PCI "Daily Review" Reports?
I'm new to this forum, so I apologize if this has been covered, but I was unable to find anything via a search.
I am looking for some guidance on what reports organizations are using to satisfy the PCI "Daily log review" requirement. I have gone through the canned PCI reports and found most of them add very little value...in fact many are missing some critical fields that I have been adding to custom reports. We will be experiencing our first PCI audit in the coming months and I am just trying to understand specifically what others are viewing to satisfy this requirement. I can come up with lots of useful reports from a security standpoint, but the reality is that the sheer volume will prohibit effective remediation, so I am planning a phased approach to those: my immediate goal is compliance, security will take time.
Sorry for the long winded description and thanks in advance for any help/advice you can offer.
I too am new to the forum and recently inherited enVision from an employee who "decided to pursue opportunities elsewhere." Anyway, one thing that I am responsible for is reviewing daily PCI reports. Our PCI reports (in the general sense) consist of the following daily reports:
2. Operating System reports (Unix/Windows)
3. PCI-related application reports
Because I am new to enVision, I am not 100% sure that these are the "canned" reports – they do not look like it, but rather, modifications of canned reports customized to our organization.
The reports are scheduled (and archived) and are sent via email to the key stakeholders for review. So far, we have satisfied PCI audit requirements. (We are a Fortune 500 bank with over 25,000 employees and one of the largest credit card processors in the United States.)
Thanks for the response.
I also inherited this. I am currently taking the approach of focusing on compliance only, meaning I am customizing and/or creating reports to demonstrate we are collecting the events we are supposed to collect, then alerting if that stops for any reason. Aside from that, I am generating alerts for some PCI policy violations, such as interactive login for a shared account (like "root"), which we are not supposed to use unless absolutely necessary.
I just wish there were some kind of enumerated list of what the auditors expect as part of the daily review. I have lots of ideas for things we should, and will over time, look at, but we simply will not be at that point for at least a year.
Anyways, thanks again!
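The two checks the poster describes above (prove that every required source is still sending events, and flag interactive logins to shared accounts) can be expressed as a small script over daily log exports. The following is an added example, not code from the thread or from enVision; the record layout, host names, account list and the 24-hour silence threshold are all constructed assumptions.

```python
# Added example: a minimal "daily review" pass over constructed log records.
# Check 1: report required sources that have gone silent (collection stopped).
# Check 2: report interactive logins to shared accounts such as "root".
# Field names and log formats are assumptions, not enVision's schema.
import re
from datetime import datetime, timedelta

# Constructed sample events (ISO timestamps, host, raw message).
SAMPLE_EVENTS = [
    {"ts": "2009-06-01T08:12:03", "host": "db01",
     "msg": "sshd: Accepted password for root from 10.0.0.5 port 51022 ssh2"},
    {"ts": "2009-06-01T08:15:44", "host": "db01",
     "msg": "sshd: Accepted publickey for alice from 10.0.0.7 port 51030 ssh2"},
    {"ts": "2009-06-01T09:00:00", "host": "fw01",
     "msg": "%SYS-5-CONFIG_I: Configured from console by vty0"},
    {"ts": "2009-05-30T23:59:59", "host": "pos-app01",
     "msg": "appserver: heartbeat"},
]

# Sources that must appear in every daily review (assumed inventory).
REQUIRED_SOURCES = ["db01", "fw01", "pos-app01", "win-dc01"]

# Shared accounts whose interactive use must be justified (assumed list).
SHARED_ACCOUNTS = {"root", "administrator", "oracle"}

# Matches OpenSSH "Accepted <method> for <user> from <ip>" login lines.
LOGIN_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")


def parse_ts(value):
    return datetime.fromisoformat(value)


def collection_gaps(events, required_sources, now, max_silence=timedelta(hours=24)):
    """Return {host: last_seen_or_None} for required sources silent too long."""
    last_seen = {}
    for event in events:
        seen = parse_ts(event["ts"])
        host = event["host"]
        if host not in last_seen or seen > last_seen[host]:
            last_seen[host] = seen
    gaps = {}
    for host in required_sources:
        seen = last_seen.get(host)
        if seen is None or now - seen > max_silence:
            gaps[host] = seen
    return gaps


def shared_account_logins(events, shared_accounts=SHARED_ACCOUNTS):
    """Return (ts, host, account, source_ip) for each shared-account login."""
    hits = []
    for event in events:
        match = LOGIN_RE.search(event["msg"])
        if match and match.group(1).lower() in shared_accounts:
            hits.append((event["ts"], event["host"], match.group(1), match.group(2)))
    return hits


def daily_review(events, now, required_sources=REQUIRED_SOURCES):
    """Bundle both checks into one result a reviewer can sign off on."""
    return {
        "collection_gaps": collection_gaps(events, required_sources, now),
        "shared_account_logins": shared_account_logins(events),
    }


if __name__ == "__main__":
    review = daily_review(SAMPLE_EVENTS, datetime(2009, 6, 1, 12, 0, 0))
    for host, last in review["collection_gaps"].items():
        print(f"GAP   {host}: last event {last or 'never'}")
    for ts, host, account, ip in review["shared_account_logins"]:
        print(f"LOGIN {ts} {host}: shared account {account} from {ip}")
```

Run against a real export, the collection-gap list is the evidence that logging has not silently stopped, and the shared-account list is the item that needs a ticket or a written justification each day.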
One tool that I've used for other compliance measures is a compliance matrix. A decent one can be found here:
http://www.compliancehome.com/symantec/ (at the bottom of the page)
Compliance Matrix Poster for IT & Compliance Professionals
This matrix poster outlines IT Controls for security and privacy concerns related to regulatory compliance in the workplace. Topics addressed in this poster include:
Payment Card Industry (PCI)
NERC standards CIP
I also found a very helpful matrix on these forums that detailed the canned enVision reports to particular controls. You would have to map the report matrix controls to the controls on the poster for PCI. That would give you insight as to what auditors are looking for...or at least what you'll be audited against.
The report matrix was found in the Report forum, if I recall correctly. Maybe someone with more enVision experience can chime in on how to get you what you're looking for.
I agree, an enumerated list would be kick butt!!! Good luck.
1.) The default canned reports are written for a broad spectrum, you will always have to tweak or customize your reports for YOUR environment and YOUR auditor’s expectations.
2.) Remember to identify your assets first, then create groups based off those assets and run reports only against those assets (performance best practices).
3.) To force compliance of review, when you set the output of the report, send a link or send a reminder when done via SMTP (don’t include an attachment). This forces users to log in to review reports. Guess what? In the NIC_Audit table you can see all user actions (3.7 and above, it's very detailed), i.e. there is an event when you view your respective reports. Thus, giving you full compliance of auditing the reviewing of reports/data. This report can be easily built leveraging the NIC_Audit table.
4.) EnVision can be used as compensating controls to many other PCI sections aside from the ones listed in the marketing materials. Obviously I hence was compensating control.
Obviously doing your due diligence and mapping various reports to your PCI DSS would be an essential item before going to the ladder path.
Then the last comment obviously a plug, you can contact your account rep to have them discuss with you RSA’s compliance solutions and what they can assist you with as well. Cheers!
Good morning Dave,
Thanks for the response!
1.) I completely understand this, however I have found that many of the canned reports do not even contain the PCI required fields. PCI, as with other regulations, is generally not very explicit, however with regards to the information contained in logs (which I take to mean should also be contained in reports) it is very explicit. Yes I expected to have to tweak them but I am finding it necessary to completely rewrite them. As for MY auditor's expectations, well they are as clear and explicit as the requirements themselves!
2.) Absolutely agree, makes life easier on a number of levels.
3.) I was told by my RSA resources that the application could not actually do this, it could tell me a user logged in, but not what they had viewed. Consequently we pursued using our ticketing solution to provide this audit trail. Not a huge deal, but this is a "nice to have" feature.
4.) I'd love to see a detailed list of these alternate uses. We have identified a couple ourselves, but keeping a running list would certainly help myself and other customers. I am not sure what "Obviously I hence was compensating control." means.
I have certainly been taking the approach of mapping reports to PCI DSS. I believe this will eventually get me what we need, but I do wish this was better supported by RSA. What is the "ladder path"?
Again, I appreciate your response and your help.
Hello Adam -
Couple of key thoughts regarding your objectives:
1.) Not sure if you're expecting everything to be perfectly laid out, which is not the case. Tuning reports is a fact of life. If you feel you need to re-write them to change tables such as Global to Windows accounting or something, certainly it will buy you more as, remember, these are just canned reports. High level reports at that. Any audit will require much more and reports tweaked to your environment. I will take your remarks and make note of them as maybe more enhanced reports is what you're seeking. But please agree with me that the data is there and you have the ability to create them. In other audits I have been a part of, Big 4, C&C PWC, we have created near 40-50 reports just for enVision requirements.
2.) We will take this information off line and discuss these matters
3.) This was a new feature in 3.7 as it includes more robust logging features in the application. Also it is certainly there and available to you inside the NIC_Audit table. Could you contact your resources on-site as the report is already built?
4.) PCI DSS 6.4 Change Control Procedures. Leverage EnVision to monitor for Firewall config changes for example. Any WR MEM issued to FW report on as it should only happen during the allowed change windows, report on this for a compensating control to prove compliance. "Example". This is compensating control as you still have to document your procedures, back out policies, etc.. for the rest of 6.4
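The PCI DSS 6.4 example above (report every firewall "write memory" and confirm it happened inside an approved change window) is easy to turn into a daily report. The following is an added example, not code from the thread or from RSA; the simplified log line layout, the command list and the Saturday/Sunday 02:00-06:00 windows are constructed assumptions that you would replace with your own change calendar.

```python
# Added example: flag firewall configuration saves ("write memory") that fall
# outside an approved change window, as evidence for a PCI DSS 6.4
# compensating control. The log shape and the windows are assumptions.
from datetime import datetime, time

# Assumed approved change windows as (weekday, start, end);
# weekday 5 is Saturday and 6 is Sunday, matching datetime.weekday().
CHANGE_WINDOWS = [
    (5, time(2, 0), time(6, 0)),
    (6, time(2, 0), time(6, 0)),
]

# Commands that persist a running configuration on common firewalls/routers.
SAVE_COMMANDS = {"write memory", "wr mem", "copy running-config startup-config"}

# Constructed lines in a simplified "<iso-timestamp> <host> <user> <command>" shape.
SAMPLE_LINES = [
    "2009-06-06T03:15:02 fw01 admin write memory",            # Saturday, in window
    "2009-06-09T14:22:10 fw01 jsmith write memory",           # Tuesday afternoon
    "2009-06-09T14:25:00 fw01 jsmith show running-config",    # not a save
    "2009-06-07T05:59:59 fw02 netops wr mem",                 # Sunday, in window
]


def parse_line(line):
    """Split one constructed audit line into its fields."""
    ts, host, user, cmd = line.split(" ", 3)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "cmd": " ".join(cmd.split()).lower(),
    }


def in_change_window(ts, windows=CHANGE_WINDOWS):
    """True when the timestamp falls inside any approved window."""
    clock = ts.time()
    return any(
        ts.weekday() == weekday and start <= clock < end
        for weekday, start, end in windows
    )


def out_of_window_saves(lines, windows=CHANGE_WINDOWS):
    """Return the parsed save events that happened outside every window."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event["cmd"] in SAVE_COMMANDS and not in_change_window(event["ts"], windows):
            hits.append(event)
    return hits


def change_window_report(lines, windows=CHANGE_WINDOWS):
    """Counts a reviewer can attach to the daily sign-off."""
    saves = [parse_line(l) for l in lines if parse_line(l)["cmd"] in SAVE_COMMANDS]
    violations = out_of_window_saves(lines, windows)
    return {"saves": len(saves), "out_of_window": len(violations), "events": violations}


if __name__ == "__main__":
    report = change_window_report(SAMPLE_LINES)
    print(f"{report['saves']} config saves, {report['out_of_window']} outside change windows")
    for ev in report["events"]:
        print(f"  {ev['ts']} {ev['host']} {ev['user']}: {ev['cmd']}")
```

Every row in the "out of window" list is either an emergency change that should have a ticket behind it or a procedure violation; either way it is the thing the daily reviewer has to explain, which is exactly what makes the report useful as a compensating control.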
1.) I do agree the data is there, and yes I do know and understand that tuning is a fact of life. I was just expecting more in terms of "what else" we should be reporting/reviewing. I too am nearing the 40-50 report count. I suppose some of my frustration is just due to my inexperience with the product, but I expected more out of the box in this area.
2.) Agreed, this is not the time or the place for that discussion. I have raised the issues with my account rep, and will continue to do so.
3.) I will look into this, but as I said we are now set up to leverage our ticketing system to provide the audit trail.
4.) Good example! It would be nice to see such examples written up and available to customers. Just a thought. Not asking for someone else to do all our thinking for us, but it would be nice not to always have to reinvent the wheel, so to speak.
On a side note, it would be nice if more customers were made aware of this forum! It was just mentioned to me last week at a support meeting, but I had already found it on my own. I suspect many, if not most, customers have no idea it even exists. Such a forum has the potential to be extremely effective, if participation grows. Just my humble opinion.
Again, thanks for taking the time to respond, greatly appreciated!
Great to hear you think all customers should be made aware of this forum! Now that we are reaching critical mass, the content value is steadily increasing.
We began heavily marketing it in March, started up a contest last month, mention it in the quarterly newsletters, promote it on the main enVision page of SCOL, and Paul just mentioned it in last Friday's SIEM blog post. We've also been promoting it heavily internally to sales, support and professional services so that they can continue to tell customers. Lastly, we just initiated monthly customer mailings with Intelligence Community highlights.
I am trying to get it added into the documentation for the enVision 4.0 release at the end of this year.
Do you have any other thoughts for how to communicate it better?
I suppose part of the problem on my end is that I do not receive any of the mailings. Most likely because I am not the "customer" of record (That would be someone in management above me...and it does not trickle down). It sounds like you are trying to cover all the bases; the only other thing I could think of would be sending it out to all SCOL subscribers, who are much more likely to be the actual enVision users, rather than the "customers" who would be the managers. Make sense?
Now that I know about it, I will get my whole team on here and try to use it as much as possible!