How to approach Good Practice Guide 13 (GPG13) for CoCo compliance

Though mandatory for CoCo compliance, Good Practice Guide 13's protective monitoring controls are seldom implemented by organisations.

Good Practice Guide 13: Have you heard of it? If not, you're not alone. Many organisations know little about the guide, now in version 1.5 as of August 2010, and few have even made attempts at compliance.

The guide, however, is a mandatory aspect of CoCo compliance, a set of regulations that determines which organisations are allowed on the Government Connect Secure Extranet. This means, if your organisation wishes to achieve or maintain such permissions, now's the time to review the guide.

The bulk of GPG13's guidance has to do with protective monitoring, including technologies such as IDS/IPS, and policies for logging and log analysis. This overview of GPG13 comprises recent headlines regarding the guide, as well as an expert technical article from contributor Michael Cobb explaining exactly what the guide is, the technologies you may want to consider implementing for compliance, and advice on where to begin.

Organisations unaware of Good Practice Guide 13 monitoring guidelines
As of October 2010, only 38% of public-sector organisations are aware that CESG's Good Practice Guide 13 exists. This article explains the usefulness of the guide for deploying protective monitoring technologies and controls.

Company files at risk of employee data theft
Is it likely your organisation's employees would take company files with them if they leave their jobs? A recent survey sheds light on the threat of employee data theft, and gives advice on how adherence to GPG13 directives could prevent such data loss.

Good Practice Guide 13: Security monitoring policy for CoCo compliance
In this tip, security expert Michael Cobb explains the basic tenets of GPG13, including the 12 protective monitoring controls it prescribes, the technologies needed to implement those controls, and how to perform risk assessments to make sure those technologies are commensurate with threat levels.
