...Protective Monitoring...
Executive Summary
What is GPG13 and how do I get GPG13 compliance? Protective Monitoring, also known as Good Practice Guide 13, or GPG13, is a UK government recommended set of people and business processes and technology to improve company risk profiles.
Essentially, a Protective Monitoring solution will provide visibility and an understanding of who is accessing your organisations sensitive data.
Implementation of protective monitoring solutions are recommended in a number of regulatory and industry best practices, such as PCI DSS , Cyber Security and SOX. While it is not compulsory for private organisations to implement a Protective Monitoring solution, most organisations would be remiss in their care of duty if not implementing a solution, when it comes to security controls required to protect third party data within their organisations. It is therefore likely that Protective Monitoring will compose a portion of the security and risk controls in most, if not all, organisations.
Implementation of Good Practice Guide 13 is a strong recommendation for all HMG ICT Systems, and is essentially compulsory for systems that store high impact level data.
The goal of a Protective Monitoring system is to ensure that there is a level of operational insight, to ensure that organisations have an understanding of how their IT systems are being used or abused by internal or external agents.
There are significant proof points that demonstrate organisations without a monitoring system will take a significant period of time to discover that an internal or external breach has occurred. In fact, for most organisations, on average, it would be months after a breach has occurred before it would be discovered. It is also likely, in 86% of cases, that the actual detection will be discovered by an external party, that will then inform the breached organisation.
Obviously this is a huge threat to the organisations reputation, and also a significant financial threat if the organisation is under an obligation to implement strong controls.
Organisations without Protective Monitoring are also likely to impact the IT systems confidentiality, integrity and availability, further impacting business sustainability and reputation.
The Security Policy Framework (SPF) , published by the UK Cabinet Office, sets out mandatory standards and provides guidance on risk management, compliance and assurance programs.
The Security Policy Framework is a public ally available guide that replaces the less distributed Manual of Protective Security and the Counter-Terrorist Protective Security Manual.
Good Practice Guide 13, Protective Monitoring, is obligated by the Security Policy Framework on organisations that process or stores high impact data.
Further more, implementation of GPG13 will support HMG IA Standard No.1; which is a set of guidelines for a Technical Risk Assessment.
GPG13 consists of twelve Protective Monitoring Controls (PMC), each of which is designed to improve an organisations risk profile. A description of each can be found in the pane on the right.
Individual Protective Monitoring Controls
The Protective Monitoring controls are known as PMC's. There are total of twelve.
In the far right hand pane is a
summary of the twelve PMC's.
A great website about Enterprise Risk Management
A great website about Risk Assessment
Summary
-
Protective Monitoring Wiki
This site contains a Wiki on Protective Monitoring
(LINK)
-
Security Policy Framework
This site contains a Wiki on the Security Policy Framework
(LINK)
-
Latest Security News
This is site contains a great news feed around Security
(Information Security Magazine)
-
CESG Website
This site is the official CESG UK Government website
(LINK)
Related Sites
-
Cyber Security Controls
For those interested in Cyber Security controls this site contains useful information.
(Hack Attempts)
-
Cyber Security
This site links to more information about Cyber Security controls.
(Cyber Security)
Protective Monitoring Controls
Below is a summary of the twelve Protective Monitoring Controls for Good Practice Guide 13 (GPG13). Good Practice Guide 13 supersedes Memorandum 22 (Memo 22).
PMC 1 - Accurate time in logs
The objective of PMC1 is to provide a means to ensure that accounting and auditing logs record accurate time stamps.
PMC 2 - Recording of business traffic crossing a boundary
The objective of PMC2 is to define a set of Alerts and Reports that will identify authorized vs non-authorized business traffic across the network boundary.
PMC 3 - Recording relating to suspicious activity at the boundary
The objective of PMC3 is to define a set of Alerts and Reports that will identify suspicious network traffic crossing the network boundary.
PMC 4 - Recording on internal workstation, server or device status
The objective of PMC4 is to define a set of Alerts and Reports that will identify configuration and status changes on internal workstations, servers and network devices.
PMC 5 - Recording relating to suspicious internal network activity
The objective of PMC5 is to define a set of Alerts and Reports that will identify suspicious activity across internal network boundaries from either internal or external agents.
PMC 6 - Recording relating to network connections
The objective of PMC6 is to
define a set of Alerts and Reports that
will identify temporary connections to the network, such as
those
made via a VPN or wireless connection.
PMC 7 - Recording on session activity by user and workstation
The objective of PMC7 is to define a set of Alerts and Reports that will identify suspect user activity or allow forensic analysis of user activity within the network.
PMC 8 - Recording on data backup status
The objective of PMC8 is to ensure a backup and recovery process is defined an adhered to, such that the business can be confident of integrity and availability of the network resources.
PMC 9 - Alerting critical events
The objective of PMC9 is to
define a set of real-time Alerts and
Reports that will identify events classified as "Critical" by the
organisation.
PMC 10 - Reporting on the status of the audit system
The objective of PMC10 is to define a set of Alerts and Reports that will allow confidence in the integrity of the auditing system, such that the output of this system can be relied upon in a court of law.
PMC 11 - Production of sanitised and statistical management reports
The objective of PMC11 is to define a set of Reports that will provide feedback to management on the performance of the Protective Monitoring system effectiveness.
PMC 12 - Providing a legal framework for Protective Monitoring activities
The objective of PMC12 is to define a requirement that will ensure all monitoring is conducted in a lawful manner, and that the collected data is, in its self, protected and treated as sensitive data.
