Control 8.17: Clock Synchronization
Summary
The clocks of all relevant information processing systems within an organization or security domain should be synchronized to an approved reference time source. Accurate, consistent time-stamping is vital for incident investigation, log correlation, and the use of logs as legal evidence; recording time in UTC (or with an explicit offset) avoids ambiguity across time zones and daylight-saving changes.
Applicability
In-Scope: Mandatory for maintaining the integrity of the digital paper trail. It ensures that events recorded by different systems (e.g., a firewall and a server) can be placed in the correct order and reconstructed during a forensic investigation.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Reference Source: Configure the forest-root PDC emulator and any non-domain-joined Azure resources to synchronize with a reliable external Network Time Protocol (NTP) source, such as time.windows.com, with a second source configured as a fallback. Domain-joined servers and workstations should keep the default domain hierarchy so that the whole domain follows the same root source rather than a mix of manually configured peers.
- Managed Devices: Use Microsoft Intune to push the Windows Time Service settings (Administrative Templates > System > Windows Time Service > Time Providers, or an equivalent PowerShell script) so that all managed endpoint devices synchronize with the organization's approved time servers instead of whatever they were built with.
- Monitoring: Azure Monitor does not measure clock drift on its own; collect the Windows Time-Service events or a scripted offset measurement (for example the output of w32tm /stripchart) through the monitoring agent and alert on any system whose offset from the reference exceeds a defined threshold (e.g., 5 seconds) or that has not synchronized within its expected interval.
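As an added example that is not part of the control text or any Microsoft documentation, the following PowerShell configures the Windows Time service on a time-authoritative host (the PDC emulator or a non-domain-joined Azure VM) with a primary and a fallback NTP peer, then measures the local clock's offset against the reference, emits an evidence record, and lists recent Time-Service warnings. The fallback peer pool.ntp.org, the 24-hour event window and the helper function names are assumptions for illustration; the 5-second threshold is the page's own example value.

```powershell
# Added example: configure w32time with primary + fallback NTP peers, then
# measure offset against the reference and flag drift above a threshold.
# Run in an elevated PowerShell session on the time-authoritative host.
# Assumptions (not from the page): pool.ntp.org as fallback, 5 s tolerance.

$PrimaryNtp  = 'time.windows.com'
$FallbackNtp = 'pool.ntp.org'      # assumed fallback; replace with your own
$MaxDriftSec = 5.0

function Set-NtpPeers {
    # Only for the forest-root PDC emulator or non-domain-joined hosts;
    # domain members should keep the default domain hierarchy (NT5DS).
    param([string]$Primary, [string]$Fallback)
    # Peer flags: 0x8 = client mode, 0x2 = use as fallback only (0xa = both).
    $peerList = "$Primary,0x8 $Fallback,0xa"
    w32tm /config "/manualpeerlist:$peerList" /syncfromflags:manual /update | Out-Null
    Restart-Service -Name w32time
    w32tm /resync /nowait | Out-Null
}

function Get-NtpOffsetSeconds {
    # Median signed offset (seconds) of the local clock against $Server, parsed
    # from 'w32tm /stripchart' data lines such as '12:00:01, +00.0012345s'.
    # Error lines ('12:00:01, error: 0x...') do not match and are skipped.
    param([string]$Server, [int]$Samples = 5)
    $raw = w32tm /stripchart /computer:$Server /samples:$Samples /period:1 /dataonly
    $offsets = @(foreach ($line in $raw) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) {
        throw "No valid samples from $Server (w32tm output: $($raw -join ' | '))"
    }
    $sorted = @($offsets | Sort-Object)
    return $sorted[[int][math]::Floor($sorted.Count / 2)]
}

function Test-ClockDrift {
    # Builds one evidence record; OutOfTolerance is the alert condition.
    param([string]$Server, [double]$ThresholdSeconds)
    $offset = Get-NtpOffsetSeconds -Server $Server
    $status = (w32tm /query /status) -join "`n"
    $source  = if ($status -match 'Source:\s*(.+)')   { $Matches[1].Trim() } else { 'unknown' }
    $stratum = if ($status -match 'Stratum:\s*(\d+)') { [int]$Matches[1] }   else { -1 }
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        CheckedUtc       = [DateTime]::UtcNow.ToString('o')   # evidence in UTC
        Reference        = $Server
        ConfiguredSource = $source
        Stratum          = $stratum
        OffsetSeconds    = [math]::Round($offset, 3)
        OutOfTolerance   = ([math]::Abs($offset) -gt $ThresholdSeconds)
    }
}

function Get-TimeServiceWarnings {
    # Time-Service errors/warnings (unreachable peers, large offsets) from the
    # System log over the last $Hours hours. Level 2 = Error, 3 = Warning.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Time-Service'
        Level        = 2, 3
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# One-time configuration on the authoritative host (uncomment to apply):
# Set-NtpPeers -Primary $PrimaryNtp -Fallback $FallbackNtp

# Periodic check; the object can be exported as audit evidence or shipped to a SIEM.
$result = Test-ClockDrift -Server $PrimaryNtp -ThresholdSeconds $MaxDriftSec
$result | Format-List
if ($result.OutOfTolerance) {
    Write-Warning "Offset $($result.OffsetSeconds)s exceeds $MaxDriftSec s on $($result.Computer); forcing resync"
    w32tm /resync | Out-Null
}
Get-TimeServiceWarnings | Format-Table -AutoSize
```

The check portion (Test-ClockDrift and Get-TimeServiceWarnings) is safe to run on any Windows host and can be deployed to managed endpoints as an Intune PowerShell script, with the emitted object written to a log collected by the monitoring agent; only Set-NtpPeers changes configuration, and it should not be run on ordinary domain members because a manual peer list overrides the domain hierarchy.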
Evidence Checklist
- Clock Sync Policy: Documented standard for the organization's primary and fallback reference time sources, synchronization intervals, acceptable drift, and the time zone (preferably UTC) in which logs are recorded.
- Configuration Screenshots: Evidence from server settings (e.g., the output of w32tm /query /configuration and /query /status) or Intune profiles showing the configured NTP servers.
- Log Integrity Sample: A snapshot of logs from multiple systems for the same event (e.g., a login that passes a firewall and reaches a server) showing time-stamps that agree within the documented tolerance and in a common time zone; identical time-stamps are not expected, but the recorded sequence of events must be correct.
Practical Audit Advice
Here are some questions the auditor might ask:
- What is the organization's primary authoritative time source, and how is its reliability verified?
- How do you identify and remediate systems that have fallen out of sync with the reference clock?
- If the primary time source becomes unavailable, is there a secondary or backup NTP source configured, and has the failover been tested?
- How are time-stamps kept consistent for mobile users working across different time zones (e.g., are logs recorded in UTC regardless of the device's local time-zone setting)?