Control Descriptions

PMC1 - Accurate time in logs

Control Description: Provide a means of providing accurate time in logs and synchronisation between system components with a view to facilitating collation of events between those components. This can be achieved by any or all of the following means:

  • Providing a master clock system component which is synchronised to an atomic clock
  • Updating device clocks from the master clock using the Network Time Protocol (NTP)
  • Recording time in logs in a consistent format (Coordinated Universal Time (UTC) is recommended)
  • As a fallback, checking and updating device clocks on a regular basis (for example, weekly).

Projects should define the error margin for time accuracy according to business requirements. The following issues must also be considered:

  • Some devices might not support clock synchronisation and must be maintained manually
  • Although time is recorded in UTC, the human interface should also support local time
  • Clock drift on mobile devices (e.g. Portable Electronic Devices (PEDs)) might require correction when the device is attached.
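The collation problem PMC1 describes, as an added example (not part of the guide): timestamps from three components arrive in different formats and offsets, one device cannot synchronise and has a known manually maintained drift, and the script brings everything onto a single UTC timeline. The log lines, device names and the 45-second correction are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: (device, raw timestamp as the device wrote it, message).
# Each component uses its own format and offset; none of these values are real.
SAMPLE_LOGS = [
    ("fw01",  "2024-03-10T09:15:02+00:00", "deny tcp 203.0.113.5 -> 192.0.2.10:445"),
    ("ws17",  "10/03/2024 10:15:07 +0100", "usb storage attached"),
    ("ped03", "2024-03-10 09:15:50",        "sync requested"),  # no offset; clock unsynchronised
]

# Known error for devices that cannot use NTP (PMC1: manually maintained clocks).
# Positive means the device clock runs ahead of the master clock. Assumed value.
CLOCK_CORRECTION = {"ped03": timedelta(seconds=+45)}

FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%d/%m/%Y %H:%M:%S %z", "%Y-%m-%d %H:%M:%S")

def to_utc(raw, device):
    """Parse a component's timestamp and return it as aware UTC, applying any known correction."""
    for fmt in FORMATS:
        try:
            ts = datetime.strptime(raw, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognised timestamp format: {raw!r}")
    if ts.tzinfo is None:            # naive stamp: assume the device reports UTC
        ts = ts.replace(tzinfo=timezone.utc)
    ts = ts.astimezone(timezone.utc)
    return ts - CLOCK_CORRECTION.get(device, timedelta(0))

def collate(logs):
    """Return the events ordered on one UTC timeline, rendered in a single ISO 8601 format."""
    events = [(to_utc(raw, dev), dev, msg) for dev, raw, msg in logs]
    events.sort(key=lambda e: e[0])
    return [(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), dev, msg) for ts, dev, msg in events]
```

Without the ped03 correction its event would sort last at 09:15:50Z; with it the event lands between the firewall and workstation entries, which is the ordering an investigator needs.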

PMC2 - Recording relating to business traffic crossing a boundary

Control Description: The objective of this control is to provide reports, monitoring, recording and analysis of business traffic crossing a boundary with a view to ensuring that traffic exchanges are authorised and conform to security policy, that transport of malicious content is prevented and alerted on, and that other forms of attack by manipulation of business traffic are detected or prevented.

The main requirement is to provide an accountable record of imports and exports executed by internal users and to track cross-boundary information exchange operations and the utilisation of any externally visible interfaces. This includes all checking of cross-boundary movement of information, content checking and quarantining services.

Application-based checks can be applied to business traffic to accept legitimate transactions and to reject and alert on malformed exchanges.

PMC3 - Recording relating to suspicious behaviour at a boundary

Control Description: The objective of this control is to provide reports, monitoring, recording, and analysis of network activity at the boundary with a view to detecting suspect activity that would be indicative of the actions of an attacker attempting to breach the system boundary or other deviation from normal business behaviour.

The main requirement is to receive information from firewalls and other network devices for traffic and traffic trend analysis. This enables detection of common attacks such as port scanning, malformed packets and illicit protocol behaviours.
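The port-scan case mentioned above, as an added example that is not part of the guide: firewall deny records are parsed and a source is flagged when it touches at least five distinct destination ports on one host within a 60-second window. The log format, addresses and thresholds are constructed assumptions, not any vendor's format or a recommended setting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny lines (illustrative only; format is assumed, not any vendor's).
SAMPLE_FIREWALL_LOG = """\
2024-03-10T09:15:02Z DENY tcp 203.0.113.5:51012 -> 192.0.2.10:22
2024-03-10T09:15:02Z DENY tcp 203.0.113.5:51013 -> 192.0.2.10:23
2024-03-10T09:15:03Z DENY tcp 203.0.113.5:51014 -> 192.0.2.10:25
2024-03-10T09:15:03Z DENY tcp 203.0.113.5:51015 -> 192.0.2.10:80
2024-03-10T09:15:04Z DENY tcp 203.0.113.5:51016 -> 192.0.2.10:443
2024-03-10T09:15:04Z DENY tcp 203.0.113.5:51017 -> 192.0.2.10:445
2024-03-10T09:15:05Z DENY tcp 203.0.113.5:51018 -> 192.0.2.10:3389
2024-03-10T09:15:09Z DENY tcp 198.51.100.7:40001 -> 192.0.2.10:445
2024-03-10T09:17:30Z DENY tcp 198.51.100.7:40002 -> 192.0.2.10:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each deny line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], int(m["dport"])

def detect_port_scans(log_text, window=timedelta(seconds=60), min_ports=5):
    """Flag (src, dst) pairs where src hit >= min_ports distinct ports on dst within `window`.
    Returns {(src, dst): largest number of distinct ports seen in any one window}."""
    events = sorted(parse(log_text))
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts
```

The second source hits the same port twice, minutes apart, and is correctly left unflagged; a real deployment would tune `window` and `min_ports` against the site's normal traffic before treating hits as alertable events.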

An intrusion detection service is a recommended defence at the boundary with any untrusted network (for example, the Internet). It might also be a mandated requirement in codes of connection for membership of community of interest networks (such as GSI). Wherever it is implemented, it is recommended that it includes a Recordable Report profile of at least B.

PMC4 - Recording of workstation, server or device status

Control Description: The objective of this control is to detect changes to device status and configuration. Changes might occur through accidental or deliberate acts by a user or by subversion of a device by malware (for example, installation of trojan software or so called "rootkits"). It also records indications that are typical of the behaviour of such events (including unexpected and repeated system restarts or addition of unidentified system processes).

It also attempts to detect other unauthorised actions in tightly controlled environments (for example, attachment of USB storage devices). This extends to extensive monitoring of any business-critical file areas.

PMC5 - Recording relating to suspicious internal network activity

Control Description: The objective of this control is to monitor critical internal boundaries and resources within internal networks to detect suspicious activity that might indicate attacks either by internal users or by external attackers who have penetrated to the internal network.

Likely targets for heightened internal monitoring include:
  • core electronic messaging infrastructure (e.g. email servers and directory servers)
  • sensitive databases (e.g. HR, finance, procurement or contracts databases)
  • information exchanges with third parties
  • project servers and file stores with strict "need to know" requirements

PMC6 - Recording relating to network connections

Control Description: The objective of this control is to monitor temporary connections to the network either made by remote access, virtual private networking, wireless or any other transient means of network connection.

This includes:
  • Permissive environments that support Wireless LANs (WLANs), mobile users and remote working.
  • More restrictive environments in which the attachment of modems and wireless access points is prohibited.

PMC7 - Recording of session activity by user and workstation

Control Description: To monitor user activity and access so that users can be held accountable for their actions, and to detect unauthorised activity or access that is either suspicious or in violation of security policy requirements.

This is intended to support accountability requirements such that users can be held to account for actions they perform on ICT systems.

PMC8 - Recording of data backup status

Control Description: To provide a means by which previous known working states of information assets can be identified and recovered from in the event that either their integrity or availability is compromised.

Providing an audit trail of backup and recovery operations is an essential part of the backup process and enables identification of the most reliable source of the prior known good states of the information assets to be recovered in the event of data corruption, deletion or loss.

The need for more sophisticated backup and recovery facilities is generally driven by higher levels of risk to the Integrity and Availability properties.

There is a complementary requirement for online storage failure events to be alerted; this is met by PMC4 Recordable Event 1 (the detection of any server storage failure should be classed as an alertable Critical event).

PMC9 - Alerting critical events

Control Description: To allow critical classes of events to be notified in as close to real-time as is achievable.

The Aware level requirement is for console-based alerts that duty Security Managers can watch for.

It would be expected that extensive projects (with continuous monitoring requirement) would require a Security Operations Centre with summary wall displays (with the most complex scenario implementing redundant monitoring centres).

It should be noted that alerts themselves are recordable events.

Smaller projects can have a solution to fit their size and would typically only require a profile A solution with simple monitoring facilities (a Security Manager workstation). Smaller projects might also consider combining functions (for example, security and network management) provided this does not conflict with segregation requirements.

Secondary alerting channels might also be supported for projects that cannot provide continuous console manning (for example, SNMP, email, SMS, and so on) through either in-hours or out-of-hours services.

PMC10 - Reporting on the status of the audit system

Control Description: To support means by which the integrity status of the collected accounting data can be verified.

The Aware segment requirements comprise the need to inspect log status on end devices and alerting of log error or other security relevant conditions.

Upper segment requirements expand to include the requirement for log collection and query systems (ultimately served as a resilient solution).

Smaller (especially single location) projects can have a solution to fit their size and would typically only require a profile level A solution without log collection facilities (perhaps assisted by COTS log analysis tools).

PMC11 - Production of sanitised and statistical management reports

Control Description: To provide management feedback on the performance of the protective monitoring system in regard of audit, detection and investigation of information security incidents.

PMC12 - Providing a legal framework for Protective Monitoring activities

Control Description: To ensure that all monitoring and interception of communications is conducted lawfully and that accounting data collected by the system is treated as a sensitive information asset in its own right.

The most significant aspect of ensuring Protective Monitoring is lawful is ensuring that it is justified. A major part of the evidence for that justification is that the risk management process ensures there is neither too much nor too little monitoring.

There are certain aspects of user consent that must be recorded as part of the system implementation. As with the other treatments, the degree of rigour and trust in these increases with segment. It is important to seek legal advice on compliance with the law and on the wording of all related screen messages and documents. Online electronic sign-up might also be supplemented, or alternatively replaced, by manual records of user agreements and monitoring policies.