PCI Requirement 10.2.6 – Initialization, Stopping, or Pausing of the Audit Logs

PCI Requirement 10.2.6 – Initialization, Stopping, or Pausing of the Audit Logs

What Does the Initialization, Stopping, or Pausing of Audit Logs Indicate?

Stopping or pausing audit logs prior to performing malicious activities is a common practice for users hoping to avoid detection, and initialization of audit logs could indicate that the log function was disabled by a user. This is why PCI Requirement 10.2.6 requires that audit trails can reconstruct the initialization, stopping, or pausing of audit logs.

To demonstrate compliance with PCI Requirement 10.2.6, an organization will show an assessor evidence of audit logs for the initialization, stopping, or pausing of audit logs.

Video Transcript

The next requirement around logging is that anytime the operations system or an application should stop the logging or the logs, or if the logging mechanism starts, we need to see a log of that. The reason for that can be understood from a hacker’s perspective. If Hacker Joe was in your environment, one of the things that he’s going to try to do is to hide his actions by shutting off the logs. So once again, anytime that the logs are stopped or the logs are starting, we’re going to look to see that particular event is logged.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *