Complete PCI DSS Log Review Procedures Part 12

Friday, January 28, 2011

Anton Chuvakin


This is the twelfth post in the long, long series (part 1, part 2, part 3, part 4, part 5, part 6, part 7, part 8, part 9, part 10, part 11). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs.

And so we continue with our Complete PCI DSS Log Review Procedures (please read in order; at this point we are pretty deep in the details and this piece might look out of context):

Validation of Log Review

The final and critical part of compliance-motivated log review is making sure that there is sufficient evidence of the process, of its real-world implementation, and of diligence in following the log review process.

The good news here is that the same data can be used for management reporting about the logging and log review processes, so you are not doing this just for PCI DSS compliance.

Let’s determine what documentation should be produced as proof of log review.

First, a common misconception is that having the actual logs provides that proof. That is not really true: “having logs” and “having logs reviewed” are completely different things, and sometimes years of maturing the security and compliance program separate one from the other. Please make sure that your team members keep that in mind.

Just as a reminder, we have several major pieces that we need to prove for PCI DSS compliance validation. Here is the master-list of all compliance proof we will assemble. Unlike other sections, here we will cover proof of logging and not just proof of log review since the latter is so dependent on the former:

· Presence and adequacy of logging
· Presence of log review processes and their implementation
· Exception handling process and its implementation.

Now we can organize the proof around those areas and then build processes to collect such proof.

Proof of Logging

The first category is: proof of presence and adequacy of logging. This section is the easiest to prove out of the three.

The following items serve as proof of logging:

1. Documented logging policy, covering both logged events and details logged for each event

2. System / application configuration files implementing the above policy

3. Logs produced by the above applications while following the policy.

As stated previously, your QSA is the ultimate judge of what proof of compliance will be adequate for your organization. These tips have been known to be found adequate, but see the disclaimers in earlier parts for details.

Proof of Log Review

The second category: proof of log review processes and their implementation. This section is harder to prove compared to the previous one.

The following items serve as proof of log review:

1. Documented logging policy, covering log review

2. Documented operational procedures, detailing the exact steps taken to review the logs

3. Records of log review tasks being executed by the appropriate personnel (some log management products create an audit log of reviewed reports and events; such an audit trail should cover it – the case of manual review is covered below) – think of this item as a “log review log”

4. Also, records of exceptions being investigated (next section) indirectly prove that log review is taking place as well.

Proof of Exception Handling

The third category: proof of exception handling process and its implementation. This section is by far the hardest to prove out of these three.

The following items serve as proof of the log exception handling process:

1. Documented logging policy, covering exceptions and their handling

2. Documented operational procedures, detailing the exact steps taken to investigate exceptions found during log review (this document)

3. A log of all exceptions investigated with actions taken (“logbook”)
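The “log review log” of the previous section and the exception “logbook” above are the same kind of record: who reviewed what, when, and what came of it. The following is an added example, not code from the original post or from any product it mentions: a small append-only logbook that stores both record types, chains each entry to the previous one with SHA-256 so that later alteration of the evidence is detectable, and reports exceptions that a review raised but nobody recorded investigating (the gap a QSA is most likely to ask about). All field names, record kinds and the sample entries are constructed for illustration, not taken from PCI DSS or from the post.

```python
"""Tamper-evident logbook for log review and exception handling evidence.
Added example; record layout and sample data are assumptions."""
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the very first entry


def _digest(body):
    # Canonical JSON so the hash does not depend on key order
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ReviewLogbook:
    """Append-only, hash-chained records of (a) log review tasks performed
    and (b) exceptions investigated together with the actions taken."""

    def __init__(self):
        self.entries = []

    def _append(self, kind, **fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind, "prev": prev, **fields}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def record_review(self, reviewer, source, period, when, outcome, exceptions=()):
        """One 'log review log' entry: a reviewer covered a log source for a period."""
        return self._append("review", reviewer=reviewer, source=source, period=period,
                            when=when, outcome=outcome, exceptions=list(exceptions))

    def record_exception(self, exc_id, investigator, when, finding, action):
        """One 'logbook' entry: an exception was investigated and dispositioned."""
        return self._append("exception", exc_id=exc_id, investigator=investigator,
                            when=when, finding=finding, action=action)

    def verify(self):
        """Recompute the chain. Returns -1 if intact, else the index of the
        first entry whose content or linkage no longer matches."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i
            if _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def open_exceptions(self):
        """Exception ids raised by a review but never investigated."""
        raised = {x for e in self.entries if e["kind"] == "review" for x in e["exceptions"]}
        handled = {e["exc_id"] for e in self.entries if e["kind"] == "exception"}
        return sorted(raised - handled)

    def evidence_summary(self):
        """Counts a reviewer or QSA would ask for, derived from the records."""
        reviews = [e for e in self.entries if e["kind"] == "review"]
        investigated = [e for e in self.entries if e["kind"] == "exception"]
        return {
            "reviews": len(reviews),
            "reviewers": sorted({e["reviewer"] for e in reviews}),
            "exceptions_investigated": len(investigated),
            "exceptions_open": self.open_exceptions(),
            "chain_intact": self.verify() == -1,
        }


def build_sample():
    """Constructed sample records (hypothetical reviewers, sources and ids)."""
    lb = ReviewLogbook()
    lb.record_review("j.doe", "firewall-syslog", "2011-01-27",
                     "2011-01-28T09:15:00Z", "no anomalies")
    lb.record_review("j.doe", "cardholder-db-audit", "2011-01-27",
                     "2011-01-28T09:40:00Z", "2 exceptions raised",
                     ["EXC-2011-001", "EXC-2011-002"])
    lb.record_exception("EXC-2011-001", "a.smith", "2011-01-28T11:00:00Z",
                        "failed logins from jump host: admin mistyped password",
                        "closed, no further action")
    return lb


if __name__ == "__main__":
    book = build_sample()
    print(json.dumps(book.evidence_summary(), indent=2))
    book.entries[1]["outcome"] = "edited after the fact"  # simulate tampering
    print("first bad entry:", book.verify())
```

Each entry carries the hash of the one before it, so the only way to change a past review outcome or an exception disposition without detection is to rewrite every later entry as well; periodically exporting the latest hash to a place the logbook's operators cannot alter (a ticket, a signed e-mail, a separate system) turns this into evidence a QSA can check rather than simply trust.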

The above evidence should provide ample proof that the organization follows PCI DSS guidance with diligence. Let’s focus on producing this proof – the table has the details.

[Table not reproduced in this copy; the original post showed it as an image labelled “PCI 12”.]

These items directly map to PCI DSS Requirement 10 and the PCI DSS validation procedures.

The critical item from the above list is “a logbook” that is used to record exception follow-up and investigation, thus creating powerful evidence of compliance with PCI DSS requirements.

In a more advanced form, the logbook can even grow into an investigative “knowledge base” that contains all past exception analysis cases.

Cross-posted from Security Warrior
