If companies wish to prove they comply with laws governing the handling of information, they must prove they can show when something happened, not simply that it happened — such as when someone accessed a file, created a document, sent an email or logged onto a system. That’s why laws like the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), FINRA’s Order Audit Trail System (OATS), the FDA’s Code of Federal Regulations (CFR), and the Payment Card Industry – Data Security Standards (PCI-DSS) are rife with regulations concerning the accuracy and trustworthiness of time stamps.

Sarbanes-Oxley requires public companies to assess the accuracy and reliability of systems in order to show who accessed what system logs, when and for how long. HIPAA protects patient privacy in part by regulating how hospitals, medical practices and payers use time stamps to control and audit system access. OATS requires that the time stamps on specific data elements related to the handling or execution of orders be within one second of the National Institute of Standards and Technology (NIST) atomic clock. CFR-21, Part 11 requires pharmaceutical manufacturers to employ procedures and controls to ensure the authenticity, integrity and confidentiality of electronic records. Those include measures to ensure the accuracy of computer-generated time stamps.

Timekeeping and Credit Card Security
The most far-reaching regulation, however, may be PCI-DSS in that it impacts every merchant that signs an agreement to accept credit or debit cards. PCI-DSS is the creation of the Payment Card Industry Security Standards Council, an organization made up of payment card providers that sets the industry’s security requirements. As of December 31, 2007, all merchants as well as credit and debit card payment processors must adhere to PCI Data Security Standards or face substantial fees, fines, and penalties. The amounts are very high and can be especially damaging for smaller merchants.

Requirement 10 — which mandates how companies should “track and monitor all access to network resources and cardholder data” — requires that whenever cardholder data or a system object is accessed, there is an audit trail for each such event that includes:

  • User ID
  • Event type
  • Date and time
  • Success or failure
  • Origination of the event
  • Identity or name of affected data, system component or resource

Requirement 10 also mandates specific steps companies must take to ensure time stamp accuracy — for example, that the network time server is running the most recent version of NTP and that links to external NTP services are protected from exploitation by attackers.

The common thread that runs through all these regulations is that it’s much harder to create a compliant environment — regardless of industry — without a modern, secure timekeeping infrastructure on which to build.

If your network falls under any of these compliance requirements, consider adding a Symmetricom SyncServer® to precisely time your network infrastructure. Learn more about how network time servers enable compliant timekeeping infrastructures.

This post was published in Symmetricom’s ThinkSync newsletter, January 2012.
For more information, see our NTP Servers page.

by Paul Ducklin, Sophos’s Head of Technology, Asia Pacific.
This post appeared on the Naked Security Blog, December 30, 2011.

Regular readers of Naked Security will know that I have some strong feelings about timestamps in logfiles.

In particular, the ambiguities created by logfiles based on local time – which is subject to local timezone regulations and changes – can work against your security interests.

Here’s one reason why:

"..Don't let year-ends, timezones, daylight saving changes or varying local conventions confuse your logs. If you suffer a breach, you will almost certainly want to put together an irrefutable historical sequence of events, based on your system logs, possibly from many systems and many locations.."

Local time can confuse even local residents, let alone outsiders trying to make sense of unqualified timestamps in logfiles some time after the event.


Wikipedia defines cloud computing as “the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).” And just as with the Internet, electric utilities, and telecommunications networks, precise timing is a key success factor in cloud computing.

Think about it. Cloud computing is based on the idea of multiple users accessing shared computing resources (servers, applications, storage, networks, etc.) without needing to know where these resources are physically located or even how much of a resource there is. Just like in the electric grid; as demand grows, more capacity comes online without users needing to request it. Theoretically, there could be an unlimited number of machines and software instances interoperating with each other, sharing data and computational tasks dynamically across wide geographic areas. Imagine what could happen if all these players aren’t kept precisely and reliably in sync.


Reports of stolen credit and debit card information have been much in the news recently — stolen either from individuals or from companies such as merchants and payment processors. Less publicized perhaps are steps the industry is taking to protect cardholder information.

One such step is development of standards, most notably the Payment Card Industry (PCI) Data Security Standard (DSS).


Enterprises that rely on “Internet time” to synchronize their networks may wish to rethink that strategy in light of what happened recently at some of the most widely used Internet time servers. On May 24th several of them began to report time inaccurately by as much as 680 seconds. Making matters worse, full service was not restored until three days later.

Here’s the lesson: if it can happen to trusted Internet time providers, it can happen anywhere — putting all organizations that rely on an Internet time source at risk.


SynCan 2011 was the 9th edition of our annual Canadian Synchronization Users Meeting, hosted by Symmetricom and Empowered Networks. This year’s event was held in beautiful Niagara-on-the-Lake, Ontario, at Queen’s Landing, on May 25th and 26th.

A warm thank you to all who invested their valuable time to join us, and make our 9th annual SynCan event the great success that it was.

NB. To access the session notes and more distributed to attendees, please register here.


Citing research by Cornell University and others, reports like one earlier this year from the BBC warn of probable GPS signal disruption in 2011-2012. “Sat-nav receivers will be blinded for tens of minutes, or more probably a few times a year at the solar maximum,” the BBC report states.

The problem: an intense period of solar flares that occurs roughly every 11 years, called the solar maximum. Charged particles from flares produce intense bursts of radio noise that peak in the 1.2 and 1.6 gigahertz bands used by GPS. Usually radio noise in GPS bands is very low so receivers can pick up signals from orbiting satellites, even though GPS signals themselves are very weak. Charged particles trapped in the ionosphere can cause additional disruption. The trapped particles create wide fluctuations in the time GPS signals take to traverse the ionosphere, causing significant timing calculation errors.


SynCan 2010 was held in Toronto, at the Westin Harbour Castle, overlooking Toronto Harbour.  Thanks to all who invested their valuable time to make our 8th annual SynCan another great success.   To access the session notes and information distributed to those who attended, please register here.

Overview
SynCan 2010 was the 8th annual Canadian Users Meeting, hosted by Symmetricom and Empowered Networks.  As in previous years, attendees included key representatives of the telecom, wireless and utility telecom marketplace in Canada.

Highlights
Some highlights from SynCan 2010, and attendee feedback:

  • Empowered’s Glen Emo opened up SynCan with lessons learned from Aloha Flight 243, drawing a parallel between the life expectancy of short-hop aircraft, and the legacy sync gear deployed in networks across Canada, now at or beyond End-of-Life
  • Material progress of standards around Telecom Synchronization, especially the IEEE 1588-2008 standard (aka. Precision Time Protocol or PTP), and Synchronous Ethernet (aka. SyncE)
  • Peter Roberts of Alcatel-Lucent highlighted the importance of PTP and SyncE to equipment manufacturers, and their solutions for Carrier Networks, and Services
  • Legacy Upgrade Programs generated lots of discussion around both the challenges highlighted by Rob Hockin, and the help our team can provide.  Some attendees have programs in place – others recognize the urgent need to get such programs underway.
  • The importance of sync to Power Utilities was an eye-opener for many attendees.  The developing Smart Grid will make sync even more important.
  • Attendees said their key priorities in Sync for 2010 ranged from modernizing existing Sync infrastructure, to testing and deploying PTP solutions.
  • There’s an evident need to concisely explain the importance of Sync to others. We’re presently working on a related initiative, and will share the results on this soon.
  • Attendee feedback strongly reflected that SynCan was an excellent learning opportunity
  • The venue for the group dinner was excellent – the views from the 38th floor, overlooking the islands of Toronto Harbour, the landing path for Island Airport and, as night fell, the Toronto skyline, were a highlight.
  • Our sincere thanks to Symmetricom for their generous support of SynCan 2010
