PCI Requirement 10.4.1 requires that critical systems have the correct and consistent time so that the chronological sequence of events can be recreated. Without proper and consistent synchronization, it is almost impossible to correlate logs across systems and determine the exact order in which events occurred. Compliance with PCI Requirement 10.4.1 is therefore crucial during incident response.
There are several testing procedures to verify compliance with PCI Requirement 10.4.1. The PCI DSS states that assessors should observe the process for acquiring, distributing, and storing the correct time within an organization and observe the time-related system-parameter settings for a sample of system components to verify that:
- Only the designated central time servers receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
- Where there is more than one designated time server, the time servers peer with one another to keep accurate time.
- Systems receive time information only from designated central time servers.
An assessor will follow these testing procedures and observe time management systems to ensure that critical systems have the correct and consistent time.
From a forensics perspective, if we try to recreate the chronology of what occurred and the systems involved are synchronized to different time sources, it becomes very difficult to establish what actually happened and in what order. For PCI Requirement 10.4.1, there are several testing requirements that we look for around the management of NTP, or the time management of your systems, to ensure that all of these critical systems are synchronized to the same time. This covers everything from having configuration standards that define how NTP is to be configured, to using designated time servers for the NTP service, to protecting the time synchronization process itself. From an assessment perspective, we are going to be asking for that data. We will pull the time configuration off of your firewalls, routers, domain controllers, and member servers, and we will compare it against your documented standards to confirm that the way you say NTP is managed is actually how it is implemented within the environment.
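As an added example that is not part of the original article, the following script automates the check an assessor performs by hand under testing procedures 10.4.1.a through 10.4.1.c: it parses ntpd/chrony style configuration pulled from a sample of hosts and compares the time sources it finds against a documented standard. The designated central time servers (10.0.0.11 and 10.0.0.12), the approved external sources, and the three configuration files are all constructed for illustration; substitute your own standard and the configurations you collect during the assessment.

```python
"""
Check collected NTP client configuration against a documented time standard.

Rules implemented (mirroring PCI DSS 10.4.1 testing procedures):
  a. only the designated central time servers may use external sources
  b. where there is more than one central server, they peer with one another
  c. all other systems take time only from the designated central servers
"""
import re

# Assumed documented standard (constructed values, not from the article).
DESIGNATED_TIME_SERVERS = {"10.0.0.11", "10.0.0.12"}        # central NTP servers
EXTERNAL_SOURCES_ALLOWED = {"time.nist.gov", "0.pool.ntp.org"}  # approved external sources

# Constructed sample configurations, as they might be pulled from hosts.
CENTRAL_SERVER_CONF = """
server time.nist.gov iburst      # external source: permitted on a central server
peer 10.0.0.12                   # peers with the other designated server
driftfile /var/lib/chrony/drift
"""

GOOD_MEMBER_CONF = """
server 10.0.0.11 iburst
server 10.0.0.12 iburst
"""

BAD_MEMBER_CONF = """
server 10.0.0.11 iburst
pool 2.debian.pool.ntp.org iburst   # member server reaching an external pool
"""

# ntpd and chrony both declare sources with server/pool/peer directives.
SOURCE_RE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)", re.IGNORECASE)


def parse_time_sources(conf_text):
    """Return [(directive, host), ...] from ntp.conf/chrony.conf style text."""
    sources = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = SOURCE_RE.match(line)
        if m:
            sources.append((m.group(1).lower(), m.group(2)))
    return sources


def check_host(hostname, conf_text, is_central):
    """Return a list of findings (empty list means the host meets the standard)."""
    findings = []
    sources = parse_time_sources(conf_text)
    if not sources:
        findings.append(f"{hostname}: no time sources configured")
    for directive, host in sources:
        if directive == "peer":
            if not is_central:
                findings.append(f"{hostname}: member system peers with {host}")
            elif host not in DESIGNATED_TIME_SERVERS:
                findings.append(f"{hostname}: peers with non-designated server {host}")
            continue
        if host in DESIGNATED_TIME_SERVERS:
            continue                          # rule c: designated central server
        if is_central and host in EXTERNAL_SOURCES_ALLOWED:
            continue                          # rule a: approved external source
        findings.append(f"{hostname}: unapproved time source {host}")
    if is_central and len(DESIGNATED_TIME_SERVERS) > 1:
        peers = {h for d, h in sources if d == "peer"} & DESIGNATED_TIME_SERVERS
        if not peers:
            findings.append(f"{hostname}: central server does not peer with another designated server")
    return findings


def check_sample(sample):
    """sample: [(hostname, conf_text, is_central), ...] -> all findings."""
    findings = []
    for hostname, conf_text, is_central in sample:
        findings.extend(check_host(hostname, conf_text, is_central))
    return findings


if __name__ == "__main__":
    sample = [
        ("ntp1", CENTRAL_SERVER_CONF, True),
        ("web01", GOOD_MEMBER_CONF, False),
        ("web02", BAD_MEMBER_CONF, False),
    ]
    for finding in check_sample(sample) or ["all sampled hosts match the time standard"]:
        print(finding)
```

The parser only understands ntpd and chrony configuration files; Windows domain controllers and member servers report their source through `w32tm /query /source`, which would need a separate collector. The point of the script is the comparison, not the parsing: a finding means the implemented configuration disagrees with the documented standard, which is exactly what the assessor is looking for.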