PCI Requirement 10.2.2 – All Actions Taken by Any Individual with Root or Administrative Privileges

by Sarah Harvey / May 1st, 2018

Root or Administrative Privileges

Accounts that have root or administrative privileges have a greater chance of impacting the security and functionality of a system. This is why PCI Requirement 10.2.2 requires that organizations implement automated audit trails to reconstruct all actions taken by an individual with root or administrative privileges. Without logging mechanisms enabled, how could you trace issues resulting from misuse of root or administrative privileges?

To verify compliance with PCI Requirement 10.2.2, an assessor will observe audit logs and interview the responsible personnel to ensure that all actions taken by an individual with root or administrative privileges are being logged.
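One way to check that an audit trail can reconstruct root-level actions per individual, shown as an added example that is not part of the original article. It assumes Linux auditd SYSCALL records, runs over constructed sample lines, and uses a hypothetical rule key `rootcmd` and illustrative function names.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux auditd SYSCALL format (abbreviated).
# "rootcmd" is a hypothetical key for a rule that records execve calls made with euid=0.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1525132800.101:501): syscall=59 success=yes auid=1001 uid=0 euid=0 tty=pts0 ses=3 comm="iptables" exe="/usr/sbin/iptables" key="rootcmd"
type=SYSCALL msg=audit(1525132860.202:502): syscall=59 success=yes auid=1002 uid=1002 euid=1002 tty=pts1 ses=4 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1525132920.303:503): syscall=59 success=no auid=1001 uid=0 euid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="rootcmd"
type=SYSCALL msg=audit(1525132980.404:504): syscall=59 success=yes auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="rootcmd"
type=SYSCALL msg=audit(1525133040.505:505): syscall=59 success=yes auid=1002 uid=1002 euid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" key="rootcmd"
"""

UNSET_AUID = "4294967295"  # auditd's value when no login identity is attached
HEADER = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one audit line into a dict of fields plus epoch seconds and serial."""
    m = HEADER.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    fields["epoch"], fields["serial"] = int(m.group(1)), int(m.group(2))
    return fields

def root_actions_by_individual(log_text):
    """Group actions run with effective UID 0 by login identity (auid)."""
    trail, unattributed = defaultdict(list), []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("type") != "SYSCALL" or rec.get("euid") != "0":
            continue  # not a privileged action
        entry = (rec["epoch"], rec.get("exe", "?"), rec.get("success", "?"))
        if rec.get("auid", UNSET_AUID) == UNSET_AUID:
            unattributed.append(entry)  # root action with no individual behind it
        else:
            trail[rec["auid"]].append(entry)
    return dict(trail), unattributed

if __name__ == "__main__":
    trail, unattributed = root_actions_by_individual(SAMPLE_LOG)
    for auid, actions in trail.items():
        print(auid, actions)
    print("unattributed:", unattributed)
```

Grouping on `auid` rather than `uid` matters because `auid` is set at login and survives `su` and `sudo`, so it still names the individual after they become root.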

Video Transcript

Anytime anybody with administrative access or privileged access performs an action, those things need to be logged – whatever they’ve done needs to be logged. If there’s one reason why an individual should not be running around checking their email with administrative privileges, this might be it. From an administrative and logging perspective, what we recommend is that they might have two accounts. One for their normal administrative actions and then another account set aside for their normal online activities such as surfing the Internet or checking their email. But effectively, all actions taken by anybody with root or administrative privileges need to be logged. Where we often find problems with PCI Requirement 10.2.2 is the logging of your changes or logging of your network. For example, if you log into a firewall or router, those are administrative actions that need to be logged. The assessor is going to make sure that logging is enabled; they’re going to be looking for evidence that any time somebody does anything from an administrative perspective, those actions get logged.