10.3.4 File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.
Defined Approach Requirements
10.3.4 File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.
Customized Approach Objective
Stored activity records cannot be modified without an alert being generated.
Defined Approach Testing Procedures
10.3.4 Examine system settings, monitored files, and results from monitoring activities to verify the use of file integrity monitoring or change-detection software on audit logs.
Purpose
File integrity monitoring or change-detection systems check for changes to critical files and notify when such changes are identified. For file integrity monitoring purposes, an entity usually monitors files that do not regularly change, but when changed, indicate a possible compromise.
Good Practice
Software used to monitor changes to audit logs should be configured to provide alerts when existing log data or files are changed or deleted. However, new log data being added to an audit log should not generate an alert.
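As an added illustration (not part of the standard or of this page), the following Python sketch models the append-tolerant check the Good Practice paragraph describes: a baseline records the byte length and SHA-256 digest of the log as it stood, and later checks accept a longer file whose baselined prefix is unchanged while flagging truncation or in-place edits. The log lines are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LogBaseline:
    """Snapshot of an audit log: how many bytes existed and their SHA-256."""
    length: int
    digest: str


def baseline(data: bytes) -> LogBaseline:
    """Record the current log content; store this off-host so an attacker
    who edits the log cannot also rewrite the baseline."""
    return LogBaseline(len(data), hashlib.sha256(data).hexdigest())


def check_append_only(data: bytes, base: LogBaseline) -> str:
    """Classify the current log against its baseline.
    'ok'        -> baselined bytes intact; anything beyond them is new log data
    'truncated' -> file is shorter than the baseline (records removed)
    'modified'  -> same or greater length, but the baselined prefix changed
    """
    if len(data) < base.length:
        return "truncated"
    if hashlib.sha256(data[: base.length]).hexdigest() != base.digest:
        return "modified"
    return "ok"


def advance_baseline(data: bytes, base: LogBaseline) -> LogBaseline:
    """After an 'ok' check, extend the baseline to cover the newly appended
    records so that later edits to them are detected as well."""
    if check_append_only(data, base) != "ok":
        raise ValueError("log failed integrity check; baseline not advanced")
    return baseline(data)


# Constructed sample audit log (not real data).
SAMPLE_LOG = (
    b"2024-01-01T10:00:00Z uid=1001 action=login result=PASS\n"
    b"2024-01-01T10:05:12Z uid=1001 action=sudo  result=FAIL\n"
)
NEW_RECORD = b"2024-01-01T10:07:30Z uid=1002 action=login result=PASS\n"

if __name__ == "__main__":
    base = baseline(SAMPLE_LOG)
    print(check_append_only(SAMPLE_LOG + NEW_RECORD, base))          # ok: append
    print(check_append_only(SAMPLE_LOG[:-20], base))                  # truncated
    print(check_append_only(SAMPLE_LOG.replace(b"FAIL", b"PASS"), base))  # modified
```

Only the "truncated" and "modified" outcomes should raise an alert; the "ok" outcome is the normal growth of the log and should instead advance the baseline.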
Purpose
Promptly back up audit logs to a centralized log server or media that is difficult to alter.
Compliance Strategies
- Automated log forwarding
- Central SIEM solutions
Typical Policies
- Log Backup Policy
Common Pitfalls
- Delayed log backups
- Logs only stored locally
Type
Technical Control
Difficulty
Moderate
Key Risks
- Loss of logs in case of incident
Recommendations
- Automate log shipping to secure central storage
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER