Meeting PCI Requirement 10 with EventLog Analyzer's Predefined Report
PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data.
PCI DSS Requirement 10 is one of the most important PCI DSS compliance requirements, as it directly addresses network security and access. This is of utmost importance to the IT Department. This requirement covers all user activities that have to do with network resources and cardholder data. Every activity on the network can be monitored and any compromise on security can be traced back to the exact cause with the help of system activity logs.
EventLog Analyzer's PCI Compliance Reports help your organization establish compliance with PCI DSS Requirement 10. With reports that sweep every access log on the network, and an interface that presents these reports in an easily interpretable fashion, EventLog Analyzer's reports make PCI DSS compliance a cakewalk.
- PCI DSS Requirement 10.1 - Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
- PCI DSS Requirement 10.2 - Implement automated audit trails for all system components to reconstruct the following events:
- PCI DSS Requirement 10.5 - Secure audit trails so they cannot be altered.
PCI DSS Requirement 10.1:
What Is It?
Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
What Needs To Be Done?
System components are crucial elements of the network, and any change made to a system component affects the entire network. Complying with this Requirement means recording every access to system components, so that any activity that resulted in an unfavorable change can be traced back to the particular user who effected the change by accessing the system component. This Requirement also lays extra emphasis on accesses by administrative users, as alterations made by an administrative user have ramifications that affect the network with great intensity.
How It Is Done:
To achieve compliance with this section, all accesses to system components must be closely monitored and tracked. The activities of all users across the network, and especially those of administrative users, need to be kept on the radar. With this data, the relevant information can be isolated, and compliance with PCI DSS Requirement 10.1 can be easily established.
To accomplish this, EventLog Analyzer presents two reports:
The Report on Object Access lists the users who accessed specific objects along with the details of the credentials used. From a PCI DSS perspective, this data is useful as it contains the required information on object access. Filtering this report to display the users who accessed system components gives the information you'll ultimately need to establish your compliance with this section of PCI DSS.
The Report on Individual Actions shows data from a different perspective - the activity of each user on the network. The report can be filtered to know the administrative users' activities on the network, and if they accessed system-level components. This report backs the data gathered from the previous report.
PCI DSS Requirement 10.2:
Implement automated audit trails for all system components to reconstruct the following events:
What Needs To Be Done?
This Requirement serves to strengthen the blanket purpose of the parent requirement. While it's important to monitor and track all accesses to system components, doing so manually is a tedious process that leaves room for error. To circumvent these disadvantages, Requirement 10.2 sets out two conditions:
- Automating the process of tracking the accesses.
- Being able to reconstruct the events as a proof of access.
This requirement has sub-sections that illustrate in clear detail, what needs to be done to achieve total compliance.
PCI DSS Requirement 10.2.1:
What Is It?
All individual user accesses to cardholder data.
What Needs To Be Done?
Needless to say, all user accesses to cardholder data must be closely monitored. To ensure that no data is missed because of human error, this process must also be automated. Having in hand all the information about all user accesses to cardholder data will ensure compliance with Requirement 10.2.1 of PCI DSS.
How It Is Done:
Achieving compliance to this requirement is as simple as the Requirement sounds: all the accesses, in terms of users who accessed the particular resource, have to be recorded, including the activities that they performed when they were logged in.
To give granular details that will help accomplish compliance to this requirement, EventLog Analyzer presents two reports:
The Report on Successful Logons shows the complete list of users who have successfully logged in to the network, with details like the username, the timestamp, and the resources they accessed. With all this information, it is easy to arrive at the list of all users who accessed secure areas of the network: information mandated by PCI DSS Requirement 10.2.1.
The Report on Individual Actions shows data from every user's perspective - the resources accessed. When the report is filtered further to show only the data on users who accessed sensitive resources of the network, this data can be used to accomplish compliance with PCI DSS Requirement 10.2.1.
PCI DSS Requirement 10.2.2:
What Is It?
All actions taken by any individual with root or administrative privileges.
What Needs To Be Done?
Administrative users hold the keys to vital information on the network. They have the power to take action with the highest privileges on the most sensitive areas of the network. To make sure that no serious damage has been inflicted on the cardholder data by administrative users, and in turn to ensure compliance with PCI DSS, it is mandated that all actions taken by any user with administrative privileges must be tracked.
How It Is Done:
Your organization can be proved compliant with this Requirement if all the activities carried out by administrative users are recorded in the minutest detail. This includes, but is not limited to, the username, the area of the resource accessed, the time the user spent there, and the changes and activities during that time.
EventLog Analyzer comes prepackaged with the Individual User Action Report, which can help achieve compliance with this particular requirement. This report lists all the activities carried out by each user with their login credentials. By filtering the data in the report to give information only on administrative users, and further narrowing it down to show only the accesses to critical areas that store cardholder data, the information necessary to establish compliance with PCI DSS Section 10.2.2 can be extracted.
PCI DSS Requirement 10.2.4:
What Is It?
Invalid Logical Access Attempts
What Needs To Be Done?
Whatever the resource, be it a simple and ordinary one or a critical one like cardholder data, all users need to log in to the network to access it. A successful logon shows that the user has logged in to the network without trouble. An invalid logon attempt, however, while not in all cases, can also be a sign of attempted illegitimate access to sensitive areas of the network. Tracking such activities will keep some imminent threats at bay. It is also important to keep a trend check on such activities: whether any particular user is more vulnerable, and whether the activities take place only at specific times.
How It Is Done:
As demanded by this Requirement, all invalid access attempts need to be recorded, and this process has to be automated to avoid the possibility of human error. Further, information on both successful and unsuccessful logons will help validate the data, as both events are mutually exclusive.
To give all the above mentioned details that will help accomplish compliance to this requirement, EventLog Analyzer presents two reports:
The Report on Logon Attempts lists all the logon activities on the network, and the unsuccessful logon attempts can be isolated from that data. Exploring further into this report will give details as to which user name was used at which particular time to unsuccessfully access the network resources.
The Report on Successful Logons shows the complete list of users who have successfully logged in to the network, with details like the username, the timestamp, and the resources they accessed. This information will help validate the data against the Logon Attempts Report, and will further strengthen your compliance with PCI DSS Requirement 10.2.4.
PCI DSS Requirement 10.2.6:
What Is It?
Initialization of Audit Logs
What Needs To Be Done?
Audit logs are standing evidence of any activity on the network, and the information contained in those logs is of crucial importance when it comes to tracking administrative activities on sensitive resources. Clearing the audit logs forever destroys the evidence of any accesses whatsoever. Therefore it is necessary to keep track of audit log clearings, and a user has to be accountable for every audit log clearing. It also has to be ensured that not every person has the power to perform this sensitive task; that power has to be confined to a select few administrative personnel on the network.
How It Is Done:
Have in place a process that automatically records all the data related to every single audit log clearing. The data has to be complete with the username and the timestamp.
EventLog Analyzer has an out-of-the-box report that specifically caters to this Requirement: the Report on Audit Logs Cleared. This report lists the users who cleared the audit logs, along with the timestamp of each such event. The information that this report provides is useful in establishing your organization's compliance with PCI DSS Requirement 10.2.6.
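The two reports described for Requirements 10.2.4 and 10.2.6 can be reproduced from raw log records. The following script is an added example, not part of this page or of EventLog Analyzer: it parses a handful of constructed Windows Security log records (the key=value line layout is an assumption made for the example; the event IDs 4624, 4625 and 1102 are the standard Windows meanings of successful logon, failed logon and audit log cleared), isolates failed logons per user, buckets them by hour for the trend check, cross-validates them against successful logons, and produces the who/where/when rows for audit-log clearings.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not real data). Windows Security event IDs:
# 4624 = successful logon, 4625 = failed logon, 1102 = audit log cleared.
# The "timestamp key=value ..." layout is an assumption made for this example.
SAMPLE_LOG = """\
2024-03-01T08:59:10Z EventID=4625 User=jsmith Host=WS-07 Status=0xC000006A
2024-03-01T09:00:02Z EventID=4625 User=jsmith Host=WS-07 Status=0xC000006A
2024-03-01T09:00:45Z EventID=4624 User=jsmith Host=WS-07 LogonType=2
2024-03-01T23:14:03Z EventID=4625 User=svc_backup Host=DB-01 Status=0xC000006D
2024-03-01T23:14:09Z EventID=4625 User=svc_backup Host=DB-01 Status=0xC000006D
2024-03-01T23:14:15Z EventID=4625 User=svc_backup Host=DB-01 Status=0xC000006D
2024-03-02T02:30:00Z EventID=1102 User=admin_rk Host=DB-01
2024-03-02T02:31:10Z EventID=4624 User=admin_rk Host=DB-01 LogonType=10
"""

SUCCESSFUL_LOGON = 4624
FAILED_LOGON = 4625
AUDIT_LOG_CLEARED = 1102


def parse_log(text):
    """Turn each line into a dict with 'time' (datetime), 'event_id' (int)
    and the remaining key=value fields as strings."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        rec = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        rec["event_id"] = int(rec.pop("EventID"))
        records.append(rec)
    return records


def logon_attempts_report(records):
    """Per user: how many logons succeeded and how many failed. Both kinds
    are kept side by side so the two reports can validate each other."""
    report = defaultdict(lambda: {"successful": 0, "failed": 0})
    for rec in records:
        if rec["event_id"] == SUCCESSFUL_LOGON:
            report[rec["User"]]["successful"] += 1
        elif rec["event_id"] == FAILED_LOGON:
            report[rec["User"]]["failed"] += 1
    return dict(report)


def failed_logon_trend(records):
    """Failed logons bucketed by hour of day: the 'only at specific
    times?' trend check from Requirement 10.2.4."""
    return Counter(rec["time"].hour for rec in records
                   if rec["event_id"] == FAILED_LOGON)


def users_never_succeeding(records):
    """Users whose every logon attempt in the window failed. A typo is
    usually followed by a success; repeated failures with none deserve a look."""
    report = logon_attempts_report(records)
    return sorted(user for user, counts in report.items()
                  if counts["failed"] and not counts["successful"])


def audit_logs_cleared_report(records):
    """One row per audit-log clearing: when, by whom, on which host
    (the data Requirement 10.2.6 asks to be kept)."""
    return [(rec["time"].isoformat(), rec["User"], rec["Host"])
            for rec in records if rec["event_id"] == AUDIT_LOG_CLEARED]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Logon attempts by user:", logon_attempts_report(recs))
    print("Failed logons by hour:", dict(failed_logon_trend(recs)))
    print("Users with failures and no success:", users_never_succeeding(recs))
    print("Audit logs cleared:", audit_logs_cleared_report(recs))
```

In the constructed sample, jsmith's two failures are followed by a success (a mistyped password), while svc_backup fails three times at 23:14 with no success at all, which is exactly the kind of pattern the trend check is meant to surface. The audit-log clearing on DB-01 is attributed to admin_rk with its timestamp, which is the accountability record Requirement 10.2.6 requires.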
PCI DSS Requirement 10.2.7:
What Is It?
Creation and Deletion of System Level Objects
What Needs To Be Done?
System level objects are conceptual entities that control the functioning of the system and the network. While all accesses to system level objects need to be monitored, vital tasks like the creation and deletion of such objects require extra attention. Considering the importance of system level objects from a PCI DSS point of view, access to such entities must be restricted and the activities of those who access such objects must be closely monitored.
How It Is Done:
The straightforward way to make sure none of these activities escape vigilance is to log every activity on system level objects with all the necessary data, like the user who accessed the objects, the privileges of the user, and the timestamp. All this data can be drilled down further to investigate precisely whether there has been any creation or deletion of system level objects.
EventLog Analyzer houses the Object Access Report, which comes in handy in this respect. This report lists all the objects on the network and the users who accessed them. Drilling further into this report shows the exact activity of each user. By isolating only the system level objects on the report and obtaining the activities on those objects, the data required to prove compliance with PCI DSS Requirement 10.2.7 can be isolated.
PCI DSS Requirement 10.5:
Secure audit trails so they cannot be altered.
Audit trails are standing and conclusive evidence of any activity on a log-based infrastructure. Altering the logs would mean that the basic proof of accesses and activities on the network is lost forever. This is a serious loophole from a security point of view, as any change in the audit trails renders security breaches untraceable. Looking at it from a PCI DSS perspective and in the interest of cardholder data, a change in the audit trails would mean that any person who has tampered with the cardholder data can slip away unnoticed. Therefore, to secure cardholder data and to ease the tracking of all activities, PCI DSS mandates that no audit trail should be altered. Requirement 10.5 of PCI DSS addresses this on two levels:
- Restricted Viewing of Audit Trails
- Protecting Audit Trails from Unauthorized Access
These Requirements are dealt with in the sub-sections of Requirement 10.5.
PCI DSS Requirement 10.5.1:
What Is It?
Limit viewing of audit trails to those with a job-related need.
What Needs To Be Done?
Audit logs, as mentioned time and again, are important objects on the network where all activities are safely vaulted. Considering the vital information they hold, PCI DSS demands that access even to view those files is restricted to certain administrative users who have a job-related need. This ensures the highest level of security for the audit trails and also narrows down the set of users who could be responsible for any mishap.
How It Is Done:
While there might be permissions and other access control methods that define who can and who cannot access the audit trails, it is equally important that the existence of such a system is provable to the auditors.
EventLog Analyzer, with its Object Access Report and its Report on Audit Logs Cleared, can help you prove your organization's compliance with PCI DSS. These reports provide data on the users who have accessed the audit trails; by correlating that data with your organization's access control policies, it can be proved to the auditors that only those with a job-related requirement have been granted access to the audit trails, and that no one else has accessed this resource.
PCI DSS Requirement 10.5.2:
What Is It?
Protect Audit Trail Files from Unauthorized Modifications
What Needs To Be Done?
This Requirement is an extension of the previous one - while Requirement 10.5.1 talks about viewing the audit trails, this one extends the limits to unauthorized modifications. This Requirement seals off any possible security threat that might approach the audit trails. As an extension to Requirement 10.5.1, it goes on to secure the audit trails even from those who are allowed to view them.
How It Is Done:
Compliance with this section can be established in two stages. The first stage is to prove that no unauthorized person has accessed the audit trails, so one can be sure that no changes have been effected. The second is to prove that any user who accessed the audit trails is authorized to do so, including any new users who have been given the privilege.
To give all the above mentioned details that will help accomplish compliance to this requirement, EventLog Analyzer presents two reports:
The Report on Object Access, as seen many a time before, gives details on the users who accessed network objects. By filtering it down to the users who accessed the audit trails, the list necessary to prove compliance with PCI DSS Section 10.5.2 can be obtained.
The Report on Audit Policy Changes shows whether any new user has been authorized to access the audit log data. This report helps validate any new entries on the Object Access Report.
With this many comprehensive reports that precisely address PCI DSS Requirement 10 compliance, establishing your organization's compliance is just a few clicks away!
Complying with PCI DSS made easy like never before.