Once an organization has completed its log review, it must follow up on the exceptions and anomalies identified during the review process. The purpose of PCI Requirement 10.6.3 is a little obvious, right? If exceptions and anomalies are not investigated, then what’s the point of the log review process? The follow-up process helps make organizations aware of unauthorized activities occurring in their network.
During an assessment, policies and procedures and risk assessment documentation will be examined to verify that follow-up is happening on exceptions and anomalies identified during the review process.
PCI Requirement 10.6.3 talks about the need to follow up on any anomaly. Anytime you have a log, you should set up alerts and notifications that identify an anomaly. Your assessors, from a technology perspective, will look at how you are alerted that there’s an anomaly within your environment. They’ll also be looking for specific evidence that you’ve followed up on these specific incidents within your environment. It’s not enough to just log these events; it’s also required that you follow up and take appropriate action on any of these incidents that might impact your cardholder data environment.
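To make the two halves of the requirement concrete, here is an added example (not code from the original article or from the PCI SSC): a small log-review pass that raises findings for two constructed anomaly rules, and a follow-up record that captures the evidence an assessor would ask for. The log lines, the threshold of five failed logins, the business-hours window, and the `Finding` record format are all assumptions made for this example.

```python
"""Added example: minimal log review with tracked follow-up (not from the original page)."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
import re

# Constructed sample syslog-style lines; not real data.
SAMPLE_LOG = """\
2024-03-01T02:14:05 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T02:14:09 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T02:14:12 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T02:14:15 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T02:14:18 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T03:02:41 sshd[102]: Accepted password for dbadmin from 198.51.100.5
2024-03-01T09:15:00 sshd[103]: Accepted password for alice from 192.0.2.10
2024-03-01T10:20:30 sshd[104]: Failed password for bob from 192.0.2.11
"""

LINE_RE = re.compile(r"^(\S+) \S+: (Failed|Accepted) password for (\S+) from (\S+)$")
FAILED_LOGIN_THRESHOLD = 5      # assumed threshold for this example
BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59 window


@dataclass
class Finding:
    """One exception/anomaly raised by log review; stays 'open' until followed up."""
    finding_id: int
    rule: str
    detail: str
    status: str = "open"
    follow_up: list = field(default_factory=list)


def review_log(text):
    """Scan log lines and return the findings that need follow-up."""
    failures = Counter()
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        hour = datetime.fromisoformat(ts).hour
        if outcome == "Failed":
            failures[(user, src)] += 1
            # Raise once, when the repeated-failure threshold is reached.
            if failures[(user, src)] == FAILED_LOGIN_THRESHOLD:
                findings.append(Finding(len(findings) + 1, "repeated-auth-failure",
                                        f"{user} from {src}: {FAILED_LOGIN_THRESHOLD} failures"))
        elif hour not in BUSINESS_HOURS:
            findings.append(Finding(len(findings) + 1, "off-hours-login",
                                    f"{user} from {src} at {ts}"))
    return findings


def record_follow_up(finding, analyst, action, disposition):
    """Attach the investigation evidence (who, what was done, outcome) and close the finding."""
    finding.follow_up.append({"analyst": analyst, "action": action, "disposition": disposition})
    finding.status = "closed"


def unresolved(findings):
    """The compliance check: every anomaly still lacking documented follow-up."""
    return [f for f in findings if f.status != "closed"]


if __name__ == "__main__":
    found = review_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f.status}] #{f.finding_id} {f.rule}: {f.detail}")
    record_follow_up(found[0], "analyst-1", "verified no successful login; source blocked", "brute-force attempt")
    print("still unresolved:", [f.finding_id for f in unresolved(found)])
```

The point of `unresolved()` is that it is the question an assessor asks: not "did you log it?" but "is there a documented disposition for each exception?" Any finding that stays open is a gap against the requirement.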