Protective Monitoring for HMG ICT Systems, based on the Communications-Electronics Security Group's Good Practice Guide 13 (GPG-13), is a framework that all HMG organizations are required to follow in order to gain access to the UK Government Connect Secure Extranet (GCSX). These guidelines were put in place to provide security administrators and other IT professionals with an audit trail of relevant security- and operations-related events on their network. The 12 Protective Monitoring Controls (PMC) within GPG-13 describe specific requirements that an organization must meet in everyday practice as well as in audit situations. These requirements can help an organization with IT forensics, incident response and management, and maintaining the integrity of its enterprise. Control obligations are directly addressed or augmented through LogRhythm report packages, AIE rules, Investigations, and Tails.
The LogRhythm GPG-13 Advanced Compliance Suite provides bundled Alarms, Investigations, and Reports to help demonstrate regulatory compliance. A GPG-13 auditor will check that specific line-item requirements are met using LogRhythm. This section describes the proper usage of the following functions:
- Security Operations
- IT Operations
- Security Management
GPG-13 Suite Usage for Security Operations
To demonstrate regulatory compliance, security and IT operations personnel must perform the vital role of properly managing and using the LogRhythm GPG-13 Advanced Compliance Suite. This section describes the necessary security and IT operations functions:
- Compliance Monitoring
- Compliance Incident Handling
- IT Operations Compliance Monitoring
Security Operations Compliance Monitoring
The monitoring process required by GPG-13 involves both automated and manual activities. The automated activities are typically associated with Alarms, Dashboards, and Report generation used by security operations personnel. Investigations are used to identify, report, and remediate incidents.
GPG-13 requires:
- 24x7x365 monitoring
- Review of the information collected by LogRhythm
Monitoring requirements are located throughout the GPG-13 Standards. The most effective way to meet them is for security operations personnel to monitor alarms, observe dashboard activity, and review the reports produced as part of daily security operations. The GPG-13 AI Engine Rules are configured to notify security operations personnel when a security-related event occurs.
Security Operations Incident Handling
GPG-13 auditors would be most interested in the Usage Auditing Event Detail reports. These provide proof of manual interaction with LogRhythm and answer questions such as:
- Is the organization performing investigations?
- Are they routinely generating reports for security events?
- Have they been performing their tasks on a regular schedule?
IT Operations Compliance Monitoring
To demonstrate regulatory compliance, IT operations personnel must perform the vital role of mitigating infrastructure-related errors and failures. The most effective way to meet the monitoring requirements is for IT operations personnel to monitor for critical and error alarms and to review critical and error reports.
GPG-13 Suite Usage for Security Management
To demonstrate regulatory compliance, security management personnel must oversee the usage of the LogRhythm GPG-13 Advanced Compliance Suite. This section describes the security management function of monitoring security operations.
Monitoring security operations involves monitoring both the security posture of the organization as a whole and the security operations processes themselves, such as incident response. The most effective way to monitor both is to review the daily security management reports.
GPG-13 Suite Usage for Audit
GPG-13 provides a clear and concise set of requirements together with the testing procedures for those requirements. LogRhythm provides:
- Proof that GPG-13 requirements are met, by collecting and reviewing log data on a regular basis
- Automated monitoring through Alarming AI Engine rules
- Forensic investigations and tails of recent activity
- Manual and automated generation of reports
Keeping LogRhythm operational is not enough to satisfy all GPG-13 requirements. Security operations personnel must also review the analyzed data periodically in order to remain compliant. The LogRhythm Usage Auditing Event Detail reports show which activities are being performed, by whom, and when. They demonstrate that personnel have been performing their duties by regularly running investigations, generating reports, and handling routine administrative tasks.
Automated security monitoring is required for many GPG-13 conditions, such as proof that logs are being collected, proof that attacks are being detected, and proof that all authentication failures are being recorded. To demonstrate regulatory compliance, reporting packages can be configured according to auditor requests and the available reports.