Organisations unaware of Good Practice Guide 13 monitoring guidelines

A recent survey reveals that only 38% of public-sector organisations are aware that CESG's Good Practice Guide 13 exists. Ron Condon reports.

Mandatory guidelines for the protective monitoring of public-sector IT systems have yet to be implemented in the majority of organisations, and, as a result, government IT systems may not be prepared to detect and thwart emerging threats, or guard adequately against data leakage.

This assessment comes from a recent survey of 130 public bodies commissioned by log management company LogLogic Inc. and carried out by research company Vanson Bourne Ltd.

Just 10% of organisations surveyed indicated they had implemented Good Practice Guide 13 (GPG13), a set of guidelines issued by CESG to promote what it calls "protective monitoring": the use of logs and intrusion detection systems to track how data moves through a system and to detect or prevent its theft.

The research found that 62% of organisations were unaware of GPG13 altogether. Of those that were aware, 80% said their boards regarded it either as a pointless exercise, or, at best, a necessary evil.

By sector, 43% of the IT and security professionals surveyed were in local government, 29% in health care, 18% in central government, 4% in defence and 6% in other public-sector organisations, such as the fire service.

The protective monitoring controls in GPG13 form part of the Code of Connection (CoCo), a prescriptive technical standard that local authorities must meet in order to gain access to the Government Connect Secure Extranet (GCSx). Most local authorities have become CoCo compliant, but no firm deadline has been set for meeting the GPG13 requirements.

Mark Brett, head of information assurance at the Society of Information Technology Management (SocITM), the professional body for public-sector IT, said protective monitoring is now more important than ever, but that the message had not yet been effectively communicated. "Current defences are great at picking up known threats, but protective monitoring is needed to detect some of the new threats we are seeing," he said.

Protective monitoring can also help to detect or prevent any accidental or malicious loss of data, he added.

"GPG has been thrown in as a CoCo control without having its full value explained to people," Brett said. "Protective monitoring will be one of the important defences in the future, but it's fair to say this has not been well-explained so far. That is a job we've got to do to raise awareness of why it is very important."

He said that SocITM is working with the Local Government Association to produce guidance notes within the next few months to help local authorities get to grips with protective monitoring, and will also offer advice on available technology.

"GPG13 is a huge document, and it needs to be broken down into more manageable chunks. CESG [the government's technical authority on security] is moving to address that," Brett said.

Despite the cuts in public spending, Brett said SocITM will be providing advice on the types of protective monitoring tools available. "There are some open source tools, such as Snort and Nessus, that are very good. There are also some very good commercial log management tools but they can be expensive. Authorities have to decide whether they want to hitchhike or be chauffeur-driven," he said.

"My advice to authorities is to have some form of log management and intrusion protection in place, but make sure it is appropriate to the type of business you are trying to manage," Brett said. "If local authorities are going to push more services onto the Web, that has to be done in a secure way."
