10.4.1 The following audit logs are reviewed at least once daily:

Defined Approach Requirements

10.4.1 The following audit logs are reviewed at least once daily:

• All security events.
• Logs of all system components that store, process, or transmit CHD and/or SAD.
• Logs of all critical system components.
• Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).

Customized Approach Objective

Potentially suspicious or anomalous activities are quickly identified to minimize impact.

Defined Approach Testing Procedures

10.4.1.a Examine security policies and procedures to verify that processes are defined for reviewing all elements specified in this requirement at least once daily.

10.4.1.b Observe processes and interview personnel to verify that all elements specified in this requirement are reviewed at least once daily.

Purpose

Many breaches occur months before being detected. Regular log reviews mean incidents can be quickly identified and proactively addressed.

Good Practice

Checking logs daily (7 days a week, 365 days a year, including holidays) minimizes the amount of time and exposure of a potential breach. Log harvesting, parsing, and alerting tools, centralized log management systems, event log analyzers, and security information and event management (SIEM) solutions are examples of automated tools that can be used to meet this requirement.

Daily review of security events—for example, notifications or alerts that identify suspicious or anomalous activities—as well as logs from critical system components, and logs from systems that perform security functions, such as firewalls, IDS/IPS, file integrity monitoring (FIM) systems, etc., is necessary to identify potential issues.

The determination of "security event" will vary for each organization and may include consideration for the type of technology, location, and function of the device. Organizations may also wish to maintain a baseline of "normal" traffic to help identify anomalous behavior.

An entity that uses third-party service providers to perform log review services is responsible to provide context about the entity's environment to the service providers, so it understands the entity's environment, has a baseline of "normal" traffic for the entity, and can detect potential security issues and provide accurate exceptions and anomaly notifications.

Sub-Requirements

• 10.4.1.1 Automated mechanisms are used to perform audit log reviews.