10.5.1 Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.
  • Examine documentation to verify that the following is defined:
    • Audit log retention policies.
    • Procedures for retaining audit log history for at least 12 months, with at least the most recent three months immediately available online.
  • Examine configurations of audit log history, interview personnel and examine audit logs to verify that audit log history is retained for at least 12 months.
  • Interview personnel and observe processes to verify that at least the most recent three months' audit log history is immediately available for analysis.

Description

Purpose

Retaining historical audit logs for at least 12 months is necessary because compromises often go unnoticed for significant lengths of time. Having centrally stored log history allows investigators to better determine how long a potential breach was occurring and which system(s) may have been impacted. By having the most recent three months of logs immediately available, an entity can quickly identify a data breach and minimize its impact.

Examples

Methods that allow logs to be immediately available include storing logs online (searchable without a restore step), archiving logs in a form that can be queried directly, or restoring logs quickly from backups. Whichever method is used, the retention window is measured per log source: a gap in one system's history is not covered by another system's logs.
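The testing procedures above ask the assessor to examine log configurations and confirm that 12 months are retained and the latest three months are online. The following Python is an added example of how an engineer might automate that check against an inventory of log segments; it is not part of the PCI DSS text and the `LogSegment` records, the source names `web01`/`db01`, and the assessment date are constructed for illustration. It checks each log source separately, treats "online" as a per-segment flag, and reports the exact day ranges that are missing from either window.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class LogSegment:
    """One contiguous run of retained audit log data for a single source.

    online=True means the segment can be searched without first restoring
    it from backup or cold archive (i.e. it is "immediately available").
    """
    source: str
    start: date   # first day covered, inclusive
    end: date     # last day covered, inclusive
    online: bool


def months_ago(today: date, n: int) -> date:
    """Same day-of-month n calendar months earlier, clamped to month length."""
    y, m = divmod(today.month - 1 - n, 12)
    y, m = today.year + y, m + 1
    return date(y, m, min(today.day, calendar.monthrange(y, m)[1]))


def merge(segments) -> list:
    """Merge overlapping or adjacent (start, end) day ranges, sorted by start."""
    merged = []
    for start, end in sorted((s.start, s.end) for s in segments):
        if merged and start <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def uncovered(ranges, window_start: date, window_end: date) -> list:
    """Day ranges inside [window_start, window_end] not covered by `ranges`."""
    holes = []
    cursor = window_start
    for start, end in ranges:
        if end < cursor:          # entirely before the part we still need
            continue
        if start > window_end:    # entirely after the window
            break
        if start > cursor:        # hole between cursor and this range
            holes.append((cursor, start - timedelta(days=1)))
        cursor = end + timedelta(days=1)
        if cursor > window_end:
            break
    if cursor <= window_end:      # tail of the window not covered at all
        holes.append((cursor, window_end))
    return holes


def check_retention(segments, today: date, retain_months: int = 12,
                    online_months: int = 3) -> dict:
    """Per-source report of gaps in the retention and online-availability windows."""
    report = {}
    for source in sorted({s.source for s in segments}):
        mine = [s for s in segments if s.source == source]
        retention_gaps = uncovered(merge(mine), months_ago(today, retain_months), today)
        online_gaps = uncovered(merge(s for s in mine if s.online),
                                months_ago(today, online_months), today)
        report[source] = {
            "retention_gaps": retention_gaps,
            "online_gaps": online_gaps,
            "compliant": not retention_gaps and not online_gaps,
        }
    return report


# Constructed inventory for illustration (not real data). web01 meets the
# requirement; db01 started archiving late and has a hole between its
# archive and its online store, so both windows show gaps.
TODAY = date(2024, 6, 30)
SAMPLE_SEGMENTS = [
    LogSegment("web01", date(2023, 6, 1), date(2024, 3, 31), online=False),
    LogSegment("web01", date(2024, 3, 1), date(2024, 6, 30), online=True),
    LogSegment("db01", date(2023, 9, 1), date(2024, 3, 31), online=False),
    LogSegment("db01", date(2024, 4, 15), date(2024, 6, 30), online=True),
]

if __name__ == "__main__":
    for source, result in check_retention(SAMPLE_SEGMENTS, TODAY).items():
        status = "OK" if result["compliant"] else "FAIL"
        print(f"{source}: {status}")
        for label in ("retention_gaps", "online_gaps"):
            for start, end in result[label]:
                print(f"  {label}: {start} .. {end}")
```

Note that the three-month window is computed in calendar months from the assessment date, so a source whose online store only holds "the current quarter" can still fail for the first days of the window; the report prints those days explicitly so the finding can be traced to a specific configuration.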