PCI DSS 10.7 – Audit trail history retention

Requirement 10 in general covers security logging configuration, log correlation and management, log analysis and log storage. You need to be able to show who was logged into a system at any given time, what they did on the system, and how they accessed it. This is done through auditing and logging. The easiest way to comply with Requirement 10 is to set up a security information and event management (SIEM) system to collect and correlate security logs. There are various free and commercial SIEMs available, such as:

– https://code.google.com/p/security-onion/
– https://www.splunk.com
– https://www.alienvault.com
– https://australia.emc.com/security/rsa-envision.htm
– https://logrhythm.com/
– https://www.mcafee.com/au/products/siem/index.aspx

Organisations should review the options and choose the product that best fits their needs. Security logs should be configured in accordance with best practice and analysed daily. Some guidance on log settings is linked below:
– http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
– http://www.sans.org/security-resources/idfaq/logging-windows.php
– http://www.govhealthit.com/sites/govhealthit.com/files/resource-media/pdf/elm_ _compliance_best_practices_govt_-_healthcare.pdf
– http://www.sans.org/reading-room/whitepapers/detection/logging-monitoring-detect-network-intrusions-compliance-violations-environment-33985
– http://www.linuxjournal.com/article/5476?page=0,0
– http://www.bhconsulting.ie/Best%20Practises%20for%20Log%20Management.pdf

10.7 specifically refers to log retention. In a small to medium-sized enterprise this means taking regular backups of SIEM logs and storing them encrypted in a secure location. The last three months must be immediately available – i.e. not in an offsite storage location that would take a long time to restore.
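As an added illustration of that retention split (this is example code written for this page, not a tool or script from the article), the Python below keeps the last 90 days of SIEM log files online, bundles older files into a tar.gz with a SHA-256 manifest, and deletes the originals only after the bundle verifies. The directory layout, the file naming and the assumption that the bundle is encrypted out of band (e.g. with gpg) before it leaves the host are all my own choices.

```python
import hashlib
import os
import tarfile
import time

HOT_DAYS = 90  # PCI DSS 10.7: the last three months stay immediately available

def classify_logs(log_dir, now=None, hot_days=HOT_DAYS):
    # Split files by mtime: 'hot' stays online, 'cold' goes to the offline archive
    cutoff = (now or time.time()) - hot_days * 86400
    hot, cold = [], []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path):
            (hot if os.path.getmtime(path) >= cutoff else cold).append(path)
    return hot, cold

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_archive(archive, manifest):
    # Restore test: the archive must contain exactly the manifest's files, unchanged
    with tarfile.open(archive, "r:gz") as tar:
        seen = {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar.getmembers() if m.isfile()}
    return seen == manifest

def archive_cold_logs(log_dir, archive_dir, now=None):
    # Bundle cold logs into one tar.gz plus a SHA-256 manifest; originals are removed
    # only after the bundle verifies. Encrypting it (e.g. gpg) before it leaves the
    # host is assumed to happen out of band.
    _, cold = classify_logs(log_dir, now)
    if not cold:
        return None, {}
    os.makedirs(archive_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%d", time.gmtime(now or time.time()))
    archive = os.path.join(archive_dir, f"siem-logs-{stamp}.tar.gz")
    manifest = {os.path.basename(p): sha256_file(p) for p in cold}
    with tarfile.open(archive, "w:gz") as tar:
        for path in cold:
            tar.add(path, arcname=os.path.basename(path))
    if not verify_archive(archive, manifest):
        raise RuntimeError("archive failed verification; originals kept")
    for path in cold:
        os.remove(path)
    return archive, manifest
```

Run it from a scheduled job against the SIEM's export directory; the manifest should be stored with the encrypted bundle so a restore can be checked the same way.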