Protective Monitoring: PSN & GPG13 Compliance
Protective Monitoring for HMG ICT Systems is based on the PSN requirements and CESG's Good Practice Guide no. 13 (GPG 13).
CNS Mosaic is a PSN MSSP
CNS Mosaic is a Public Services Network (PSN) accredited managed security services provider (MSSP) in good standing, offering a fully compliant protective monitoring and compliance managed security service (MSS), Mosaic COMPLY & SECURE (service number: SRV_0220).
As a PSN compliant MSS, Mosaic COMPLY & SECURE delivers a range of government accredited managed services. These include Protective Monitoring, Threat Protection, Vulnerability Management, Network Security Monitoring, Managed Firewalls, Remote Access and IDS, supported by wrap-around services such as incident response and compliance consultancy (CLAS & CCP). The service, which is run through our managed Security Operations Centre (SOC), is able to support a range of Government Classifications up to and including OFFICIAL (SENSITIVE) (IL2, IL3, IL4). The minimum level for PSN services is OFFICIAL, and services at that level and above have appropriate assurance and accreditation. By putting in place the necessary processes, accreditation and compliance, CNS Mosaic, with the Mosaic COMPLY & SECURE service, has joined an elite group of firms able and authorised to support the PSN.
CESG Good Practice Guide 13
Whether it is a private or public organisation requiring compliance with the HMG Code of Connection (CoCo), or a Local Authority requiring compliance with the GCSx Government Connect Programme, all must adhere to a number of mandatory controls that ensure the confidentiality, integrity and availability of classified data and of the system components that house it.
One of the mandatory controls that binds all Government compliance programmes together is the need to adhere to CESG Good Practice Guide 13, Protective Monitoring for HMG ICT Systems (GPG 13), and in particular the need to provide a detailed level of logging and alerting for business critical systems.
All Government departments are unique. However, because GPG 13 can mean that millions of log entries need to be captured, analysed, alerted upon and stored every day, all face similar challenges in collecting and managing log data efficiently enough to solve complex compliance problems.
CNS Mosaic understands these challenges and has designed the most comprehensive managed log management, log analysis and event management service available:
LOGGING AND ALERTING SERVICE
CNS's CESG GPG 13 Compliant Managed Logging and Alerting Service is a comprehensive log management solution that complies with GPG 13, namely the need to ensure the integrity of classified data, by outsourcing all daily log monitoring and data analysis into a package that:
• Establishes a process for linking all access to system components, especially access done with administrative privileges such as root, to each individual user;
• Implements automated audit trails for all system components to reconstruct events;
• Synchronizes all critical system clocks and times;
• Secures audit trails so they cannot be altered;
• Backs them up to a secure, offsite location;
• Reviews logs for all system components at least once a day;
• Retains audit trail history for at least one year, with a minimum of three months available online.
CNS is able to log, track and analyse user and system activity, while eliminating the burden of building, configuring, maintaining and monitoring an in-house data collection solution. The service offers:
• Event generation;
• Alert generation;
• Event filtering;
• Event normalization;
• Event parsing;
• Secure event relay and collection;
• Event correlation;
• Event analysis.
WHAT NEEDS TO BE MONITORED AND ALERTED UPON
There is a minimum level of logging required to meet the GPG 13 standard. However, a balance needs to be struck on appropriate levels of monitoring and alerting: too little leads to non-compliance, whilst too much makes log files, and the devices used to manage them, unwieldy. If too much logging is enabled it can also cause the logged OS or application to slow down or crash.
In addition, alerts are only useful if there is a process and personnel in place to receive, analyse and respond to them in a timely manner. In short, the system has to be comprehensive but at the same time it has to be workable.
Therefore CNS consultants work closely with each customer to ensure that the log monitoring technology is configured properly, as every customer's needs are different.
How This is Achieved
The service uses the Mosaic COMPLY & SECURE platform to monitor, alert and demonstrate compliance with the required standard. Through this platform CNS is able to collect, aggregate and pre-filter raw logs from the monitored sources. The technology allows logs to be stored locally as well as forwarded to the secure NOC for analysis and long-term storage.
Upon receipt of a security-relevant event (on a 24x7x365 basis), an alert is triggered. A CNS analyst then determines whether the event represents suspicious activity and is therefore a legitimate threat and, if so, notifies the relevant personnel, irrespective of the time of day.
All CNS consultants who make up the Managed Service Offering are certified professionals who all have SC clearance and have either been NPPV or MV vetted.
To ensure that the appropriate method of logging and alerting is configured, filtering rules are applied on each device in question. These ensure that CNS both captures and reports on:
• Successful login/logoff (logged only)
• Unsuccessful login/logoff (logged and alerted)
• Unauthorised Application Access (logged and alerted)
• System Changes (logged and alerted)
Once this is done, the CNS Managed Service Team evaluates the data collected through the service and promptly reports on and responds to any security threat.
Determining the actual events to monitor and log varies with each system component deployed. GPG 13 defines a minimum list of system events to be logged (to allow "the events to be reconstructed"). Such requirements are motivated by the need to audit and monitor user actions as well as other events that can affect classified data (such as system failures).
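As an added illustration of the four filtering rules listed above (logged only versus logged and alerted), and not code from CNS or the Mosaic platform, the following classifier runs over a few constructed Linux auth.log-style lines. The log format, the regular expressions and the choice of a root-level user-management command as a "system change" are assumptions, since the page does not specify the sources or formats the service ingests.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in a Linux auth.log style (assumption: the page does
# not state which log formats the service handles).
SAMPLE_LOG = """\
Mar  1 09:00:01 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 5522 ssh2
Mar  1 09:00:40 host1 sshd[1202]: Failed password for root from 198.51.100.7 port 4410 ssh2
Mar  1 09:01:10 host1 sudo:    bob : user NOT in sudoers ; TTY=pts/1 ; COMMAND=/bin/cat /etc/shadow
Mar  1 09:02:30 host1 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd deploy
Mar  1 09:03:00 host1 sshd[1201]: pam_unix(sshd:session): session closed for user alice
"""

# (category, pattern, alert?) mirroring the page's four rules: successful
# login/logoff is logged only; the other three are logged and alerted.
# Treating a root-privileged user-management command as a "system change"
# is an assumption made for this example.
RULES = [
    ("successful_login_logoff",
     re.compile(r"Accepted \w+ for (?P<user>\S+)|session closed for user (?P<user2>\S+)"), False),
    ("unsuccessful_login",
     re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+)"), True),
    ("unauthorised_app_access",
     re.compile(r"(?P<user>\S+) : user NOT in sudoers"), True),
    ("system_change",
     re.compile(r"(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=root ; COMMAND=/usr/sbin/(?:useradd|usermod|userdel)"), True),
]

@dataclass
class Event:
    category: str
    user: str
    alert: bool
    raw: str

def classify(line: str) -> Optional[Event]:
    """Return the first matching rule as an Event, or None if the line is filtered out."""
    for category, pattern, alert in RULES:
        m = pattern.search(line)
        if m:
            groups = m.groupdict()
            user = groups.get("user") or groups.get("user2") or "?"
            return Event(category, user, alert, line.strip())
    return None

def process(log_text: str) -> Tuple[List[Event], List[Event]]:
    """Return (logged, alerted): every matched event is logged; alerted is the subset to escalate."""
    logged = [e for e in (classify(l) for l in log_text.splitlines()) if e]
    alerted = [e for e in logged if e.alert]
    return logged, alerted
```

Running `process(SAMPLE_LOG)` logs all five sample lines but escalates only the failed root login, the refused sudo and the privileged account change, which is the split the page's rules describe.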