PCI Requirement 10.6.2 – Review Logs of All Other System Components Periodically Based on the Organization’s Policies and Risk Management Strategy
How to Prioritize Log Review
PCI Requirement 10.6.1 requires daily review of logs of system components that store, process, or transmit cardholder data, logs of all critical system components, and logs of all servers and system components that perform security functions. But what about all other system components? PCI Requirement 10.6.2 addresses this and requires that organizations review logs of all other system components periodically based on the organization’s policies and risk management strategy. PCI Requirement 10.6.2 allows you to prioritize your log review program and apply log review in an appropriate way.
How do you determine what are “all other” system components? Based on your organization’s annual risk assessment, you’ll be able to determine which logs should reviewed on a periodic basis. For example, if you have a receptionist’s workstation that is in scope because of connectivity and a database that has millions of credit card numbers, you’re going to want to prioritize reviewing database logs. Going through an annual risk assessment will help determine which components should or should not be prioritized for log review.
PCI Requirement 10.6.2 is another one of these requirements that is new to the standard. What it says is that you can review all other logs on a periodic basis. We go back to PCI Requirement 6.1, and the requirements there talk about reviewing the logs for all systems that store, process, transmit, and provide security services. One of the things that it allows you to do is to prioritize your log review program. For example, if you have an administrator that has access to a database, you’re going to want to look at that database logs pretty much every day. But if you have a receptionist whose work station is in scope just because of connectivity, are you going to want to spend the same level of diligence around the receptionist’s desktop as you do the database that might contain a million credit card numbers? Probably not. So, PCI Requirement 10.6.2 recognizes that and it allows you to apply your log review resources in the most appropriate way. If you as an organization are going to be looking at these other logs on a periodic basis, you’ll need to do a risk analysis to define when and how often we’re going to be reviewing these and, once again, make sure that where there’s items identified, you’re following up with those as appropriate.