11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows:
Defined Approach Requirements
11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows:
- To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files.
- To perform critical file comparisons at least once weekly.
Defined Approach Testing Procedures
11.5.2.a Examine system settings, monitored files, and results from monitoring activities to verify the use of a change-detection mechanism.
11.5.2.b Examine settings for the change-detection mechanism to verify it is configured in accordance with all elements specified in this requirement.
Customized Approach Objective
Critical files cannot be modified by unauthorized personnel without an alert being generated.
Applicability Notes
For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
Purpose
Changes to critical system, configuration, or content files can be an indicator that an attacker has accessed an organization's system. Such changes can allow an attacker to take additional malicious actions, access cardholder data, and/or conduct activities without detection or record.
A change-detection mechanism will detect and evaluate such changes to critical files and generate alerts that can be responded to following defined processes so that personnel can take appropriate actions.
Good Practice
Examples of the types of files that should be monitored include, but are not limited to:
- System executables.
- Application executables.
- Configuration and parameter files.
- Centrally stored, historical, or archived audit logs.
- Additional critical files determined by the entity (for example, through risk assessment or other means).
Examples
Change-detection solutions such as file integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected.
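A minimal illustration of what such a mechanism does, added here as an example and not code from PCI DSS or any particular FIM product: it hashes the monitored files into a baseline, reports changes, additions and deletions on the next comparison, and checks that the most recent comparison falls inside the weekly window required by 11.5.2. The directory and file names in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
import time
from pathlib import Path

WEEK_SECONDS = 7 * 24 * 3600  # 11.5.2: critical file comparisons at least once weekly

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(roots):
    """Map every regular file under the monitored roots to its hash."""
    baseline = {}
    for root in roots:
        for p in sorted(Path(root).rglob("*")):
            if p.is_file():
                baseline[str(p)] = sha256_file(p)
    return baseline

def compare(baseline, current):
    """Report additions, modifications and deletions relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}

def comparison_on_schedule(last_run_epoch, now_epoch=None):
    """True when the most recent comparison falls inside the weekly window."""
    now = time.time() if now_epoch is None else now_epoch
    return (now - last_run_epoch) <= WEEK_SECONDS

def demo():
    """Constructed scenario: one modification, one addition, one deletion."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.conf").write_text("debug=false\n")     # constructed config file
        (root / "server.bin").write_bytes(b"constructed-binary")  # unchanged, not reported
        (root / "old.log").write_text("archived\n")         # constructed archived log
        baseline = build_baseline([root])
        (root / "app.conf").write_text("debug=true\n")      # modified
        (root / "new.so").write_bytes(b"unexpected")        # added
        (root / "old.log").unlink()                         # deleted
        findings = compare(baseline, build_baseline([root]))
        return {k: [Path(p).name for p in v] for k, v in findings.items()}
```

In practice the baseline itself must be stored where the monitored system cannot rewrite it, and each finding should feed the alerting and response process the requirement describes.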
purpose
Document and address findings from penetration testing.
compliance strategies
- Remediation tracking
- Retesting after fixes
typical policies
- Penetration Test Remediation Policy
common pitfalls
- No follow-up on findings
- Unresolved vulnerabilities
type
Process Control
difficulty
Moderate
key risks
- Persisting exploitable weaknesses
recommendations
- Integrate with vulnerability management workflows
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER