Providing a Legal Framework For Protective Monitoring Activities

By

Apr 18th, 2015


Protective Monitoring, also known as Good Practice Guide 13 or GPG13, is a UK government-recommended combination of people, business processes and technology intended to improve an organisation's risk profile.

The GPG13 standard includes twelve Protective Monitoring Controls. The section below explains what requirements must be met to satisfy your obligations under Protective Monitoring Control number twelve (PMC12).

The objective of PMC12 is to define a requirement that ensures all monitoring is conducted in a lawful manner, and that the collected data is, in itself, protected and treated as sensitive data.

Depending on the Impact Level of the organisation's data that you are trying to protect, you will have one of four recording profiles.

The required Recording Profile for each Impact Level of data is described below:

Impact Level 1 Data – Recording Profile Aware

Impact Level 2 Data – Recording Profile Deter

Impact Level 3 Data – Recording Profile Deter

Impact Level 4 Data – Recording Profile Detect and Resist

Impact Level 5 Data – Recording Profile Defend

Impact Level 6 Data – Recording Profile Defend

Below is a summary of your obligations under each recording profile:

Aware

No recording profile required at this segment level

Deter

Report on user sign-up activity against the defined terms and conditions of network usage

Detect and Resist

Report on user sign-up activity against the defined terms and conditions of network usage, to include digital user signatures

Any re-affirmation should also be logged and reported

Defend

Report on user sign-up activity against the defined terms and conditions of network usage, to include digital user signatures and a hardware token or smart card reference

Any re-affirmation should also be logged and reported

Technology Required

Computer Usage Management Software

The Computer Usage Management software should be able to display an acceptable network usage policy and capture the user's acceptance of this policy.

It would be helpful, but not compulsory, to be able to “Test” the User's understanding of the policy to ensure full comprehension. This would be important if relying on such a policy to instigate disciplinary action: you would need to have sufficient comfort that the User did indeed read and understand the policy.

Notes:

This Protective Monitoring Control requires specific technology that can track user acceptance of terms and conditions of network usage. This would typically require technology that is different from the reporting and alerting framework.
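As an added illustration (not code from this article, and not anything GPG13 itself prescribes) of what the Computer Usage Management software described above has to capture under each recording profile, the Python below models an append-only acceptance log. Each entry binds the user to a hash of the exact policy text they accepted, carries the digital signature that Detect and Resist requires and the hardware token or smart card reference that Defend adds, marks a later acceptance by the same user as a re-affirmation so it is logged and reported, and chains entries by hash so the log itself can be checked for tampering, in line with the PMC12 point that the collected data is sensitive. The field names, the HMAC stand-in for a per-user digital signature, the class and function names, and the sample users and policy text are all this example's own assumptions.

```python
import hashlib
import hmac
import json

# Impact Level -> Recording Profile, exactly as listed in the article.
IMPACT_LEVEL_PROFILE = {1: "Aware", 2: "Deter", 3: "Deter",
                        4: "Detect and Resist", 5: "Defend", 6: "Defend"}

# Fields an acceptance record must carry under each profile. The field names
# are this example's own assumption, derived from the profile summaries.
PROFILE_REQUIREMENTS = {
    "Aware": (),
    "Deter": ("user_id", "policy_hash", "accepted_at"),
    "Detect and Resist": ("user_id", "policy_hash", "accepted_at", "signature"),
    "Defend": ("user_id", "policy_hash", "accepted_at", "signature", "token_ref"),
}


def profile_for(impact_level):
    return IMPACT_LEVEL_PROFILE[impact_level]


def policy_hash(policy_text):
    # Bind each acceptance to the exact wording the user was shown.
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()


def sign_acceptance(user_key, user_id, p_hash, accepted_at):
    # Stand-in for a per-user digital signature (assumption): HMAC-SHA256 over
    # the acceptance fields with a key only that user holds.
    msg = f"{user_id}|{p_hash}|{accepted_at}".encode("utf-8")
    return hmac.new(user_key, msg, hashlib.sha256).hexdigest()


def verify_signature(user_key, record):
    expected = sign_acceptance(user_key, record["user_id"],
                               record["policy_hash"], record["accepted_at"])
    return hmac.compare_digest(expected, record.get("signature", ""))


class AcceptanceLog:
    """Append-only log of policy acceptances. Entries are hash-chained so that
    editing or deleting an earlier entry is detectable by verify_chain()."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _chain_hash(body, prev_hash):
        return hashlib.sha256(
            (json.dumps(body, sort_keys=True) + prev_hash).encode("utf-8")).hexdigest()

    def record(self, user_id, policy_text, accepted_at, signature=None, token_ref=None):
        entry = {"user_id": user_id, "policy_hash": policy_hash(policy_text),
                 "accepted_at": accepted_at}
        if signature:
            entry["signature"] = signature
        if token_ref:
            entry["token_ref"] = token_ref
        # A later acceptance by a user already in the log is a re-affirmation.
        entry["reaffirmation"] = any(r["user_id"] == user_id for r in self.records)
        prev = self.records[-1]["chain_hash"] if self.records else "0" * 64
        entry["chain_hash"] = self._chain_hash(entry, prev)
        self.records.append(entry)
        return entry

    def verify_chain(self):
        prev = "0" * 64
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "chain_hash"}
            if self._chain_hash(body, prev) != r["chain_hash"]:
                return False
            prev = r["chain_hash"]
        return True

    def report(self, impact_level):
        """Split records into those complete for the profile and those missing
        required fields, and count re-affirmations for reporting."""
        profile = profile_for(impact_level)
        required = PROFILE_REQUIREMENTS[profile]
        out = {"profile": profile, "compliant": [], "incomplete": [], "reaffirmations": 0}
        if not required:          # Aware: no recording profile required
            return out
        for r in self.records:
            missing = [f for f in required if f not in r]
            bucket = out["incomplete"] if missing else out["compliant"]
            bucket.append({"user_id": r["user_id"], "missing": missing})
            out["reaffirmations"] += int(r["reaffirmation"])
        return out


if __name__ == "__main__":
    # Constructed sample data, not from any real deployment.
    POLICY = "Acceptable network usage policy v1 (constructed sample)"
    alice_key = b"constructed-per-user-key"
    log = AcceptanceLog()
    ph = policy_hash(POLICY)
    log.record("alice", POLICY, "2015-04-18T09:00:00Z",
               signature=sign_acceptance(alice_key, "alice", ph, "2015-04-18T09:00:00Z"),
               token_ref="smartcard-0001")
    log.record("bob", POLICY, "2015-04-18T09:05:00Z")
    print(json.dumps(log.report(5), indent=2))   # Defend: bob is incomplete
    print("chain intact:", log.verify_chain())
```

The report for a given Impact Level shows immediately which acceptances would not hold up under that profile (for example a Defend-level system with acceptances recorded without a token reference), while verify_chain() gives the operator a check that the acceptance evidence has not been altered since it was written.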

© 2006-2017 Protective Monitoring – GPG13.