PCI DSS Requirement 10.5.5 states that entities must restrict access to audit logs to those with a job-related need [1]. This is to prevent unauthorized or malicious users from tampering with or deleting the audit logs, which could compromise the integrity and availability of the logs and hinder the detection and investigation of security incidents. Audit logs contain sensitive and confidential information, such as cardholder data, user identities, system activities, and security events, and therefore must be protected from unauthorized viewing, modification, or deletion [2]. Individuals with a job-related need are those who have a legitimate and documented business reason to access the audit logs, such as system administrators, security personnel, auditors, or investigators [3]. Therefore, the correct answer is option D.
The other options are not true regarding the access control for audit log files. Option A is not true because individuals who performed the logged activity may not have a job-related need to view the audit logs, and may have a conflict of interest or malicious intent to alter or erase the logs. Option B is not true because individuals with read/write access may not have a job-related need to access the audit logs, and may pose a risk of unauthorized or accidental modification or deletion of the logs. Option C is not true because individuals with administrator privileges may not have a job-related need to access the audit logs, and may abuse their privileges or be targeted by attackers to compromise the logs.
References:
1. PCI DSS v3.2.1
2. Effective Daily Log Monitoring - PCI Security Standards Council
3. Logging for PCI DSS Compliance - Tueoris