Clock Synchronization Procedure Reference No. xx Revision No. 1 Relevant ISO Control No. 10.10.6 Issue Date: June 19, 2013 Revision Date: June 19, 2013 Approved by: Title: Ted Harvey Director, Technology Services Version History Version # Version Date Author Summary of Changes 1.0 Jan 22 2012 Ted Harvey Approvals Name Title Date of Approval Version # Ray Hoppins Distribution Name Title Date of Issue Version No. Document Control Document Title Document Location Server Malware Protection http://xxx.chinooksedge.ab.ca/ Clock Synchronization Procedure Page 1
Clock Synchronization Procedure Page 2
Table of Contents 1.0 Overview...4 2.0 Purpose...4 3.0 Scope...5 4.0 Risks...6 The risks associated with the Procedure subject... Error! Bookmark not defined. 5.0 Procedure Detail...7 Detailed Procedure statements... Error! Bookmark not defined. More Content... Error! Bookmark not defined. Procedure Detail Sub Heading... Error! Bookmark not defined. More Content... Error! Bookmark not defined. 6.0 Enforcement...8 If any member of IT staff is found to have breached this Procedure, they may be subject to disciplinary action.... Error! Bookmark not defined. If any user is found to have breached this security Procedure, they may be subject to disciplinary action.... Error! Bookmark not defined. Any violation of the Procedure by a temporary worker, contractor or supplier may result in the termination of their contract or assignment... Error! Bookmark not defined. 7.0 Procedure Governance...9 8.0 Definitions...11 Detail any necessary definitions... Error! Bookmark not defined. More Content... Error! Bookmark not defined. 9.0 References...12 List any reference material used... Error! Bookmark not defined. More Content... Error! Bookmark not defined. Clock Synchronization Procedure Page 3
1.0 Overview The clocks of all relevant processing systems within the division shall be synchronized with an agreed accurate time source(s). 2.0 Purpose N e t w o r k a u t h e n t i c a t i o n p r o t o c o l s, t e l e p h o n e s y ste m s an d a ctivity a u dits rely o n a c c ur ate ti m e t o c orrelate s e c u r i t y e v e n t s a n d l o g s a c r o s s s y s t e m s. A l l s y s t e m c l o c k s s h o u l d b e a ut o m atically s y n c hr o nize d with a n a c c urate ti m e s o ur c e. Deter mi ni n g the ti m e e v e nt s to o k plac e is of para m o u nt i m p o r t a n c e f o r t h e p r o p e r l o g g i n g o f a u d i t t r a i l s, i n c i d e n t h a n d l i n g, s c h o o l b ells, vi d e o s ur v eillan c e, etc. Clock Synchronization Procedure Page 4
3.0 Scope This procedure encompasses any device that: 1. Creates activity, incident or authentications logs. 2. Timestamps digital records, e.g. records management software, email, video recordings. 3. Relies on time synchronization. 4. Uses time activation to initiate tasks, programs, etc. This includes, but is not limited to, printers, photocopiers, computers, switches and Servers. Clock Synchronization Procedure Page 5
4.0 Risks Inaccurate timestamps may reduce the originations ability to perform accurate auditing of incidents. Systems may initiate actions at the wrong time creating undesirable effects. The Integrity and/or Availability of data may be reduced. Clock Synchronization Procedure Page 6
5.0 Procedure Detail 1. The Division should include at least two synchronized time sources to retrieve time from on a regular basis, so time stamps are consistent, 2. Public Key and certification servers will use the division time ources to ensure Certification Authority uses accurate time stamps. 3. Internal clocks on systems should also be synchronized to match the operating system time. 4. Ensure that each system s clock is synched to a common time source, so that the timestamps will match those of other systems. Clock Synchronization Procedure Page 7
6.0 Enforcement Systems will be routinely checked by the Data owner at leat twice and year and confirmation logged in the site level documentation. Clock Synchronization Procedure Page 8
7.0 Procedure Governance The following table identifies who within CESD is Accountable, Responsible, Informed or Consulted with regards to this Procedure. The following definitions apply: Responsible the person(s) responsible for developing and implementing the Procedure. Accountable the person who has ultimate accountability and authority for the Procedure. Consulted the person(s) or groups to be consulted prior to final Procedure implementation or amendment. Informed the person(s) or groups to be informed after Procedure implementation or amendment. Responsible Core Team - Technology Services Accountable Director Technology Services Consulted Technology Committee, Informed All Technology Department Employees, All Contractors. Clock Synchronization Procedure Page 9
Clock Synchronization Procedure Page 10
8.0 Definitions TERM DEFINITION Clock Synchronization Procedure Page 11
9.0 References 10.10.6, ISO/IEC 27002 Code of practice for information security management, 2005 Kaon Security ISO 27002:2007 Audit Standard http://www.kaonsecurity.co.nz/tfcc_demo/nzs27002.html Unified Compliance (2005-12). Synchronize clocks to an accurate and universal time source. UCF ID 01340 http://www.unifiedcompliance.com/matrices/live/01340.html Clock Synchronization Procedure Page 12