PCI DSS 12.10.5: Include Security Monitoring Alerts in Your Incident Response Plan
Your incident response plan is only as effective as the alerts that trigger it. PCI DSS 12.10.5 requires organizations to formally document how they'll detect and respond to security events from intrusion-detection systems, web application firewalls, and file-integrity monitoring tools. Without this integration, critical security incidents may go unnoticed or unaddressed.
What this means
This control mandates that your incident response plan must explicitly include procedures for monitoring and acting on alerts from three key detection systems: intrusion-detection systems (IDS) that identify unauthorized network access attempts, Web Application Firewalls (WAF) that block malicious web traffic, and file-integrity monitoring (FIM) systems that detect unauthorized changes to critical files. Your plan must define who receives these alerts, how quickly they must respond, and what actions to take when each type of alert is triggered.
How to comply
- 1.Document all detection systems in use (IDS, WAF, FIM) and their alert capabilities in your IR plan
- 2.Define clear alert severity levels and corresponding response timeframes for each system type
- 3.Assign specific roles and responsibilities for monitoring and responding to alerts from each source
- 4.Establish escalation procedures when alerts indicate potential security incidents
- 5.Create playbooks for common alert scenarios from IDS, WAF, and FIM systems
- 6.Configure alert routing to ensure the right team members receive notifications immediately
- 7.Test alert detection and response procedures at least annually through IR drills
Evidence auditors look for
- Incident response plan that lists all monitoring systems with alert descriptions
- Alert routing and notification matrix showing which teams receive which alert types
- Documented response procedures for IDS alerts (e.g., for port scans, DDoS attempts)
- WAF alert handling procedures addressing blocked malicious requests
- FIM alert response steps for detecting unauthorized file modifications
- Incident response drill records demonstrating alert handling in practice
- Configuration screenshots showing alert thresholds and escalation rules
- Logs proving alerts were received, reviewed, and acted upon within defined timeframes
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically centralizes IDS, WAF, and FIM alerts into a single incident response dashboard with pre-built alert routing rules and response templates, eliminating manual alert management and ensuring your IR plan stays synchronized with your actual monitoring stack.
See how GRCWatch handles this control automatically
Start free trial