10.6.3 Time synchronization settings and data are protected as follows:
Defined Approach Requirements
- Access to time data is restricted to only personnel with a business need.
- Any changes to time settings on critical systems are logged, monitored, and reviewed.
Customized Approach Objective
System time settings cannot be modified by unauthorized personnel.
Applicability Notes
Defined Approach Testing Procedures
10.6.3.a Examine system configurations and time-synchronization settings to verify that access to time data is restricted to only personnel with a business need.
10.6.3.b Examine system configurations and time synchronization settings and logs and observe processes to verify that any changes to time settings on critical systems are logged, monitored, and reviewed.
Purpose
Attackers will try to change time configurations to hide their activity. Therefore, restricting the ability to change or modify time synchronization configurations or the system time to administrators will lessen the probability of an attacker successfully changing time configurations.
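The logging-and-review bullet of 10.6.3 in working form, as an added example that is not part of the PCI DSS text: a Python script that parses constructed Linux auditd records for time-change events and flags any actor outside a hypothetical allow-list of personnel with a business need. The `time-change` rule key, the sample records and the allow-list are assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample records (not a real capture) in the shape of Linux auditd SYSCALL
# lines emitted by a rule like: -a always,exit -F arch=b64 -S settimeofday,clock_settime -k time-change
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=164 success=yes exit=0 auid=1001 uid=0 comm="date" exe="/usr/bin/date" key="time-change"',
    'type=SYSCALL msg=audit(1700000010.202:502): arch=c000003e syscall=227 success=yes exit=0 auid=1002 uid=0 comm="timedatectl" exe="/usr/bin/timedatectl" key="time-change"',
    'type=SYSCALL msg=audit(1700000020.303:503): arch=c000003e syscall=257 success=yes exit=0 auid=1002 uid=1002 comm="cat" exe="/usr/bin/cat" key="config-read"',
    'type=SYSCALL msg=audit(1700000030.404:504): arch=c000003e syscall=227 success=no exit=-1 auid=4294967295 uid=0 comm="ntpdate" exe="/usr/sbin/ntpdate" key="time-change"',
]
# Hypothetical allow-list: audit UIDs of personnel with a business need to change time settings.
AUTHORIZED_TIME_ADMINS = {1001}
UNSET_AUID = 4294967295  # auditd's value when no login UID is attached to the process
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Split one auditd record into a dict of key/value pairs, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

@dataclass
class TimeChangeFinding:
    event_id: str
    auid: int
    exe: str
    success: bool
    authorized: bool

def review_time_changes(lines, authorized=AUTHORIZED_TIME_ADMINS):
    """One finding per time-change record; actors outside the allow-list are marked unauthorized."""
    findings = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec.get("key") != "time-change":
            continue  # unrelated syscall record
        auid = int(rec["auid"])
        event_id = rec["msg"].split(":")[1].rstrip(")")  # serial number inside audit(ts:serial)
        findings.append(TimeChangeFinding(
            event_id=event_id,
            auid=auid,
            exe=rec.get("exe", "?"),
            success=rec.get("success") == "yes",
            # An unset auid cannot be tied to a person, so it is never treated as authorized.
            authorized=(auid != UNSET_AUID and auid in authorized),
        ))
    return findings

def unauthorized_time_changes(lines, authorized=AUTHORIZED_TIME_ADMINS):
    """The subset a reviewer must escalate: time changes (attempted or successful) by unapproved actors."""
    return [f for f in review_time_changes(lines, authorized) if not f.authorized]
```

Failed attempts are reported alongside successful changes, since an attempt by an unapproved actor is itself the signal a reviewer needs.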
Good Practice
Purpose: Respond to audit log alerts promptly.
Compliance strategies:
- Incident response integration
- Escalation workflow
Typical policies:
- Incident Response Policy
Common pitfalls:
- Delayed responses
- No tracking of alert resolution
Type: Process Control
Difficulty: Moderate
Key risks:
- Prolonged breaches
Recommendations:
- Automate escalation and resolution tracking
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER