Protective Monitoring, also known as Good Practice Guide 13 (GPG13), is a set of people, business processes and technology recommended by the UK government to improve an organisation's risk profile.
The GPG13 standard includes twelve Protective Monitoring Controls. The section below explains the requirements that must be met to satisfy your obligations for Protective Monitoring Control number twelve (PMC12).
The objective of PMC12 is to define a requirement ensuring that all monitoring is conducted in a lawful manner, and that the collected data is itself protected and treated as sensitive data.
Depending on the Impact Level of the organisation's data that you are trying to protect, you will have one of four recording profiles.
The required Recording Profile for each Impact Level is described below:
Impact Level 1 Data – Recording Profile Aware
Impact Level 2 Data – Recording Profile Deter
Impact Level 3 Data – Recording Profile Deter
Impact Level 4 Data – Recording Profile Detect and Resist
Impact Level 5 Data – Recording Profile Defend
Impact Level 6 Data – Recording Profile Defend
Below is a summary of your obligations under each recording profile:
Aware
No recording profile required at this segment level
Deter
Report on user sign-up activity against the defined terms and conditions of network usage
Detect and Resist
Report on user sign-up activity against the defined terms and conditions of network usage, to include digital user signatures
Any re-affirmation should also be logged and reported
Defend
Report on user sign-up activity against the defined terms and conditions of network usage, to include digital user signatures and hardware token or smart card references
Any re-affirmation should also be logged and reported
Technology Required
Computer Usage Management Software
The Computer Usage Management software should be able to display an acceptable network usage policy and capture the user's acceptance of this policy.
It would be helpful, but not compulsory, to be able to “test” the user's understanding of the policy to ensure full comprehension. This would be important if relying on such a policy to instigate disciplinary action: you would need sufficient comfort that the user did indeed read and understand the policy.
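As an added illustration (not part of the original guidance, and not any vendor's product), the sketch below shows how an acceptance log could enforce the evidence each recording profile demands, flag re-affirmations so they are reported, and hash-chain the entries so the collected monitoring data itself is protected against silent alteration. The field names, the GENESIS anchor and the class are this example's own assumptions, not GPG13 terminology.

```python
import hashlib
import json

# Evidence each recording profile needs per acceptance event, taken from the
# profile obligations above. Field names are this example's own choice, not
# GPG13 terminology; Aware has no recording obligation so it is absent.
REQUIRED_FIELDS = {
    "Deter": {"user", "policy_version", "accepted_at"},
    "Detect and Resist": {"user", "policy_version", "accepted_at", "user_signature"},
    "Defend": {"user", "policy_version", "accepted_at", "user_signature", "token_ref"},
}
GENESIS = "0" * 64  # assumed chain anchor for the first entry


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AcceptanceLog:
    """Append-only acceptance record, hash-chained so edits or deletions of the
    collected monitoring data can be detected."""

    def __init__(self, profile):
        if profile not in REQUIRED_FIELDS:
            raise ValueError(f"no recording obligation defined for profile {profile!r}")
        self.profile = profile
        self.entries = []

    def record(self, event):
        """Reject events lacking the profile's evidence, then append. Returns True
        when the user is re-affirming a policy version already on record."""
        missing = REQUIRED_FIELDS[self.profile] - set(event)
        if missing:
            raise ValueError(f"{self.profile} requires fields {sorted(missing)}")
        reaffirmation = any(
            e["event"]["user"] == event["user"]
            and e["event"]["policy_version"] == event["policy_version"]
            for e in self.entries
        )
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"event": event, "reaffirmation": reaffirmation, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
        return reaffirmation

    def verify_chain(self):
        """Recompute every hash; False if an entry was edited, dropped or reordered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: e[k] for k in ("event", "reaffirmation", "prev")}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In practice the chain head would be stored separately from the log (or anchored by a signing service) so that an attacker with write access to the log cannot simply recompute the whole chain.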
Notes:
This Protective Monitoring Control requires specific technology that can track user acceptance of the terms and conditions of network usage. This would typically be different from the reporting and alerting framework.