Monitoring Mechanisms in Incident Response Plans
PCI Requirement 12.10.5 states that your incident response plan should, “Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.” We’ve talked about these monitoring mechanisms in PCI Requirement 10 and PCI Requirement 11, but what do they have to do with incident response? The PCI DSS explains, “These monitoring systems are designed to focus on potential risk to data, are critical in taking quick action to prevent a breach, and must be included in the incident-response processes.”
Back in PCI Requirement 10, we talked about logging, log review, and responding to anomalies. Understand that everything that shows up in a log is an event, but an event is not automatically an incident. It becomes an incident only once your organization has triaged that event and determined that there is something that needs to be reacted to.
Your incident response plan needs to include file integrity monitoring, your IPS/IDS, and all of the other systems that you're capturing logs from. It's not sufficient to have these systems creating logs; we have to be reviewing those logs, and the log review process itself has to be part of the plan. When we identify that an event is now an incident, what needs to be done next must be specifically called out in your incident response plan.
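As an added illustration of the event-to-incident triage described above (example code, not from the PCI DSS or this article), the following Python takes alerts from the four monitoring sources named in 12.10.5, keeps every one as an event, and promotes only those that meet constructed escalation rules to incidents; the rules, the CDE host list and the sample alerts are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    source: str    # "ids", "ips", "firewall" or "fim" (the 12.10.5 sources)
    host: str
    detail: str
    severity: str  # "low", "medium" or "high"

@dataclass
class Incident:
    host: str
    reason: str
    events: list = field(default_factory=list)  # the events behind the decision

# Constructed triage thresholds; a real plan sets these per environment.
WINDOW = timedelta(minutes=15)
CDE_HOSTS = {"pos-db-01", "payment-gw-01"}  # assumed cardholder data environment

def triage(events):
    """Every alert stays an event; return only those promoted to incidents."""
    events = sorted(events, key=lambda e: e.ts)
    incidents = []
    for i, e in enumerate(events):
        # Rule 1: a high-severity alert on a CDE host is an incident by itself.
        if e.severity == "high" and e.host in CDE_HOSTS:
            incidents.append(Incident(e.host, "high-severity alert on CDE host", [e]))
        # Rule 2: a FIM change on a host the IDS/IPS alerted on within WINDOW
        # corroborates that alert, so the pair is escalated together.
        elif e.source == "fim":
            related = [p for p in events[:i] if p.host == e.host
                       and p.source in ("ids", "ips") and e.ts - p.ts <= WINDOW]
            if related:
                incidents.append(Incident(e.host, "file change after IDS/IPS alert",
                                          related + [e]))
    return incidents

# Constructed sample alerts from the four monitoring sources.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE = [
    Event(T0, "firewall", "web-01", "denied inbound 445/tcp", "low"),
    Event(T0 + timedelta(minutes=2), "ids", "pos-db-01", "SQLi signature match", "medium"),
    Event(T0 + timedelta(minutes=7), "fim", "pos-db-01", "/etc/passwd modified", "medium"),
    Event(T0 + timedelta(minutes=9), "fim", "build-01", "/opt/app/bin changed", "medium"),
    Event(T0 + timedelta(minutes=30), "ips", "payment-gw-01", "exploit attempt blocked", "high"),
]
```

Calling `triage(SAMPLE)` yields two incidents (the corroborated change on pos-db-01 and the high-severity IPS alert on payment-gw-01) while the firewall denial and the uncorroborated build-01 change remain logged events only.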