Examine Audit Trails
PCI Requirement 10.2.3 requires that organizations implement automated audit trails to reconstruct access to audit trails. What’s the purpose of this? Guidance for PCI Requirement 10.2.3 states, “Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel.”
From an assessment perspective, an assessor will need to interview responsible personnel and examine audit trails to ensure that access to all audit trails is logged.
Any time somebody accesses the audit logs, whether the logs are stored as native files or reside on some type of central logging server (CLS), that access should itself create a log entry. From an assessment perspective, we're going to ask to see the logs that were generated when somebody accessed them.
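As an added illustration (not part of the original article), the script below shows how access to natively stored audit logs can be traced back to an individual account. It assumes Linux auditd as the logging mechanism, with a watch rule such as `-w /var/log/audit/ -p rwa -k audit-log-access`; the key name, accounts and sample records are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux auditd format (not from the original page).
# Assumed watch rule: -w /var/log/audit/ -p rwa -k audit-log-access
SAMPLE = '''\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=0 comm="cat" exe="/usr/bin/cat" key="audit-log-access"
type=PATH msg=audit(1700000000.101:501): item=0 name="/var/log/audit/audit.log" nametype=NORMAL
type=SYSCALL msg=audit(1700000050.220:502): arch=c000003e syscall=263 success=yes exit=0 auid=1002 uid=0 comm="rm" exe="/usr/bin/rm" key="audit-log-access"
type=PATH msg=audit(1700000050.220:502): item=0 name="/var/log/audit/" nametype=PARENT
type=PATH msg=audit(1700000050.220:502): item=1 name="/var/log/audit/audit.log.1" nametype=DELETE
type=SYSCALL msg=audit(1700000090.007:503): arch=c000003e syscall=257 success=no exit=-13 auid=4294967295 uid=33 comm="python3" exe="/usr/bin/python3" key="audit-log-access"
type=PATH msg=audit(1700000090.007:503): item=0 name="/var/log/audit/audit.log" nametype=NORMAL
type=SYSCALL msg=audit(1700000100.000:504): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 comm="vim" exe="/usr/bin/vim" key="other-rule"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # captures the event serial
# PATH nametype -> kind of access. Reads and in-place changes both show as NORMAL.
ACTION = {"NORMAL": "access", "CREATE": "addition", "DELETE": "deletion"}
UNSET_AUID = "4294967295"  # auditd's value when no login session is attached

def log_access_events(text, key="audit-log-access"):
    """Return (serial, account, exe, path, action, success) per touched log file."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group(1)]  # records sharing a serial belong to one event
        if f.get("type") == "SYSCALL":
            ev.update(auid=f.get("auid"), exe=f.get("exe"),
                      success=f.get("success") == "yes", key=f.get("key"))
        elif f.get("type") == "PATH" and f.get("nametype") in ACTION:
            ev["paths"].append((f.get("name"), ACTION[f["nametype"]]))
    report = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        if ev.get("key") != key:
            continue  # not produced by the audit-log watch rule
        account = "unattributed" if ev["auid"] == UNSET_AUID else ev["auid"]
        for path, action in ev["paths"]:
            report.append((int(serial), account, ev["exe"], path, action, ev["success"]))
    return report

if __name__ == "__main__":
    for row in log_access_events(SAMPLE):
        print(row)
```

The `auid` field is the login account that persists across `su` and `sudo`, which is what allows an access to be tied to an individual rather than to root. Events reported as "unattributed" or with a failed result are the ones to review first.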