Configure the time server in accordance with organizational standards.


CONTROL ID: 06426
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures. (CC ID: 12001)

This Control has the following implementation support Control(s):
  • Configure the time server to synchronize with specifically designated hosts. (CC ID: 06427)
  • Restrict access to time server configuration to personnel with a business need. (CC ID: 06858)
  • Keep current the time synchronization technology. (CC ID: 12548)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Securing the virtualization platform - Privileged partition operating system hardening – (i) Limit VM resource use: set limits on the use of resources (e.g., processors, memory, disk space, virtual network interfaces) by each VM so that no one VM can monopolize resources on a system. (ii) Ensure t… (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 1 ¶ 9 a., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The system must have a defined time zone and date standard, since systems may span several time zones. (¶ 21.8 Bullet 4, Good Practices For Computerized systems In Regulated GXP Environments)
  • One or more designated time servers are in use. (10.6.2 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Time synchronization settings and data are protected as follows: (10.6.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine system configuration settings for acquiring, distributing, and storing the correct time to verify the settings are configured in accordance with all elements specified in this requirement. (10.6.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Where there is more than one designated time server, do the time servers peer with each other to keep accurate time? (PCI DSS Question 10.4.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Where there is more than one designated time server, do the time servers peer with each other to keep accurate time? (PCI DSS Question 10.4.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • One or more designated time servers are in use. (10.6.2 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Time synchronization settings and data are protected as follows: (10.6.3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Time synchronization settings and data are protected as follows: (10.6.3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • One or more designated time servers are in use. (10.6.2 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • One or more designated time servers are in use. (10.6.2 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Time synchronization settings and data are protected as follows: (10.6.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • One or more designated time servers are in use. (10.6.2 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Time synchronization settings and data are protected as follows: (10.6.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)