GRCWatch
Sign inStart free trial

PCI DSS 12.10.5: Include Security Monitoring Alerts in Your Incident Response Plan

Your incident response plan is only as effective as the alerts that trigger it. PCI DSS 12.10.5 requires organizations to formally document how they'll detect and respond to security events from intrusion-detection systems, web application firewalls, and file-integrity monitoring tools. Without this integration, critical security incidents may go unnoticed or unaddressed.

What this means

This control mandates that your incident response plan must explicitly include procedures for monitoring and acting on alerts from three key detection systems: intrusion-detection systems (IDS) that identify unauthorized network access attempts, Web Application Firewalls (WAF) that block malicious web traffic, and file-integrity monitoring (FIM) systems that detect unauthorized changes to critical files. Your plan must define who receives these alerts, how quickly they must respond, and what actions to take when each type of alert is triggered.

How to comply

  1. 1.Document all detection systems in use (IDS, WAF, FIM) and their alert capabilities in your IR plan
  2. 2.Define clear alert severity levels and corresponding response timeframes for each system type
  3. 3.Assign specific roles and responsibilities for monitoring and responding to alerts from each source
  4. 4.Establish escalation procedures when alerts indicate potential security incidents
  5. 5.Create playbooks for common alert scenarios from IDS, WAF, and FIM systems
  6. 6.Configure alert routing to ensure the right team members receive notifications immediately
  7. 7.Test alert detection and response procedures at least annually through IR drills

Evidence auditors look for

  • Incident response plan that lists all monitoring systems with alert descriptions
  • Alert routing and notification matrix showing which teams receive which alert types
  • Documented response procedures for IDS alerts (e.g., for port scans, DDoS attempts)
  • WAF alert handling procedures addressing blocked malicious requests
  • FIM alert response steps for detecting unauthorized file modifications
  • Incident response drill records demonstrating alert handling in practice
  • Configuration screenshots showing alert thresholds and escalation rules
  • Logs proving alerts were received, reviewed, and acted upon within defined timeframes

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically centralizes IDS, WAF, and FIM alerts into a single incident response dashboard with pre-built alert routing rules and response templates, eliminating manual alert management and ensuring your IR plan stays synchronized with your actual monitoring stack.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 12.10.1 — Incident Response Plan CreationPCI DSS 12.10.2 — IR Plan Roles and ResponsibilitiesPCI DSS 12.10.4 — IR Plan DocumentationPCI DSS 6.2 — Secure Development and Change ManagementPCI DSS 11.4 — Intrusion Detection and Prevention Systems