1 minute read
3.11 Requirement 11: Regularly test security systems and processes
• Unusual patterns of activity, for example, late at night • Changes to system settings • Suspicious network activity
Audit logging is required to detect and report on the following types of events: • User identification • Dates and times of key events, for example, log on/log off • Success and failure in system access attempts • Success and failure in data and other resource access attempts (i.e. cardholder data) • Changes to system parameters and configurations • Use of system utilities and applications • Actions taken by users with administrative privileges A time synchronization mechanism needs to be in place to ensure all systems are synced with an industry-accepted time source. This means that, when reviewing logs, the correct time and date of an event is shown, regardless of the device involved. Finally, it is required that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
Relevant Toolkit Documents
• Technical Vulnerability Management Policy • Network Security Policy • CDE Asset Inventory Database • Security Incident Response Procedure • Risk Assessment and Mitigation Process • Risk Mitigation Plan • Change Management Process • Procedure for Monitoring the Use of IT Systems • Information Security Policy
One of the best ways to ensure the organization’s security controls are enough is to perform regular vulnerability testing. This requirement ensures that testing is completed frequently, and against industry-known best practices. Testing is broken down into several areas below and PCI DSS requires each test to be completed at certain times annually. Areas to be tested include:
• Internal and external vulnerability scans – to be completed at least quarterly by an approved scanning vendor (a list of these can be found on the PCI DSS website) • External penetration scan at least annually or after any significant change that could affect the CDE