GPG13 Compliance

If you’re a part of Her Majesty’s Government (HMG), also known as the Government of the United Kingdom, complying with Good Practice Guide 13 (GPG13) is a priority for your organization — especially if you’re interested in accessing central government data. Due to the sensitivity of this information, the U.K. maintains a strict GPG13 compliance checklist.

What Is GPG13?

As a part of the U.K.’s commitment to security, it delivers central government data via the Government Secure Connect Extranet (GSCX). Access to GSCX requires adherence to the Code of Connection (CoCo), which specifies GPG13 compliance. For government agencies, like the Ministry of Justice, GPG13 compliance entails a thorough checklist, as the guideline features 12 Protective Monitoring Controls (PMCs), as well as six Impact Levels and four Recording Profiles.

Who GPG13 Affects

GPG13 pertains to the following organizations:

  • Members of HMG
  • Service providers to HMG
  • Outsourcing companies to HMG

In short, if you’re involved with the U.K.’s government systems and networks, you can expect that GPG13 applies to you.

What Are GPG13 Compliance Requirements?

If you’re compiling a GPG13 compliance checklist, focus on the 12 PMCs, which include:

  • PMC 1: Ensure logs, such as for accounting and auditing, have accurate and consistent time stamps.
  • PMC 2: Record all cross-boundary traffic and confirm validity.
  • PMC 3: Analyze boundary traffic and identify suspicious activity.
  • PMC 4: Identify status changes to servers, network devices and workstations through pre-defined alerts and automated reports.
  • PMC 5: Implement recording of suspicious activity on your internal network through notifications.
  • PMC 6: Track, record and analyze network connections.
  • PMC 7: Establish alerts to recognize and analyze suspicious user and workstation activity.
  • PMC 8: Create a backup and business continuity plan that protects data integrity and availability.
  • PMC 9: Define factors that classify as critical events and deliver real-time alerts and reports.
  • PMC 10: Confirm the validity and integrity of auditing processes.
  • PMC 11: Develop a procedure for producing accurate reports for accessing the performance of your PMC compliance.
  • PMC 12: Provide proof that security measures, including monitoring and data collection, are lawful and secure.

The next component of GPG13 compliance is defining your Recording Profile. Four options are available, including:

  • Defend: You require the highest level of protection, which is why you’re geared to defend against sophisticated attacks.
  • Defend and Resist: You require a high level of protection, which is why you’re set-up to detect and resist attacks.
  • Deter: You require a medium level of protection, which is why you’re equipped to prevent skilled attacks.
  • Aware: You require a standard level of protection, which is why you’re prepared to recognize known attacks and vulnerabilities.

Following your choice of Recording Profile, you move onto Impact Level on your GPG13 compliance checklist. Six levels are available, including:

  1. Aware
  2. Deter
  3. Deter
  4. Detect and Resist
  5. Defend
  6. Defend

The higher the level, the increased impact your organization’s data would have if compromised.

How to Attain GPG13 Compliance

As demonstrated, GPG13 compliance focuses on cybersecurity, with a specific emphasis on log management, event logging and security monitoring. For many agencies of HMG, as well as service providers and outsourcing businesses, it requires a substantial amount of resources to attain and maintain GPG13’s requirements for compliance. That’s why they entrust the responsibility to CYBERShark™, which is BlackStratus’ cloud-based managed security solution that’s engineered to comply with GPG13.

CYBERShark delivers GPG13 compliance and exceptional cybersecurity with the following features:

  • Advanced reporting tools to ensure GPG13-compliant event log management
  • Continuous network monitoring to provide GPG13-compliant security monitoring
  • Sophisticated architecture to support GPG13-compliant business continuity
  • Dynamic correlation and real-time alerts to maintain GPG13-compliant event logging

Discover the complete features of CYBERShark and how it checks off every item on your GPG13 compliance checklist by requesting a free demo today!