Accurate Time Stamps


Apr 18th, 2015


The objective of PMC1 is to provide a means to ensure that accounting and auditing logs record accurate time stamps.

Protective Monitoring, also known as Good Practice Guide 13, or GPG13, is a UK government recommended set of people, business processes and technology for improving company risk profiles.

The GPG13 standard includes twelve Protective Monitoring Controls. The section below explains the requirements you must meet to fulfil your obligations for Protective Monitoring Control number one.

Depending on the Impact Level of the organisation's data that you are trying to protect, you will have one of four recording profiles.


The required Recording Profile for each Impact Level of data is described below:

Impact Level 1 Data – Recording Profile Aware

Impact Level 2 Data – Recording Profile Deter

Impact Level 3 Data – Recording Profile Deter

Impact Level 4 Data – Recording Profile Detect and Resist

Impact Level 5 Data – Recording Profile Defend

Impact Level 6 Data – Recording Profile Defend

Below is a summary of your obligations under each recording profile:

Aware

Ensure all accounting and audit logs include a time stamp

Any Alerts generated should also be timestamped and should reference the original audit log

Deter

Ensure you meet the requirements of lower recording profiles

Digitally sign the time stamp as a minimum

Hash the log file that stores the collected audit log

Detect and Resist

Ensure you meet the requirements of lower recording profiles

Hash the transaction and digitally sign, plus retain a copy of the audit log

Defend

Ensure you meet the requirements of lower recording profiles

Technology Required

NTP Server

Most Operating Systems have built-in time server capabilities, so you should not need to purchase separate software. It is important, however, that these NTP servers are synced with an external Atomic clock.

Log Management Software

The Log Management Software should be able to digitally sign the logs. At the higher marked data levels it is also recommended that it supports encryption and/or a hashing function.

It is important to ensure that the Log Management layer does NOT rely on Relational Databases, unless you are collecting logs from a very limited number of devices, as these types of systems will not scale in the majority of environments.

While Appliance-based solutions have the advantage of being quick to install, they require specialist knowledge to maintain and support. Often it would be better to obtain software that will run on your current server technology, that can be easily scaled and, more importantly, easily supported within the existing support structure.

Configuration Checking Software

Often the servers or network devices will set their time on start-up, and may or may not generate an audit log. If you only restart every ninety days or your device does not generate an audit log, then Configuration Checking Software will allow you to validate that your devices and Servers are configured with the correct NTP settings.

Notes:

It is expected that you have a master time server that all clocks are synchronised with. You should check that the systems are using this time server, at least weekly.

There is a requirement to have a tool that allows you to “Check System Status” as part of PMC4. It would therefore make sense for this tool to verify that your systems are configured with the correct time server settings; otherwise this will be a manual task.
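
The configuration check described above, sketched as an added example (not code from GPG13 or from any particular product). It reads ntp.conf or chrony.conf style text and reports hosts that do not point at the master time server. The approved server name, the host names and the sample configs are assumptions constructed for illustration.

```python
# Added example: audit NTP client configs against the approved master time server.
# APPROVED_SOURCES and the host names below are assumptions, not values from GPG13.
APPROVED_SOURCES = {"ntp-master.example.internal"}
SOURCE_DIRECTIVES = {"server", "pool", "peer"}  # used by both ntpd and chrony


def time_sources(config_text):
    """Return the set of time sources named in ntp.conf / chrony.conf text."""
    sources = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        fields = line.split()
        if len(fields) >= 2 and fields[0].lower() in SOURCE_DIRECTIVES:
            sources.add(fields[1].lower())
    return sources


def audit_host(config_text, approved=APPROVED_SOURCES):
    """Return a list of findings; an empty list means the host is compliant."""
    sources = time_sources(config_text)
    findings = []
    if not sources:
        findings.append("no time source configured")
    for src in sorted(sources - approved):
        findings.append(f"unapproved time source: {src}")
    if sources and not (sources & approved):
        findings.append("master time server not configured")
    return findings


def audit_fleet(configs, approved=APPROVED_SOURCES):
    """Map host name -> findings for every non-compliant host."""
    report = {}
    for host, text in configs.items():
        findings = audit_host(text, approved)
        if findings:
            report[host] = findings
    return report


# Constructed sample configs, as a collection job might gather them.
SAMPLE_CONFIGS = {
    "web01": "driftfile /var/lib/ntp/drift\nserver ntp-master.example.internal iburst\n",
    "db01": "# vendor default left in place\npool 0.pool.ntp.org iburst\n",
    "fw01": "driftfile /var/lib/ntp/drift\n#server ntp-master.example.internal\n",
}

if __name__ == "__main__":
    for host, findings in sorted(audit_fleet(SAMPLE_CONFIGS).items()):
        print(f"{host}: {'; '.join(findings)}")
```

Run on a weekly schedule, a check like this covers devices that only set their time at start-up and never log the event; a commented-out server line (fw01) is reported the same way as a missing one.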







© 2006-2017 Protective Monitoring – GPG13.