In a preview of his new webinar, Time: The Hidden Risks -- How to Create Compliant Time Practices, Bill Sewall discusses:
Sewall is an Information security, compliance and risk management specialist with 30 years experience as a corporate attorney and general counsel, CIO, information security officer, and operational risk manager. Most recently, Sewall spent 10 years as a senior executive information security officer in Citigroup, including management of the IS training and awareness program and responsibility for the Citigroup IS Policy and Standards.
In his career, Sewall has managed information security compliance requirements for one of the largest financial services organization in the world, implemented that institution's information security program at the business unit level and developed the information security awareness training program. He currently provides IS risk management and training services through ISRMC, LCC.
TOM FIELD: What do you know about time and what should you know about time? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am here today with Bill Sewall, the Chief operating Officer with Certichron Incorporated, and we are talking about time. Bill, how are you?
BILL SEWALL: I am great Tom. Thanks for having me.
FIELD: Glad to have you here. It's been a while since we spoke, so why don't you bring people up to speed with where you are and what you are doing now.
SEWALL: Well, right now I am working with Certichron as you mentioned. I am the Chief Operating Officer, and we have put together a time service that basically takes the National Institute of Standards and Technology (or NIST) internet time service and turns it into basically a verifiable, provable system. Basically, we work with our customers in a partnership relationship to make sure that we can stand behind their time setting practices.
FIELD: Now Bill, you and I have talked about this privately, but for the audience here, tell us about time and why it is such a critical business issue now.
SEWALL: Well, at a high level if you don't set time correctly, your applications will eventually fail, as the systems are unable to authenticate users or determine the proper order of transactions. For example, if you experience a system breach -- you know, somebody gets into your system and you suspect that they were doing unauthorized activity -- it is just basically going to be a nightmare to establish the correct sequence of activities or conclusively determine who was responsible if you don't have accurate time. Your financial and transaction records will become difficult to reconcile, leading your auditors and regulators to conclude that your overall control processes may be insufficient. Probably the biggest risk is if you submit electronic data as part of litigation and your time stamps conflict or don't support the timeline that you are arguing for, and if you can't verify it, you run the risk that all of your evidence will basically be determined inadmissible because the time is not correct, so therefore the rest of the data comes into question.
So if you don't keep time, it can come back to bite you.
FIELD: You used a key word there, Bill, risks. Where do you see the greatest risks and opportunities tied to this concept of time?
SEWALL: Well, you know we already have risks today as I mentioned, but the real risks do rest in the future. And it's sort of an opportunity for a lot of businesses to capitalize now to get ahead of the curve. For example, the payment card industry data security standard, or PCI DSS, is an indication that the regulators and industry standards organizations are beginning to take time setting practices seriously. If you look at Section 10.4 of the PCI DSS, it has some lengthy requirements about how businesses should keep time, and the courts aren't far behind. It is a virtual certainty that probably five years from now time-setting standards in litigation will be far more rigorous.
The problem is that you can't fix today's time settings or time stamps five years form now when you go into court. So you need to start today to be prepared for that future risk.
FIELD: This is something that you have worked with for some time now; what do you find businesses and government agencies simply misunderstand about time?
SEWALL: Well, it's not so much they misunderstand; we just don't understand at all. Very few people really understand the inner workings of time setting. Except for a small number of physicists, engineers and time hobbyists, there are not a lot of time experts out there and for good reason; it's a very complicated subject. You know, we all take it for granted, but the reality is that it is very complex underneath.
A good example is there is no such thing as a perfect time setting. The time of day that you use for your watch or use as a time stamp on your data records, essentially it is a fiction that mankind has created to facilitate processes. Yet, we rely on this fiction to perform a myriad of very critical functions. I have been working in technology for over 20 years and have specialized in the area of time setting for over a year. Yet everyday I come to work, I learn something new. So it is no surprise that most auditors and regulators, governmental agencies, have a minimal understanding of how time really works. And in addition, there aren't that many solutions out there that can provide a reliable, provable time. So if there are no solutions, why spend a lot of time learning about the problem? And if there are no solutions, auditors and regulators are going to have little incentive to write up a business for sloppy time setting practices.
The critical point is that there are solutions now becoming available in the marketplace, and that will lead to an increased understanding of the underlying workings of time and will result in increased requirements from auditors and regulators for how you run your internal time setting practice in the business.
FIELD: So, Bill, you have done a number of webinars for us over the years, and you have just done a new webinar on this very topic. What is the gist of it?
SEWALL: Basically it is an overview of how time setting works in the digital environment. The various ways that businesses can get their time -- and it is amazing how many sources of time that there are out there -- and the significant problems and deficiencies that we face in setting time. The webinar then goes over an extensive set of recommendations for how you can address these problems.
A good example is GPS, because a good number of businesses use the GPS navigation system also for setting time, and the webinar goes over in detail how GPS time setting works and its problems. For example, GPS is easily spoofed. You know, for about $1,000 bucks you can make a GPS tell you that you are standing in Piccadilly Square or in the middle of Tokyo and you know, you are actually sitting at home in Iowa. The other point is that GPS is a military system, and relying on a military system for critical commercial or consumer processes is a pretty risky thing to do, especially from a business continuity standpoint. So the webinar takes GPS and gives you some simple solutions to get around these problems and how to build a far more secure GPS time setting practice.
FIELD: One more question for you Bill. If you could tease our audience today with one salient point about time that they might not know, what is that?
SEWALL: Well, there is one major dirty little secret about time. You know time is the last vestige that I have seen of that old "garbage in/garbage out" problem. Far too much of our data has inaccurate or defective time stamps, and time is just unreliable if not worthless for forensics and compliance purposes. If you use log management software from an outside vendor, just ask that vendor what time stamps they use for analysis in their application. They likely will be reluctant to tell you because the dirty little secret is they don't use your time stamps, they use their own. They just don't trust yours because they know most of their client's time data is not reliable.
So the bottom line is, if you are going to address this dirty little secret, you need to start now to prepare your systems to have far more rigorous time setting practices so that in the future this doesn't catch up with you and you will be prepared.
FIELD: Well, Bill, it seems most appropriate to thank you for your time today.
SEWALL: Thank you, Tom.
FIELD: It's been a pleasure talking with you. We have been talking with Bill Sewall, and the topic has been time. For Information Security Media Group, I'm Tom Field. Thank you very much.