In the UK, public sector and other local governmental organizations will need to know Good Practice Guide 13, or GPG13, if they wish to access central government data. Why? Data from agencies such as the National Health Service and the Ministry of Justice is delivered over a special private network called the Government Secure Connect Extranet (GSCX). To access GSCX, local governments have to meet the Code of Connection (CoCo), which in turn specifies GPG13 as a framework of IT and network monitoring measures that must be met. Essentially, GPG13 is intended to protect data at the boundary of the network.
Within GPG13, there are 12 Protective Monitoring Controls, or PMCs, which call for organizations to monitor suspicious user and network activity, as well as log other forensic information. Associated with the PMCs are Recording Profiles, which describe the level of protection required. Overall, there are four Recording Profiles, which, ranked from highest to lowest, are: Defend, Defend and Resist, Deter, and Aware. In practice, the Recording Profile for each PMC is left up to the organization, and it will depend on the Impact Level (there are six levels) of the specific data. Generally, higher Impact Level data requires a stricter Recording Profile.
The following table describes how Varonis can help meet each PMC:

| PMC | Requirement | How Varonis helps |
|---|---|---|
| PMC1 Accurate time in logs | Provide a means to ensure that accounting and auditing logs record accurate time stamps. | DatAdvantage captures all events in real time, as they happen, and records an accurate timestamp for every event. |
| PMC4 Recording on internal workstation, server, or device status | Define a set of Alerts and Reports that will identify configuration and status changes on internal workstations, servers and network devices. | Varonis DatAdvantage can report on changes to permissions to data, additions and removals from security groups, access behavior patterns, and more. Customers can set up alerts and automated reports based on a wide array of criteria, which allow them to detect when incidents of concern occur. |
| PMC5 Recording relating to suspicious internal network activity | Define a set of Alerts and Reports that will identify suspicious activity across internal network boundaries from either internal or external agents. | DatAdvantage baselines every user’s normal data access patterns and can alert administrators whenever deviation in activity occurs. |
| PMC7 Recording on session activity by user and workstation | Define a set of Alerts and Reports that will identify suspect user activity or allow forensic analysis of user activity within the network. | The DatAdvantage auditing functionality tracks all access to data. Varonis DatAdvantage captures every data access event, by all users, from any workstation, throughout the unstructured and semistructured data environment. |
| PMC8 Recording on data backup status | Ensure a backup and recovery process is defined and adhered to, such that the business can be confident of integrity and availability of the network resources. | Varonis Data Transport Engine lets you define when and how often migration, archiving, and data deletion tasks should take place. Archiving happens automatically and doesn’t impact users who may be accessing data at the time. |
| PMC9 Alerting critical events | Define a set of real-time Alerts and Reports that will identify events classified as “Critical” by the organization. | All audit events are collected in real time, and Varonis administrators can pull events into the central reporting/alerting database on demand. |
| PMC10 Reporting on the status of the audit system | Define a set of Alerts and Reports that will allow confidence in the integrity of the auditing system, such that the output of this system can be relied upon in a court of law. | Varonis has a mechanism for ensuring that its services are always running; if for some reason a Varonis service is stopped, a notification is raised for IT via email. |
| PMC11 Production of sanitized and statistical management report | Define a set of Reports that will provide feedback to management on the performance of the Protective Monitoring system effectiveness. | DatAdvantage can produce a series of management reports that show the state of data protection within an organization. This includes the number of folders, SharePoint sites, mailboxes, and public folders with overly permissive ACLs, broken ACLs, unused groups and users, stale data, sensitive data, and more. |
| PMC12 Providing a legal framework for protective monitoring activities | Define a requirement that will ensure all monitoring is conducted in a lawful manner, and that the collected data is, in itself, protected and treated as sensitive data. | DatAdvantage collects metadata only; this includes access activity (who, what, when, how) and content classification metadata, but does not store the data itself. Still, the metadata that Varonis collects is stored on dedicated servers and is typically not accessible to anyone but the people authorized to administer the Varonis software. |