10.2.1.5 Audit logs capture all changes to identification and authentication credentials
Defined Approach Requirements
10.2.1.5 Audit logs capture all changes to identification and authentication credentials including, but not limited to:
- Creation of new accounts.
- Elevation of privileges.
- All changes, additions, or deletions to accounts with administrative access.
Customized Approach Objective
Records of all changes to identification and authentication credentials are captured.
Defined Approach Testing Procedures
10.2.1.5 Examine audit log configurations and log data to verify that changes to identification and authentication credentials are captured in accordance with all elements specified in this requirement.
Purpose
Logging changes to authentication credentials (including elevation of privileges, additions, and deletions of accounts with administrative access) provides residual evidence of activities.
Malicious users may attempt to manipulate authentication credentials to bypass them or impersonate a valid account.
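As an added example (not part of the PCI DSS text), the following Python check replays constructed Linux auth-log lines and maps each credential change onto the three elements listed in this requirement, so an assessor or engineer can verify that every element is actually being captured. The log format, the group names treated as administrative and the seed list of admin accounts are assumptions.

```python
import re
# Assumption: membership in any of these groups confers administrative access.
ADMIN_GROUPS = {"sudo", "wheel", "root"}

# Constructed sample lines in Linux auth.log style (not taken from any real system).
SAMPLE_LOG = """\
Mar 03 10:01:02 host useradd[2101]: new user: name=svc_batch, UID=1007, GID=1007, home=/home/svc_batch, shell=/bin/bash
Mar 03 10:02:15 host usermod[2110]: add 'svc_batch' to group 'sudo'
Mar 03 10:03:40 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Mar 03 10:05:00 host passwd[2130]: pam_unix(passwd:chauthtok): password changed for svc_batch
Mar 03 10:06:22 host userdel[2140]: delete user 'olduser'
"""

# Credential-change events we recognise; the sudo line is authentication use, not a credential change, and stays unmatched.
PATTERNS = {
    "useradd": re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)"),
    "usermod": re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'"),
    "passwd": re.compile(r"passwd\[\d+\]: .*password changed for (?P<user>\S+)"),
    "userdel": re.compile(r"userdel\[\d+\]: delete user '(?P<user>[^']+)'"),
}
# The three elements 10.2.1.5 explicitly lists.
REQUIRED = {"creation", "elevation", "admin_change"}

def classify(log_text, admins=("root",)):
    """Return (events, admins): events is a list of (elements, user, line) per credential change; admins is the admin set after replay."""
    admins = set(admins)  # assumed seed list of accounts with administrative access
    events = []
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            user, tags = m.group("user"), set()
            if kind == "useradd":
                tags.add("creation")
            elif kind == "usermod" and m.group("group") in ADMIN_GROUPS:
                admins.add(user)  # track admins so later changes to them are flagged
                tags.add("elevation")
            if user in admins:  # any change/addition/deletion touching an admin account
                tags.add("admin_change")
            if kind == "userdel":
                admins.discard(user)
            events.append((tags, user, line))
            break
    return events, admins

def coverage_gaps(events):
    """Listed elements with no log evidence; an empty set means all three are captured."""
    return REQUIRED - set().union(*(e[0] for e in events))
```

Run against a real export of the audit log, a non-empty result from coverage_gaps is the finding an assessor would raise under the testing procedure for this requirement.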
Purpose
Log use of identification and authentication mechanisms.
Compliance Strategies
- Log all authentication events
- Monitor MFA usage
Typical Policies
- Authentication Logging Policy
Common Pitfalls
- No logs for MFA events
- Missed authentication anomalies
Type
Technical Control
Difficulty
Moderate
Key Risks
- Unauthorized access undetected
Recommendations
- Integrate IAM and SIEM for event correlation
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER