Guidance

Security monitoring: introduction

Published 22 June 2015

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/security-operations-and-management-0

© Crown copyright 2015

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/security-operations-and-management/security-monitoring-introduction

1. Key messages for CEOs and boards

Security monitoring if done well is not a trivial activity. If security monitoring is implemented across the whole organisation’s ICT estate, a senior business champion and a well-defined business case are both essential. Ensure you:

  • put into place the resources necessary to effectively support security monitoring
  • maintain visibility of operation and an interest in its management reporting

It is vital to ensure that security monitoring is carried out at a level appropriate for the business. This means understanding the risks to business information and the level of control the organisation wishes to apply when managing those risks. In simple terms ‘know what you’re collecting and why you’re collecting it’.

Organisations must understand that:

  • monitoring and collection is of particular value when ongoing analysis is performed, as this provides the key to incident identification and the ability to take action when appropriate
  • monitoring and collection without analysis (that is, when organisations simply collect and store data), may provide benefit during retrospective analysis as part of incident investigations
  • no technology or service provider can provide a ‘fit and forget’ capability that delivers flawless protection and requires no administration on the part of the organisation

2. Benefits of security monitoring

Security monitoring is a critical set of business processes. It provides the collection of security data from disparate security products, networks, and platforms, and correlates this with threat intelligence and business logic. This allows organisations to identify cyber attacks, fraud, and system or service misuse.

Critically, security monitoring can also:

  • help demonstrate compliance with policy, legislation and regulatory requirements
  • ensure the use of information and communication technologies (ICT) systems is consistent with business requirements
  • shape network defensive mechanisms to try and prevent attacks
  • provide early warning of ICT intrusions
  • provide information on the effectiveness of security controls to drive continuous improvement

System monitoring must be undertaken lawfully. Any information collected is an information asset in its own right, and needs appropriate protection and management. Read the ICO’s guidance, and be aware of laws relating to business data, in particular:

  • the Data Protection Act (DPA), which states employers must take measures against unauthorised or unlawful processing of personal data
  • the Employment Practices Code, which states that employees are entitled to a degree of privacy in the work environment

In addition, understand your organisation’s obligations under the following acts:

  • Regulation of Investigatory Powers Act (2000) (RIPA), the statute on interception in the UK. Specifically, ‘Lawful Business Practice Regulations (LBPR)’, a statutory instrument made under RIPA that authorises the interception of business communications (including those of HMG) for prescribed purposes. The instrument’s full name is ‘Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations’.
  • Computer Misuse Act (1990) (CMA), the statute that makes it a criminal offence to cause a computer to perform a function with intent to secure unauthorised access to a program (or data held on it). Additionally, the CMA makes it an offence to do this with intent (or recklessness as) to impair the operation of the computer or to prevent/hinder access to it. This is often referred to informally as ‘interference with a computer’.
  • Freedom of Information Act 2000 (FOIA), an act that provides a right of access to information held by public authorities. The FOIA requires a public authority to provide information that it holds to anyone that requests it, unless exemptions apply.  
Back to top