Requirement 10: Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical. Effective logging and auditing mechanisms across all in-scope systems and applications help ensure thorough tracking and analysis when troubleshooting or forensic investigation is required. Determining the root cause of a system or data compromise is difficult or impossible without appropriate system activity logs.

The following table lists the specific sub-requirements in Requirement 10 that are addressed by TIBCO LogLogic® Compliance Suite - PCI Edition.

Requirement 10: Track and monitor all access to network resources and cardholder data

10.1 Establish a process for linking all access to system components (especially those done with administrative privileges such as root) to each individual user
10.2.1 Implement automated audit trails for all system components to reconstruct the following events: All individual user accesses to cardholder data
10.2.2 Implement automated audit trails for all system components to reconstruct the following events: All actions taken by any individual with root or administrative privileges
10.2.3 Implement automated audit trails for all system components to reconstruct the following events: Access to all audit trails
10.2.4 Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts
10.2.5 Implement automated audit trails for all system components to reconstruct the following events: Use of identification and authentication mechanisms
10.2.6 Implement automated audit trails for all system components to reconstruct the following events: Initialization of the audit logs
10.2.7 Implement automated audit trails for all system components to reconstruct the following events: Creation and deletion of system-level objects
10.3.1 Record at least the following audit trail entries for all system components for each event: User identification
10.3.2 Record at least the following audit trail entries for all system components for each event: Type of event
10.3.3 Record at least the following audit trail entries for all system components for each event: Date and time
10.3.4 Record at least the following audit trail entries for all system components for each event: Success or failure indication
10.3.5 Record at least the following audit trail entries for all system components for each event: Origination of event
10.3.6 Record at least the following audit trail entries for all system components for each event: Identity or name of affected data, system component, or resource
10.5.1 Limit viewing of audit trails to those with a job-related need
10.5.2 Protect audit trail files from unauthorized modifications
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter
10.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)
10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). (Note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6)
10.7 Retain audit trail history for at least one year, with a minimum of three months available online
10.8 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. Update: v3.0 November 2013.