10.4.3 Exceptions and anomalies identified during the review process are addressed.
Defined Approach Requirements
10.4.3 Exceptions and anomalies identified during the review process are addressed.
Customized Approach Objective
Suspicious or anomalous activities are addressed.
Applicability Notes
Defined Approach Testing Procedures
10.4.3.a Examine security policies and procedures to verify that processes are defined for addressing exceptions and anomalies identified during the review process.
10.4.3.b Observe processes and interview personnel to verify that, when exceptions and anomalies are identified, they are addressed.
Purpose
If exceptions and anomalies identified during the log-review process are not investigated, the entity may be unaware of unauthorized and potentially malicious activities occurring within its network.
Good Practice
Entities should consider how to address the following when developing their processes for defining and managing exceptions and anomalies:
- How log review activities are recorded,
- How to rank and prioritize exceptions and anomalies,
- What procedures should be in place to report and escalate exceptions and anomalies, and
- Who is responsible for investigating and for any remediation tasks.
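The four Good Practice points above (recording reviews, ranking exceptions, escalating them, and assigning an owner) can be checked mechanically against whatever tracking system holds the review records. The following is an added example, not PCI SSC text or any vendor's tool: it runs over a small set of constructed anomaly records, flags the common pitfalls named on this page (items with no owner, items closed with no follow-up evidence, items that have outlived their escalation window), and returns the open items in the order they should be escalated. The severity names and the escalation windows are assumptions for illustration; an entity would substitute the values from its own procedure.

```python
"""Check that anomalies raised during log review have been addressed (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed severity ranking and escalation windows; replace with the entity's own values.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
ESCALATION_SLA = {
    "critical": timedelta(hours=4),
    "high": timedelta(days=1),
    "medium": timedelta(days=3),
    "low": timedelta(days=7),
}
# Dispositions that count as "addressed"; each must carry follow-up evidence.
CLOSED = {"resolved", "false_positive", "accepted_risk"}


@dataclass
class Anomaly:
    id: str
    source: str                      # log source the exception came from
    severity: str
    detected_at: datetime            # when the reviewer flagged it
    owner: Optional[str] = None      # person or team responsible for investigation
    status: str = "open"
    follow_up: List[str] = field(default_factory=list)  # ticket ids / investigation notes


def find_gaps(anomalies: List[Anomaly], now: datetime) -> List[Tuple[str, str]]:
    """Return (anomaly id, problem) pairs for records that would fail an evidence check."""
    gaps = []
    for a in anomalies:
        if a.status in CLOSED and not a.follow_up:
            # Closed, but nothing retained to show what was done: "missing follow-up records"
            gaps.append((a.id, "closed without follow-up evidence"))
        elif a.status not in CLOSED:
            if a.owner is None:
                gaps.append((a.id, "no owner assigned"))
            if now - a.detected_at > ESCALATION_SLA[a.severity]:
                gaps.append((a.id, "escalation SLA exceeded"))
    return gaps


def escalation_order(anomalies: List[Anomaly]) -> List[str]:
    """Open anomalies ranked by severity, then by age (oldest first)."""
    open_items = [a for a in anomalies if a.status not in CLOSED]
    ranked = sorted(open_items, key=lambda a: (SEVERITY_RANK[a.severity], a.detected_at))
    return [a.id for a in ranked]


# Constructed review records for demonstration; fixed "now" keeps results reproducible.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Anomaly("A-1", "firewall", "critical", NOW - timedelta(hours=2), "soc-oncall", "open", ["INC-100"]),
    Anomaly("A-2", "idp", "high", NOW - timedelta(days=2)),  # nobody assigned, past its window
    Anomaly("A-3", "db-audit", "low", NOW - timedelta(days=5), "it-ops", "resolved", []),
    Anomaly("A-4", "app", "medium", NOW - timedelta(days=1), "it-ops", "false_positive",
            ["reviewed: matches scheduled batch job"]),
    Anomaly("A-5", "firewall", "critical", NOW - timedelta(hours=1), "soc-oncall", "open", []),
]

if __name__ == "__main__":
    for anomaly_id, problem in find_gaps(SAMPLE, NOW):
        print(f"{anomaly_id}: {problem}")
    print("escalate in order:", ", ".join(escalation_order(SAMPLE)))
```

Run as a script it prints the three evidence gaps in the sample (A-2 has no owner and has exceeded its window; A-3 was closed with nothing recorded) and the escalation order A-1, A-5, A-2. The same two functions can be pointed at an export from a ticketing system to produce the evidence an assessor asks for under 10.4.3.b.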
Purpose
Document and retain evidence of log reviews and follow-up actions.
Compliance Strategies
- Log review tracking
- Audit trails for follow-up
Typical Policies
- Log Review Documentation Policy
Common Pitfalls
- No evidence of review
- Missing follow-up records
Type
Documentation/Process Control
Difficulty
Low
Key Risks
- Inability to demonstrate compliance or investigation
Recommendations
- Maintain review logs and tickets
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER