logging requirements

6. Exported or printed report from a log management tools that shows that log reviews are taking place

7. Up-to-date logbook defined above

This will allow always establishing compliant status and proving ongoing compliance.

Cross-posted from Security Warrior

Possibly Related Articles:
PCI DSS Compliance Log Management Security Audits Event Logging
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.