Executive Summary


What is GPG13 and how do I get GPG13 compliance? CESG Protective Monitoring, also known as Good Practice Guide 13, or GPG13, is a UK government-recommended set of people, business processes and technology to improve company risk profiles.

Essentially, a Protective Monitoring solution will provide visibility and an understanding of who is accessing your organisation's sensitive data.

Implementation of protective monitoring solutions is recommended in a number of regulatory and industry best practices, such as PCI DSS, Cyber Security and SOX. While it is not compulsory for private organisations to implement a Protective Monitoring solution, most organisations would be remiss in their duty of care if they did not implement one, given the security controls required to protect third-party data within their organisations. It is therefore likely that Protective Monitoring will form a portion of the security and risk controls in most, if not all, organisations.

Implementation of Good Practice Guide 13 is a strong recommendation for all HMG ICT Systems, and is essentially compulsory for systems that store high impact level data.

The goal of a Protective Monitoring system is to provide a level of operational insight, so that organisations understand how their IT systems are being used or abused by internal or external agents.

There are significant proof points that demonstrate organisations without a monitoring system will take a significant period of time to discover that an internal or external breach has occurred. In fact, for most organisations, on average, it would be months after a breach has occurred before it would be discovered. It is also likely, in 86% of cases, that the breach will be detected by an external party, which will then inform the breached organisation.

Obviously this is a huge threat to the organisation's reputation, and also a significant financial threat if the organisation is under an obligation to implement strong controls.

For organisations without Protective Monitoring, the confidentiality, integrity and availability of their IT systems are also likely to be impacted, further affecting business sustainability and reputation.

The Security Policy Framework (SPF), published by the UK Cabinet Office, sets out mandatory standards and provides guidance on risk management, compliance and assurance programs.

The Security Policy Framework is a publicly available guide that replaces the less widely distributed Manual of Protective Security and the Counter-Terrorist Protective Security Manual.

Good Practice Guide 13, Protective Monitoring, is mandated by the Security Policy Framework for organisations that process or store high impact data.

Furthermore, implementation of GPG13 will support HMG IA Standard No. 1, which is a set of guidelines for a Technical Risk Assessment.

GPG13 consists of twelve Protective Monitoring Controls (PMC), each of which is designed to improve an organisation's risk profile. A description of each can be found in the pane on the right.
