INF-014 Clock Synchronisation
Description
All production systems synchronise their clocks from approved, authoritative time sources (e.g., NTP servers). Clock drift is monitored and corrected. Accurate timestamps are critical for log correlation, audit trails, and incident investigations.
Rationale
Skewed clocks break log correlation across distributed systems, making incident investigation and compliance evidence unreliable.
Framework Mappings (4)
| Control ID | Control name | Coverage |
| --- | --- | --- |
| LOG-06 | Clock Synchronization | full |
| 8.17 | Clock synchronization | full |
| AU-8 | Time Stamps | partial |
| SC-45 | System Time Synchronization | full |
Evidence (2)
NTP configuration for all production systems showing synchronisation to approved, authoritative time sources with drift monitoring enabled.
Example: AWS CloudFormation or Terraform configuration showing NTP settings for EC2 instances (e.g., Amazon Time Sync Service), or equivalent time synchronisation configuration export for the production environment.
Test: Query the NTP configuration across a representative sample of production systems. Verify that: (1) all systems reference an approved NTP source (e.g., Amazon Time Sync, Google Time Servers, or equivalent); (2) no systems use ad-hoc or unapproved time sources; (3) clock drift monitoring is enabled and alerts are configured; (4) `chronyc tracking` or equivalent, run on a sample of hosts, reports an offset within the defined acceptable range.
NTP synchronisation logs or monitoring alerts confirming clock drift is detected and corrected across production systems.
Example: CloudWatch metric or equivalent monitoring alert history showing NTP drift metric values for production instances over the last 30 days, with any out-of-threshold events and their resolution.
Test: Query the monitoring platform for NTP drift metrics over the last 30 days. Verify: (1) drift metrics are being collected from all in-scope production systems; (2) any drift exceeding the defined threshold generated an alert; (3) alerts were actioned within the defined response window.
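The host-level checks from the first evidence test (approved source, no ad-hoc source, offset within range), as an added example that is not part of this control catalogue: it parses `chronyc tracking` output collected from sampled hosts and lists findings per host. The approved-source list, the 50 ms threshold, the host names and the sample outputs are assumptions constructed for illustration.

```python
import re

# Assumed policy values; the control leaves both to the organisation.
APPROVED_SOURCES = {"169.254.169.123"}  # Amazon Time Sync Service address
MAX_OFFSET_SECONDS = 0.050  # hypothetical "defined acceptable range"
# Constructed excerpts of `chronyc tracking` output for hypothetical hosts.
SAMPLES = {
    "app-01": "Reference ID    : A9FEA97B (169.254.169.123)\n"
              "System time     : 0.000001501 seconds slow of NTP time\n"
              "Leap status     : Normal",
    "app-02": "Reference ID    : A9FEA97B (169.254.169.123)\n"
              "System time     : 0.310000000 seconds fast of NTP time\n"
              "Leap status     : Normal",
    "app-03": "Reference ID    : CB00710A (203.0.113.10)\n"
              "System time     : 0.000020000 seconds slow of NTP time\n"
              "Leap status     : Normal",
    "app-04": "Reference ID    : 00000000 ()\n"
              "System time     : 0.000000000 seconds fast of NTP time\n"
              "Leap status     : Not synchronised",
}

def parse_tracking(text):
    """Split `chronyc tracking` output into a {field: value} dict."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def check_host(text):
    """Return a list of findings; an empty list means the host passes."""
    f = parse_tracking(text)
    findings = []
    if f.get("Leap status") == "Not synchronised":  # no usable time source
        findings.append("not synchronised")
    m = re.search(r"\((.*)\)", f.get("Reference ID", ""))  # name or address
    source = m.group(1) if m else ""
    if source not in APPROVED_SOURCES:
        findings.append(f"unapproved source: {source or 'none'}")
    m = re.match(r"([\d.]+) seconds (slow|fast)", f.get("System time", ""))
    if not m:
        findings.append("offset not reported")
    elif float(m.group(1)) > MAX_OFFSET_SECONDS:  # magnitude, either direction
        findings.append(f"offset {m.group(1)}s {m.group(2)} exceeds threshold")
    return findings

def audit(samples):
    return {host: check_host(out) for host, out in samples.items()}

if __name__ == "__main__":
    for host, findings in audit(SAMPLES).items():
        print(host, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

Entries in `APPROVED_SOURCES` must match the name or address exactly as `chronyc tracking` prints it in parentheses after the reference ID.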
Questions (2)
Do all production systems synchronise their clocks from approved, authoritative NTP sources, with clock drift monitored and corrected?
Cloud-native environments should use the cloud provider's time sync service (e.g. Amazon Time Sync Service, Google Time Servers). Drift monitoring should alert on offsets exceeding a defined threshold.
How are NTP synchronisation and clock drift monitored across production systems?
Automated drift monitoring with alerts is expected for environments where log correlation accuracy is required for compliance or incident response. Cloud provider defaults alone are insufficient.