May 11, 2007
File Integrity Monitoring and PCI DSS 1.1
I made an interesting observation today that seems to have gone under the radar regarding
file integrity montiring and the Data Security Standards. There is a change to requirement
11.5.
In DSS 1.0 ther requrement for file integrity solutions was such that critical file
comparisions had to be done “daily”.
In DSS 1.1 this was changed to “weekly”
This makes more sense as it has always been a sticking point when it came to real
world practicality. In essence it allows merchants and service providersto have
a scheduled process that can accomodate alot of more network centric solutions in
the marketplace that rely on scheduling rather than an automated agent driven solution
like Tripwire. Agents are tough to deploy in large distributed environments and tend
to have a lot higher TCO (total cost of ownership). I assume this change was made
since many PCI assessments had to compensate for their lack of daily file integrity
reviews.