When it comes to protecting information under PCI DSS, the guidance calls for consistent oversight of log data. But this objective is not as easy as it sounds. Organizations managing PCI data are supposed to review log data and periodically schedule an assessment to be completed by an outside party. However, with today’s economy and so much being asked of IT staff, I wonder if periodic review of sensitive data risk controls to comply with PCI DSS is adequate.
Daily review of log data is not easily accomplished. Engineers have operational awareness, administration and troubleshooting tasks that take precedence, so these daily reviews are regularly skipped in favor of more pressing work.
A well-known Windows consultant and security expert once told me that the first thing an attacker attempts to do is turn off the logs to cover their tracks. This makes sense, right?
Of course, without reliable daily reviews or log data from within the threat window, it is hard to imagine that the sensitive data protected by PCI controls is safe at all, given real-world human behavior.
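The two warning signs above (a source that has gone quiet and an explicit trace of logging being turned off) can be checked automatically rather than waiting for a daily review. The following is an added example, not code from the original post; the log format, the hostnames and the tamper patterns are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post): host, ISO timestamp, message.
SAMPLE_LOGS = """\
web01 2024-03-01T09:00:00 sshd: Accepted publickey for deploy
web01 2024-03-01T09:30:00 sshd: session opened for user deploy
web01 2024-03-01T09:31:00 auditd: audit log cleared by user deploy
db01 2024-03-01T09:00:00 postgres: checkpoint complete
db01 2024-03-01T12:00:00 postgres: checkpoint complete
db01 2024-03-01T15:00:00 postgres: checkpoint complete
"""

LINE_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) (?P<msg>.*)$")
# Hypothetical message patterns that indicate the logging pipeline itself was tampered with.
TAMPER_RE = re.compile(r"log (cleared|disabled|stopped)|auditd: .*(stopped|cleared)", re.I)


def parse(lines):
    """Turn raw lines into (host, timestamp, message) tuples; unparseable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["host"], datetime.fromisoformat(m["ts"]), m["msg"]))
    return events


def find_silent_hosts(events, now, max_gap):
    """Hosts whose most recent event is older than max_gap: a gap in the threat window."""
    last_seen = {}
    for host, ts, _ in events:
        last_seen[host] = max(ts, last_seen.get(host, ts))
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)


def find_tamper_events(events):
    """Events that record logging being cleared, disabled or stopped."""
    return [(h, ts, msg) for h, ts, msg in events if TAMPER_RE.search(msg)]


def review(lines, now, max_gap=timedelta(hours=2)):
    """Run both checks over a batch of log lines; returns the findings for alerting."""
    events = parse(lines)
    return {"silent": find_silent_hosts(events, now, max_gap),
            "tamper": find_tamper_events(events)}
```

Running the checks on a schedule (and alerting on any non-empty result) gives the continuous monitoring the post argues for, instead of relying on a review that may be skipped.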
Furthermore, the quarterly PCI assessment is expensive, time-consuming and likely quite ineffectual for protecting “always on” data access. Performing periodic PCI assessments was a step in the right direction, but in the real world we know that so much happens between periodic assessments that affects information security. Administrative identity and access management changes occur daily. Perimeter network security is constantly under pressure to turn back attackers. There is always the threat of insider attack as well.
The evolution of PCI data security controls should include:
Security pros agree that sensitive data would be much better protected. The only question is: Can the business case be put together to convince management to vastly improve information security to protect data under PCI DSS control?