Auditor Tips: Requirement 10: Audit Logs and Log Monitoring

*This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide.

It’s critical that you configure the log monitoring solution correctly so that the appropriate directories, files, security controls, and events are being monitored. Given the large amount of log data generated by systems, it can be time intensive to manually analyze logs (and automated mechanisms to perform audit log reviews will need to be implemented for PCI DSS v4.0).

You likely need SIEM tools to sift through logs and drill down into problems. In the past, SIEM systems were mainly utilized by large corporations, but solutions for smaller companies are now available.

Organizations often struggle with good log review processes. Using SIEM tools can enable you to have real-time alerting to help you recognize a current attack and initiate your incident response plan.

Regular log monitoring means a quicker response time to security events and improved security program effectiveness.

It is a good idea to test your alerting capabilities as part of your incident response test to ensure alerts are being generated and critical systems and applications are being appropriately monitored.

To correlate events over multiple systems you must synchronize system times. All systems should get their system time from internal time servers, which in turn receive time from a trusted external source.

PCI DSS requires service providers to implement a process to detect and respond to failures of critical security controls in a timely manner. You need to be able to detect these failures and have defined incident responses in place. Your response plans not only need to address the response to fix the problem, but they should also identify risks created by the failure, find root causes, document lessons learned, and implement any necessary changes to prevent failures from happening again.

‍