
Payment Card Industry (PCI) Solution

Implementation: Section 10

PCI Requirement Check Point Solution
10. Track and monitor all access to network resources and cardholder data

10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

Check Point management tools allow administrators to create policies, including the mapping and assignment of groups (of users and endpoints) to resources. All Check Point products can log and report user access across Check Point gateways as well as log and report administrator changes on Check Point systems. Organizations can view this data in SmartViewTracker and in reports from Eventia Reporter.

10.2 Implement automated audit trails to reconstruct the following events:

all individual user accesses to cardholder data, all actions taken by any individual with root or administrative privileges, access to all audit trails, invalid logical access attempts, use of identification and authentication mechanisms, initialization of the audit logs, and creation and deletion of system-level objects.

Check Point's SmartCenter and Eventia Suite (Eventia Reporter and Eventia Analyzer) centralize logging, updates, monitoring, and reporting of system events and activity, enabling enterprises to gain a holistic picture of their security and network activity trends. The consistent presentation of data across the enterprise enables more effective data collection, analysis, and response.

The Eventia Suite collects, audits, correlates, and reports on logs and event activity across all Check Point products and across a diverse range of third-party products. Eventia Reporter gathers information to report on cross-product attacks, blocked traffic, login activity, and network activity. Eventia Reporter endpoint security reports include centralized reporting of Check Point Endpoint Security data on compliance violations, firewall events, blocked programs, Check Point Endpoint Security MailSafe events, spyware, Malicious Code Protector outcomes, and client errors. Eventia Reporter also provides reports on antivirus activity, Connectra, InterSpect, and VPN-1 Power VSX log reports.

The Eventia Suite enables enterprises to build audit trails of user access to cardholder data, administrator actions, invalid logical access attempts, and much more. Eventia Analyzer supports the initialization of audit logs and secure access to audit information, and allows for creation and deletion of system-level objects. In addition, Eventia Analyzer provides alerts when the audit logs are initialized and when system objects are created and deleted.

Check Point user authentication and logging features allow customers to implement audit trails to reconstruct and analyze system events.

10.3 Record at least the following audit trail entries for all system components for each event: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, system component, or resource.

All Check Point solutions can provide detailed logging and tracking of user and administrator activity of traffic passing through Check Point gateways. This includes information identifying sources/destinations and address/services, users when they are authenticated, time and date information, action, associated Check Point solution, and additional information that meets and exceeds the requirements of this section. Organizations can view this data in SmartViewTracker and in reports from Eventia Reporter. Eventia Reporter can record additional information if logged. It can be extended for log formats not available out of the box.

10.4 Synchronize all critical system clocks and times.

Check Point solutions can use standard synchronization protocols such as Network Time Protocol (NTP) to synchronize system clocks and times across all systems.

10.5 Secure audit trails so they cannot be altered.

The security of audit trails is the same as in all Check Point products, allowing the following: encrypted traffic to the log server, distributed log collection, visual forensic data retrieval, log rotation and archiving tools and policies, integration with Eventia Analyzer for event correlation and detection, integration with Eventia Reporter for trend analysis and report generation, LEA/ELA support for OPSEC partner third-party tools, and LEA/ELA support for customer-developed tools with the freely available OPSEC SDK.

Administrators have to log in to view the audit trail. Check Point also supports delegated administration so enterprises can specifically state within administrator profiles if they have read/write permissions for logs and audit trails.

Eventia Reporter provides the ability to generate offline logs so that they are difficult to access and alter.

Check Point VARs, SIs, and business partners can provide consulting services to help ensure the proper configuration of Check Point logging as well as strategies to protect the integrity of stored log data.

10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).

Section 10.6 addresses required processes for log review that can be assisted by Check Point's logging system. Eventia Suite allows administrators to regularly review logs from a comprehensive set of system components, including all Check Point devices and other prominent third-party products. Enterprise administrators can review logs at the frequency set by their security practices. Eventia Analyzer's centralized management console makes log and event correlation and analysis practical. Unified review, analysis, and reporting allow enterprises to gain a holistic picture of their security and network activity trends.

10.7 Retain audit trail for at least one year, with a minimum of three months available online.

Audit trails collected by Check Point management solutions can be easily and automatically exported and then retained for as long as desired by enterprises. Enterprises can use Eventia Reporter to maintain offline logs. Log files can be maintained in the original format and reloaded into Eventia Reporter when needed.

Check Point VARs, SIs, and business partners can provide consulting services to help develop proper data retention procedures that will include audit trails generated by Check Point solutions.
