
We have our cardholder data environment (CDE) hosted on-premise (private datacenter), except that the SIEM solution for logging and monitoring is implemented in a private cloud, where we are forwarding only security logs and not forwarding any logs relating to cardholder data / transaction logs. Do we still need to include the cloud-hosted SIEM solution in CDE scope for PCI DSS requirements?

1 Answer


The cardholder data environment (CDE) is limited to the network segments storing, processing or transmitting cardholder data. Your in-scope system components go beyond this CDE, as systems providing security or other services are in scope for validation, i.e. authentication, update/patch management, orchestration, anti-virus, logging, FIM.

So this means your SIEM solution needs to be validated. The system should do at least the following:

  • Capture the appropriate logs
  • Logs should be reviewed daily
  • The system should generate alerts
  • File Integrity Monitoring should be in place to protect the integrity of the logs
  • Log rotation/retention policies should be in place and enforced
  • Users of the system should be managed and monitored appropriately
  • The system should be maintained up to date

Either you or the cloud service provider must evidence all of the above, or your cloud service provider can provide evidence to show the above has already been validated, i.e. by providing an Attestation of Compliance for the scope of the service provided.

AndyMac
  • Thanks Andy, for sharing your thoughts. Also, any idea whether I need to have a DR site for logging or whether a backup plan alone is enough, I mean storing the raw logs in a hot site? Since I have noticed that PCI DSS didn't enforce a DR site in my cloud scenario. Can you help me with your thoughts? Thanks in advance! – bharathidasann Dec 09 '16 at 03:10
  • As you mention, this isn't covered within the PCI DSS. However, it would certainly be a good idea to have the raw logs stored with file integrity and backed up, so a full copy can be re-indexed and searched with full data available should the primary copy be corrupted in some way. The backup could be in long-term cloud-based storage or other to be cost effective and logically separate. – AndyMac Dec 12 '16 at 18:40
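Two of the bullets in the answer above (file integrity monitoring protecting the logs, and enforced retention) and the comment about keeping raw logs with file integrity are the parts that can be shown in code. The following is an added example, not code from the answer or from any SIEM product: it seals a sequence of log records into an HMAC hash chain so that any edit, deletion or reordering of the stored records is detectable, and classifies each record against a retention window so a daily job can decide what must stay immediately searchable and what may move to cold storage. The sample events, the sealing key and the record format are constructed for illustration; the 90-day/365-day defaults are the PCI DSS 10.7 minimums (one year retained, three months immediately available).

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample security events (not from the page). These are the kind of
# normalised events a SIEM ingests; no cardholder data is present in them.
SAMPLE_LOGS = [
    {"ts": "2016-12-01T08:00:00Z", "host": "fw-1", "event": "deny", "src": "10.0.0.5"},
    {"ts": "2016-12-01T08:05:12Z", "host": "db-1", "event": "login_failed", "user": "svc_pci"},
    {"ts": "2016-12-01T08:05:15Z", "host": "db-1", "event": "login_ok", "user": "svc_pci"},
    {"ts": "2016-12-01T09:30:00Z", "host": "fim-1", "event": "file_changed", "path": "/etc/passwd"},
]

# Hypothetical sealing key. In practice it lives with the SIEM (or an HSM), never
# on the log sources, so a compromised source cannot re-seal its own history.
SEAL_KEY = b"example-seal-key-not-for-production"
GENESIS = b"\x00" * 32


def canonical(record):
    """Stable byte encoding so an identical record always yields the same digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_logs(records, key=SEAL_KEY):
    """Return [(record, hex_digest)] where every digest covers the record and the
    previous digest. Editing, deleting or reordering any record breaks the chain
    from that point on; using HMAC rather than a bare hash means someone who can
    edit the file still cannot recompute a valid chain without the key."""
    sealed, prev = [], GENESIS
    for rec in records:
        digest = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        sealed.append((rec, digest.hex()))
        prev = digest
    return sealed


def verify_chain(sealed, key=SEAL_KEY):
    """Return the index of the first record that fails verification, or None
    when the whole chain is intact."""
    prev = GENESIS
    for i, (rec, digest_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), digest_hex):
            return i
        prev = expected
    return None


def parse_ts(ts):
    """Parse the ISO 8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def retention_tier(ts, now_ts, online_days=90, retain_days=365):
    """Classify a record by age for retention enforcement: 'online' (immediately
    available for analysis), 'archive' (retained, may be cold storage) or
    'expired' (past the retention period, eligible for purge). Defaults are the
    PCI DSS 10.7 minimums: one year retained, three months immediately available."""
    age = parse_ts(now_ts) - parse_ts(ts)
    if age <= timedelta(days=online_days):
        return "online"
    if age <= timedelta(days=retain_days):
        return "archive"
    return "expired"


if __name__ == "__main__":
    sealed = seal_logs(SAMPLE_LOGS)
    print("intact chain, first bad index:", verify_chain(sealed))

    # An attacker with write access to the log store rewrites a failed login.
    tampered = [(dict(rec), d) for rec, d in sealed]
    tampered[1][0]["event"] = "login_ok"
    print("after edit, first bad index:", verify_chain(tampered))

    # Daily review job: which records must stay online, which may be archived?
    for rec, _ in sealed:
        print(rec["ts"], retention_tier(rec["ts"], "2017-01-15T00:00:00Z"))
```

The chain only proves integrity of what the SIEM received; it says nothing about events a source never forwarded, which is why the answer also lists alerting and daily review. Verifying with the wrong key fails at index 0, which is the expected behaviour when a backup copy is re-indexed under a different key.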