The PCI standard goes on to say that companies should “review logs for all system components at least daily,” and the review should include servers that handle intrusion detection, authentication, authorization and accounting. The interesting thing is that, in the mind of many retailers, “review logs daily” does not mean that a person would be poring through the logs every single day. An automated system can do this just as well, and in fact better. With such “automated review,” alerts are generated whenever traces of malicious, suspicious or fraudulent activity appear in the logs, while a human analyst reviews the reports and alerts that highlight such activity as needed.
In addition, PCI specifies that “an audit trail should be retained for a period consistent with its effective use, as well as legal regulations,” and that the “audit history usually covers a period of at least one year, with a minimum of 3 months available online.” Thus PCI also imposes log data retention requirements, and with them the corresponding log data destruction requirements!
One should note that log data is implicitly present in many other PCI requirements, not only in the directly relevant Requirement 10. For instance, just about every claim made to satisfy a requirement, such as data encryption or anti-virus updates, needs log files to actually substantiate it. So even the requirement to “use and regularly update anti-virus software” will likely generate requests for log data during the audit, since the relevant information is present in anti-virus audit logs. It is also well known that failed anti-virus updates, which are likewise reflected in logs, expose the company to malware risks: anti-virus software without the latest signature updates only creates a false sense of security and undermines the compliance effort.
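The automated daily review described above (alerts raised by the system, a summary for the analyst), the one-year / three-months-online retention rule, and the failed anti-virus update case are shown together in the following added example; it is not code from the original paper or from any vendor's product. The syslog-style lines, host names, the `av-updater` daemon name, the five-failure threshold and the 90-day / 365-day reading of “3 months online” and “at least one year” are all constructed assumptions for the example.

```python
"""Automated daily log review with alerting, plus retention tiering.

Added example, not from the original paper or any product. Log lines,
hosts and file dates are constructed sample data; the 90/365-day limits
are this example's reading of "3 months online" / "at least one year".
"""
import re
from collections import Counter
from datetime import date

# Constructed sample lines: a burst of failed logins, a denied sudo attempt
# against a cardholder file, a failed anti-virus signature update, and two
# benign events that must not raise an alert.
SAMPLE_LOGS = """\
Mar 10 02:01:07 pos-auth sshd[4411]: Failed password for admin from 198.51.100.23 port 51022 ssh2
Mar 10 02:01:09 pos-auth sshd[4411]: Failed password for admin from 198.51.100.23 port 51024 ssh2
Mar 10 02:01:12 pos-auth sshd[4411]: Failed password for admin from 198.51.100.23 port 51026 ssh2
Mar 10 02:01:15 pos-auth sshd[4411]: Failed password for admin from 198.51.100.23 port 51028 ssh2
Mar 10 02:01:18 pos-auth sshd[4411]: Failed password for admin from 198.51.100.23 port 51030 ssh2
Mar 10 02:01:21 pos-auth sshd[4411]: Failed password for admin from 198.51.100.23 port 51032 ssh2
Mar 10 03:15:44 pos-db01 sudo:    clerk : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/clerk ; USER=root ; COMMAND=/bin/cat /var/db/cardholder.dat
Mar 10 04:00:02 pos-av01 av-updater: signature update FAILED (update server unreachable)
Mar 10 08:12:30 pos-auth sshd[5120]: Accepted password for ops from 10.0.0.5 port 40010 ssh2
Mar 10 09:30:00 pos-db01 cron[880]: (root) CMD (/usr/local/bin/nightly-backup)
"""

TS = r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}"  # syslog timestamp, e.g. "Mar 10 02:01:07"
FAILED_LOGIN = re.compile(TS + r" (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")
SUDO_DENIED = re.compile(TS + r" (?P<host>\S+) sudo:\s+(?P<user>\S+) : user NOT in sudoers ;.*COMMAND=(?P<cmd>.*)$")
AV_FAILED = re.compile(TS + r" (?P<host>\S+) av-updater: signature update FAILED(?P<why>.*)$")  # hypothetical daemon

FAILED_LOGIN_THRESHOLD = 5  # assumption: failures per (host, user, source) in one review window


def review_logs(lines, threshold=FAILED_LOGIN_THRESHOLD):
    """Return alerts as (kind, host, detail) tuples for one daily review window."""
    alerts = []
    failures = Counter()
    for line in lines:
        if m := FAILED_LOGIN.match(line):
            failures[(m["host"], m["user"], m["src"])] += 1  # count, alert only on a burst
        elif m := SUDO_DENIED.match(line):
            alerts.append(("privilege_denied", m["host"], f"{m['user']} ran: {m['cmd']}"))
        elif m := AV_FAILED.match(line):
            alerts.append(("av_update_failed", m["host"], m["why"].strip() or "no reason logged"))
    for (host, user, src), n in failures.items():
        if n >= threshold:
            alerts.append(("brute_force", host, f"{n} failed logins for {user} from {src}"))
    return alerts


def daily_report(alerts):
    """Summary the analyst reads instead of the raw logs: counts, then details."""
    by_kind = Counter(kind for kind, _, _ in alerts)
    lines = [f"{kind}: {n}" for kind, n in sorted(by_kind.items())]
    lines += [f"  [{kind}] {host}: {detail}" for kind, host, detail in alerts]
    return "\n".join(lines)


ONLINE_DAYS = 90    # assumption: "minimum of 3 months available online"
RETAIN_DAYS = 365   # assumption: "at least one year"


def retention_tier(log_date, today):
    """Classify a log file by age: keep online, move to archive, or destroy."""
    age = (today - log_date).days
    if age < 0:
        raise ValueError(f"log date {log_date} is in the future")
    if age <= ONLINE_DAYS:
        return "online"
    if age <= RETAIN_DAYS:
        return "archive"
    return "destroy"


def plan_retention(files, today):
    """Group {filename: date} into the action each file needs on this day."""
    plan = {"online": [], "archive": [], "destroy": []}
    for name, when in sorted(files.items()):
        plan[retention_tier(when, today)].append(name)
    return plan


if __name__ == "__main__":
    today = date(2024, 3, 10)  # constructed review date
    print(daily_report(review_logs(SAMPLE_LOGS.splitlines())))
    sample_files = {  # constructed file dates
        "pos-auth-2024-02-20.log": date(2024, 2, 20),
        "pos-auth-2023-10-01.log": date(2023, 10, 1),
        "pos-auth-2023-01-15.log": date(2023, 1, 15),
    }
    print(plan_retention(sample_files, today))
```

The split between `review_logs` and `daily_report` is the point of the paragraph: the automation decides what is alert-worthy (a single denied privilege escalation or a failed signature update counts, while failed logins only count once they form a burst), and the human reads the condensed result. `plan_retention` turns the retention wording into an explicit per-file action so that both the keep-online and the destroy sides of the requirement are evidenced by a record rather than assumed.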
Similarly, the requirement to “establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations” cannot realistically be satisfied without effective collection and timely review of log data.
Thus the value of logs to a PCI program goes well beyond Requirement 10. Only through careful log data collection and management can companies meet the broad requirements of PCI. Such detailed log data management requires embedded intelligence in the log management solution, both to keep the data secure, accessible and easy to organize, and to automate many of the required tasks, such as monitoring, analysis and retention.
LMI for PCI Compliance
A comprehensive LMI solution that can collect, aggregate and centrally store all log data from these network entities is essential to meeting the goals of the PCI standard. LMI makes it possible to satisfy the audit, monitoring, data protection, log data collection and retention, identity and access management, and change management requirements cited in the PCI requirement documents.
Let’s look at some of the above requirements in more detail.