CESG Good Practice Guide Number 13 (GPG13) provides guidance to HMG Departments and Agencies, and to private sector organisations delivering products and services into HMG, on the Protective Monitoring (PM) of ICT systems. PM is a set of business processes and technical security controls which enable oversight of ICT system use; it can also assure user accountability for their actions when operating ICT systems. Even the most basic ICT system has in-built functionality that enables event and incident recording and alerting. However, these records must be reviewed regularly or they may provide no business value at all. More importantly, failure to review these logs could allow those wishing to misuse ICT resources, and the information they store, create or otherwise process, to do so without fear of discovery. There is therefore an increased risk that the Confidentiality, Integrity and Availability of such systems will be adversely affected.
There is a misguided belief that technological solutions such as intrusion detection and prevention systems and firewalls can simply be deployed and forgotten, thereby providing an automated, all-encompassing panacea with zero administrative overhead and flawless protection. This is never the case. GPG13 illustrates, and provides evidence, that the application of an effective PM framework contributes to the treatment of Information Security risks. PM almost inevitably requires financial investment in equipment and infrastructure; of equal importance, however, is that a PM solution is properly resourced in terms of manpower, expertise, and Information Assurance and Security support and management.
The aim of this tool is to enable the assessment of an organisation's extant technical controls and PM framework; it may also be used to conduct through-life reviews in support of reporting in connection with an organisation's security strategy. The assessment is structured around the twelve Protective Monitoring Controls (PMC 1 to 12) defined in GPG13:
Accurate Time in Logs
Recording of Business Traffic Crossing a Boundary
Recording Relating to Suspicious Activity at the Boundary
Recording on Internal Workstation, Server or Device Status
Recording Relating to Suspicious Internal Network Activity
Recording Relating to Network Connections
Recording on Session Activity by User and Workstation
Recording on Data Backup Status
Alerting Critical Events
Reporting on the Status of the Audit System
Production of Sanitised and Statistical Management Reports
Providing a Legal Framework for Protective Monitoring Activities
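As an added illustration (not part of GPG13 or of the assessment tool), the script below shows what a minimal automated review against three of the controls listed above looks like when run over a handful of constructed log records: it checks that every record carries a parseable time normalised to UTC and that the source clock agrees with the collector's clock (Accurate Time in Logs), surfaces critical events for immediate alerting (Alerting Critical Events), and produces a report containing counts only, with no usernames or message text (Production of Sanitised and Statistical Management Reports). The record format, the five-minute skew tolerance and the sample records are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real data). Fields, pipe-separated:
# source | event time (source clock) | receive time (collector clock) | severity | user | message
SAMPLE_LOG = """\
fw01|2024-03-01T09:00:00+00:00|2024-03-01T09:00:01+00:00|INFO|alice|session open from ws-17
fw01|2024-03-01T09:00:02+00:00|2024-03-01T09:00:03+00:00|INFO|bob|session open from ws-04
srv02|2024-03-01T10:59:30+01:00|2024-03-01T10:00:00+00:00|CRITICAL|-|backup job failed
ws-17|2024-03-01T08:40:00+00:00|2024-03-01T09:00:10+00:00|WARNING|alice|clock skew detected
srv02|not-a-timestamp|2024-03-01T09:00:12+00:00|INFO|bob|malformed record"""


def review(text, max_skew=timedelta(minutes=5)):
    """Return (alerts, report): findings to raise now, plus a sanitised statistical summary.
    max_skew is an assumed tolerance between a source's clock and the collector's clock."""
    alerts, counts, users = [], Counter(), set()
    for line in text.splitlines():
        src, event, received, sev, user, msg = line.split("|", 5)
        counts["events"] += 1
        counts["sev:" + sev] += 1
        if user != "-":
            users.add(user)
        # Accurate Time in Logs: every record must carry a parseable time. Both stamps are
        # normalised to UTC before comparison, so the +01:00 record above compares correctly
        # (30 s apart) instead of appearing an hour adrift.
        try:
            t_event = datetime.fromisoformat(event).astimezone(timezone.utc)
            t_recv = datetime.fromisoformat(received).astimezone(timezone.utc)
        except ValueError:
            alerts.append(("TIME", src, "unparseable timestamp"))
            continue
        skew = abs(t_event - t_recv)
        if skew > max_skew:
            alerts.append(("TIME", src, f"clock skew of {skew} exceeds tolerance of {max_skew}"))
        # Alerting Critical Events: raise these immediately rather than waiting for review.
        if sev == "CRITICAL":
            alerts.append(("CRITICAL", src, msg))
    # Sanitised statistical report: totals only, no usernames or message text.
    report = dict(counts)
    report["distinct_users"] = len(users)
    report["time_findings"] = sum(1 for a in alerts if a[0] == "TIME")
    return alerts, report


if __name__ == "__main__":
    found, summary = review(SAMPLE_LOG)
    print(*found, summary, sep="\n")
```

Running it on the sample records yields one critical alert and two timing findings (one skewed source clock, one unparseable timestamp), with a report of five events from two distinct users.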