Ensure the proper date and time entries are logged.

UCF ID: 01336

Control Type: Configuration

Status: Live

Supporting and supported controls

This control directly supports:

Implement a traceability standard. [UCF Control ID 00640]

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Exam Tier II Obj M.7; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-602.a; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § AU-8; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AU-8, AU-8.2; ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 8.2, § C.3; Australian Government ICT Security Manual (ACSI 33), § 3.7.16; DoD Instruction 8500.2 Information Assurance (IA) Implementation, ECAR-1

Banking and Finance Guidance

[Exam Tier II Obj M.7, FFIEC IT Examination Handbook – Information Security]

US Federal Security Guidance

The audit trail must record the date and time the event took place. [§ 8-602.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

Have you examined the Audit records to ensure that they contain the date and time of each event? [ECAR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

NIST Guidance

The organization must use internal system clocks to generate time stamps for audit records. [App F § AU-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

The system configuration should be examined to ensure time stamps are being used when audit records are generated. Organizational records and documents should be examined to ensure specific responsibilities and actions have been defined for the implementation of the timestamp control. Any problems discovered during the implementation of the timestamp control should be documented and used to improve the controls.
Test the system by generating auditable events at a known time and then check the audit trail to ensure the time stamps are functioning correctly.
Interviews should be conducted with personnel who configure the auditing time stamps and with personnel who are involved in the auditing process. [AU-8, AU-8.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

Each audit record should contain the date and time of the event. [§ 8.2, § C.3, ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008]

Asia and Pacific Rim Guidance

The audit log should record the date and time for each event that is recorded. [§ 3.7.16, Australian Government ICT Security Manual (ACSI 33)]