Outsourcing Time

What are the risks? Is my time provider compliant?

Time Setting Is a Critical Process. If time is not set correctly on your systems, they will eventually fail as applications become unable to authenticate users or determine the proper sequence of transactions. If you experience a system breach, it will become a nightmare to reestablish the proper sequence of the activities that led up to the breach. Financial and transaction records will become difficult to reconcile, leading your auditors and regulators to conclude that your control processes are insufficient. Worse, if you submit electronic data as part of litigation or a criminal investigation and your time stamps conflict or cannot be verified, you run the risk that your evidence will not be admissible.

Taking Time for Granted. Despite the importance of time setting processes, most businesses treat time like tap water - they take it straight from the “faucet” with little thought given to its source or accuracy. They obtain their time from the US government (GPS, the Naval Observatory, or the National Institute of Standards and Technology) or from voluntary organizations like pool.ntp.org or any of the other 3,000+ independent time servers on the Internet. Businesses blindly trust that the time they receive is accurate, giving little thought to the reliability of the provider.

The other problem is that the all-too-common slipshod approach to timekeeping has resulted in inaccurate and inconsistent time stamps on critical systems. For example, virtually all log management vendors refuse to generate reports based on timestamps generated by the customer, since it is a classic case of garbage in/garbage out. If they were to generate these reports, they know the results would be worthless. Also, auditors and regulators have not focused on sloppy time setting practices, primarily because there was (up until now) no efficient and effective solution. But with the advent of services such as those provided by Certichron, it is likely that time setting practices will receive closer scrutiny.

Outsourcing time. When a business gets time from the US government or pool.ntp.org, it has essentially outsourced a critical component of its time setting practices. Assessments of third-party providers are a major component of such laws as SOX, GLBA and the Bank Secrecy Act and such industry standards as the Payment Card Industry Data Security Standard (PCI DSS). As stated in the FFIEC Handbook on Outsourcing Technology Services, “Outsourced relationships should be subject to the same risk management, security, privacy, and other policies that would be expected if the financial institution were conducting the activities in-house.” To achieve that goal, the time provider should be assessed to determine if the service is:

  1. Accurate – Obtaining accurate time over the Internet is a complex process, especially due to network delays. Does your vendor have the necessary distributed architecture to minimize network latency issues? Will your time provider provide notification if the time settings on their systems or yours are not accurate?

  2. Reliable – Can you identify the specific time server that provides data to your financial institution? Is that time server maintained by a reliable business? Can the time provider’s service be easily corrupted or spoofed?

  3. Available – Has the vendor taken sufficient steps to ensure the high availability of its systems, such as multiple, redundant systems and fail-over sites? Will the vendor immediately notify you if their systems are unavailable?

  4. Consistent – Can your time provider provide consistent time settings to multiple locations across your business, especially if you operate in multiple states or internationally?

  5. Provable – Can you audit or assess your time provider’s controls and processes? Do they comply with FFIEC, FISMA, COBIT and other accepted standards? Are the systems and applications used by your vendor subject to the same development and change control processes that your institution uses?

  6. Warranted – Does your time source provide a service level agreement or other type of warranty? If something goes wrong with the time setting process, what is your recourse?
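The accuracy, reliability and provability questions above come down to measuring what a provider actually serves and recording who served it. As an added example (not Certichron's code), the following Python performs the SNTP clock-offset calculation from RFC 4330 on a server reply, rejects replies whose origin timestamp does not echo the request (a stale or forged reply), and reports the answering server's stratum and reference ID so the specific time source can be identified and the offset logged; the reply is a constructed fixture and the one-second alert threshold is an assumed value.

```python
"""SNTP (RFC 4330) client-side check: build a request, validate the reply, compute the
clock offset and round-trip delay, and report which server answered (stratum, reference ID).
Added example, not Certichron's code; the reply fixture is constructed so this runs offline."""
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
HEADER = "!BBBb11I"           # LI/VN/mode, stratum, poll, precision, then eleven 32-bit words

def to_ntp(unix):
    """Unix seconds (float) -> 64-bit NTP timestamp as (seconds, fraction)."""
    whole = int(unix)
    return whole + NTP_EPOCH_DELTA, int(round((unix - whole) * 2**32))

def from_ntp(secs, frac):
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def build_request(t1):
    """48-byte client request (LI=0, VN=4, mode=3) carrying t1 in the transmit field."""
    return struct.pack(HEADER, 0x23, 0, 0, 0, *([0] * 9), *to_ntp(t1))

def decode_ref_id(stratum, raw):
    # stratum 1: four-character source code (e.g. "NIST", "GPS"); stratum >= 2: upstream IPv4
    if stratum == 1:
        return raw.rstrip(b"\0").decode("ascii", "replace")
    return ".".join(str(b) for b in raw)

def check_reply(packet, t1, t4, max_offset=1.0):
    """Validate the reply to a request sent at t1 and received at t4 (client clock, Unix
    seconds); max_offset is an assumed alert threshold. Returns a dict ready for logging."""
    if len(packet) < 48:
        raise ValueError("reply shorter than 48 bytes")
    f = struct.unpack(HEADER, packet[:48])
    li, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if stratum == 0 or li == 3:
        raise ValueError("server reports itself unsynchronised (kiss-o'-death or LI=3)")
    if (f[9], f[10]) != to_ntp(t1):  # origin must echo our transmit timestamp exactly
        raise ValueError("origin timestamp mismatch: stale or forged reply")
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])  # server receive / transmit
    offset = ((t2 - t1) + (t3 - t4)) / 2      # RFC 4330 clock offset
    delay = (t4 - t1) - (t3 - t2)             # RFC 4330 round-trip delay
    return {"stratum": stratum, "ref_id": decode_ref_id(stratum, packet[12:16]),
            "offset": offset, "delay": delay, "alert": abs(offset) > max_offset}

def constructed_reply(t1, t2, t3, stratum=1, ref_id=b"NIST"):
    """Fixture: the reply a server would send (mode 4), echoing t1 as origin timestamp."""
    return (struct.pack("!BBBb2I", 0x24, stratum, 0, -20, 0, 0) + ref_id.ljust(4, b"\0")
            + struct.pack("!8I", 0, 0, *to_ntp(t1), *to_ntp(t2), *to_ntp(t3)))
```

On a live network the request from build_request would be sent over UDP port 123 and t1/t4 taken from the local clock around the send and receive; the returned dict is what a sync-monitoring job would log and alert on.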

Is your time provider compliant? If you apply these criteria to the most commonly used time providers, you might be surprised to find that Certichron is the only time provider that can meet these requirements:

Certichron maintains 25% of the NIST time server infrastructure in the United States, with time centers located in New York, Los Angeles, San Jose, Washington, DC and Chicago. With over 18 million weekly users of our systems, your business may already be using Certichron to set time on your corporate network. Certichron’s time comes from NIST, the legal source for time in the United States. Our systems are designed to assure high availability and security and to ensure that your time setting needs are supported. Our SecureNTP™ service provides verification, logging and alerts for all your time settings and compliance with such requirements as Section 10.4 of the PCI DSS. We also offer private access: dedicated extranet access to our timing centers for even greater accuracy and security.