Posted by: Pabrai
The Payment Card Industry Data Security Standard (PCI DSS), with its 12 requirements that in-scope organizations must meet, is one of the most specific standards in the field of information security. Take, for example, Requirement 10.7, in the area of “Regularly Monitor and Test Networks”:
Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).
The standard supports this requirement with the following guidance on how to comply:
Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted.
By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing back-up tapes off-site may result in longer time frames to restore data, perform analysis, and identify impacted systems or data.
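Requirement 10.7 is really two checks: one year of history retained anywhere (online, archived or restorable), and the most recent three months online without a restore step. The following is an added example, not part of the original post or of the PCI DSS materials, that audits an inventory of rotated log files against both halves of the rule. It assumes daily rotation with the covered date embedded in the filename (e.g. auth.log-2024-03-15 or auth.log-2024-03-15.gz), and the inventory it runs against is a constructed sample, not real data:

```python
"""Added example: audit a log store against the PCI DSS 10.7 retention rule
(365 days retained, the last 90 days immediately available online).
Assumption: daily rotated logs carry the day they cover in the filename."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Rotation naming convention assumed for this example; adapt to your scheme.
DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")

REQUIRED_TOTAL_DAYS = 365   # "at least one year"
REQUIRED_ONLINE_DAYS = 90   # "a minimum of three months immediately available"


@dataclass
class RetentionReport:
    compliant: bool
    total_days_covered: int
    online_days_covered: int
    online_gaps: list[date] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)


def dates_from_names(names):
    """Days covered by rotated log filenames; names without a date are ignored."""
    return {date(*map(int, m.groups())) for m in map(DATE_RE.search, names) if m}


def check_retention(online_files, archive_files, today,
                    total_days=REQUIRED_TOTAL_DAYS,
                    online_days=REQUIRED_ONLINE_DAYS) -> RetentionReport:
    """Evaluate both halves of the rule: total history and the online window."""
    online = dates_from_names(online_files)
    archived = dates_from_names(archive_files)
    all_days = online | archived
    findings = []

    # Half 1: the oldest retained day (online or archived) must be at least
    # `total_days` ago. Anything restorable from backup counts here.
    total_covered = (today - min(all_days)).days + 1 if all_days else 0
    if total_covered < total_days:
        findings.append(
            f"only {total_covered} days of history retained; need {total_days}")

    # Half 2: every one of the last `online_days` days must be online.
    # A day that exists only in the archive is retained but fails this half,
    # because restoring it first is exactly the delay the guidance warns about.
    window = [today - timedelta(days=i) for i in range(online_days)]
    gaps = sorted(d for d in window if d not in online)
    if gaps:
        findings.append(
            f"{len(gaps)} day(s) of the last {online_days} not online; "
            f"earliest missing {gaps[0]}")
        archive_only = [d for d in gaps if d in archived]
        if archive_only:
            findings.append(
                f"{len(archive_only)} of those exist only in the archive "
                f"(restore from backup required before analysis)")

    return RetentionReport(
        compliant=not findings,
        total_days_covered=total_covered,
        online_days_covered=online_days - len(gaps),
        online_gaps=gaps,
        findings=findings,
    )


def build_sample_store(today, *, archive_days=400, drop_online_day=None):
    """Constructed sample inventory (not real data): 90 days online plus a
    compressed archive reaching back `archive_days` days. `drop_online_day`
    removes one day from the online set to simulate a premature move to tape."""
    online = [f"auth.log-{today - timedelta(days=i):%Y-%m-%d}"
              for i in range(REQUIRED_ONLINE_DAYS) if i != drop_online_day]
    archive = [f"auth.log-{today - timedelta(days=i):%Y-%m-%d}.gz"
               for i in range(30, archive_days + 1)]
    return online, archive


if __name__ == "__main__":
    today = date(2024, 6, 30)
    cases = [("healthy", {}), ("day 45 archived only", {"drop_online_day": 45}),
             ("short history", {"archive_days": 200})]
    for label, kwargs in cases:
        report = check_retention(*build_sample_store(today, **kwargs), today)
        print(f"{label:22s} {'PASS' if report.compliant else 'FAIL'}  "
              f"total={report.total_days_covered}d online={report.online_days_covered}d")
        for finding in report.findings:
            print("   -", finding)
```

The second case is the one auditors actually catch in practice: the log is retained, so the one-year half passes, but it has already been rotated to the archive inside the 90-day window, so it is not "immediately available". Run the check against your real online and archive listings (for example `os.listdir` on each location) on a schedule, and treat any finding as a gap to close before an assessment does.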
Your organization may be subject to multiple regulations, such as HIPAA, HITECH and state mandates. Researching the specific requirements of PCI DSS can be valuable as you establish standards in areas such as audit controls and information system activity review to address those mandates. PCI DSS is fairly specific in several areas in establishing the minimum capabilities required for managing cardholder information, and there is no reason the same controls cannot be applied to other sensitive or confidential information, such as PHI or EPHI, processed by your organization.
So is your organization required to comply with the PCI DSS mandate? Even if it is not, I would highly recommend you read and understand the PCI DSS standard. You will find it an invaluable resource that will have a positive impact on the development of your security plans, policies and procedures. I would highly recommend the PCI DSS standard as required reading for all information security professionals and executives.