Financial services and related industries are regulated by laws, acts, standards and best practices such as Sarbanes-Oxley, the Payment Card Industry Data Security Standard (VISA CISP and others), OATS, FFIEC and Gramm-Leach-Bliley, which mandate that data and records be secure and accurate. Auditing systems need to verify that the time a transaction was made is accurate and authentic. Accurate time-stamps and audit trail support help achieve greater regulatory compliance.
Specific requirements are shown below. If you know of additional standards related to financial services, contact Tim Klimasewski.
Examples of Time Synchronization Standards and Best Practices in Financial Services
Payment Card Industry Data Security Standard - 10.4 Synchronize All Critical System Clocks & Time:
- NTP is used for time synchronization. Two or three central time servers within the organization receive external time signals (directly from GPS satellites, based on International Atomic Time and UTC (formerly GMT)), peer with each other to keep accurate time, and share the time with other internal servers (i.e., internal servers should not all be receiving time signals from external sources).
- NTP is running the most recent version.
- Specific external hosts are designated from which the time servers will accept NTP time updates (to prevent an attacker from changing the clock). Updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the NTP service (to prevent unauthorized use of internal time servers).
Visa CISP Payment Card Industry Security Standard Data Sheet
Payment Card Industry: Security Audit Procedures 
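The following is an added example, not part of the PCI DSS text or of this page: a small Python audit that checks the ntpd configuration of one central time server against the 10.4 points listed above (a designated source, peering between the central servers, a symmetric key on every association, and access control lists for clients). The sample configuration, hostnames, subnet and key id are constructed placeholders; `server`, `peer`, `keys`, `trustedkey` and `restrict` are standard ntpd directives.

```python
# Constructed sample: ntp.conf for one of the organization's central time servers.
# Hostnames, subnet and key id are placeholders, not values from the page.
SAMPLE_CONF = """\
keys /etc/ntp/keys
trustedkey 1
server gps-ref.example.internal key 1   # designated reference source
peer ntp2.example.internal key 1        # the other central servers
peer ntp3.example.internal key 1
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 10.20.0.0 mask 255.255.0.0 nomodify notrap
"""

def directives(conf):
    """Split ntp.conf text into token lists, dropping comments and blank lines."""
    rows = (line.split("#", 1)[0].split() for line in conf.splitlines())
    return [r for r in rows if r]

def key_of(row):
    """Return the key id following the 'key' option of a server/peer line, or None."""
    return row[row.index("key") + 1] if "key" in row[:-1] else None

def audit(conf):
    """Return findings for the 10.4 points checked here; an empty list means none."""
    rows, findings = directives(conf), []
    trusted = {k for r in rows if r[0] == "trustedkey" for k in r[1:]}
    servers = [r for r in rows if r[0] == "server"]
    peers = [r for r in rows if r[0] == "peer"]
    if not servers:
        findings.append("no designated time source (no 'server' line)")
    if not peers:
        findings.append("central server does not peer with the other time servers")
    for r in servers + peers:
        if key_of(r) not in trusted:
            findings.append(f"{r[0]} {r[1]}: no trusted symmetric key")
    # 'restrict default' may carry a -4/-6 flag, so match 'default' anywhere.
    default = [r for r in rows if r[0] == "restrict" and "default" in r]
    if not default or any("nomodify" not in r for r in default):
        findings.append("default access is not restricted with 'nomodify'")
    if not any(r[0] == "restrict" and "mask" in r for r in rows):
        findings.append("no client subnet ACL ('restrict <net> mask <mask>')")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

The check covers configuration only; whether NTP is running the most recent version has to be verified against the installed package.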
FINRA OATS - Rule 7430 - Clock Synchronization:
- Requires member firms that record order, transaction, or related data required by the By-Laws or other rules of NASD to synchronize all business clocks, including both computer system clocks and mechanical time stamping devices, that are used to record the date and time of any market event. In addition, the rule requires that member firms maintain the synchronization of such business clocks.
- All computer system clocks and mechanical time stamping devices must be synchronized to within three seconds of the National Institute of Standards and Technology (NIST) atomic clock.