10.7.3 Failures of any critical security control systems are responded to promptly

Defined Approach Requirements

10.7.3 Failures of any critical security control systems are responded to promptly, including but not limited to:

• Restoring security functions.
• Identifying and documenting the duration (date and time from start to end) of the security failure.
• Identifying and documenting the cause(s) of failure and documenting required remediation.
• Identifying and addressing any security issues that arose during the failure.
• Determining whether further actions are required as a result of the security failure.
• Implementing controls to prevent the cause of failure from reoccurring.
• Resuming monitoring of security controls.

Customized Approach Objective

Failures of critical security control systems are analyzed, contained, and resolved, and security controls restored to minimize impact. Resulting security issues are addressed, and measures taken to prevent reoccurrence.

Applicability Notes

This requirement applies only when the entity being assessed is a service provider until 31 March 2025, after which this requirement will apply to all entities.

This is a current v3.2.1 requirement that applies to service providers only. However, this requirement is a best practice for all other entities until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

10.7.3.a Examine documentation and interview personnel to verify that processes are defined and implemented to respond to a failure of any critical security control system and include at least all elements specified in this requirement.

10.7.3.b Examine records to verify that failures of critical security control systems are documented to include:

• Identification of cause(s) of the failure.
• Duration (date and time start and end) of the security failure.
• Details of the remediation required to address the root cause.

Purpose

If alerts from failures of critical security control systems are not responded to quickly and effectively, attackers may use this time to insert malicious software, gain control of a system, or steal data from the entity's environment.

Good Practice

Documented evidence (for example, records within a problem management system) should provide support that processes and procedures are in place to respond to security failures. In addition, personnel should be aware of their responsibilities in the event of a failure. Actions and responses to the failure should be captured in the documented evidence.

Further Information

Refer to industry standards and the PCI DSS standard for further information on requirement 10.7.3.