What is CESG Good Practice Guides (GPG)? - Definition from WhatIs.com


CESG Good Practice Guides (GPG)

Good Practice Guides (GPG) are documents created by the CESG to help organisations manage risk effectively. CESG is the UK government's national technical authority for information assurance (IA).

CESG Good Practice Guides (GPGs) are supplemented by CESG Developers’ Notes, Cryptographic Standards and Implementation Manuals. Guides may be accessed only by suppliers working with a government department that sponsors the supplier to access one or more of the guides. 

The GPGs were originally written as a set of 35 guides. Some are no longer available because they have become obsolete. Others, which address currently critical topics, are offered on the CESG website.

Some of the Good Practice Guides that have received recent attention are:

  • GPG number 6, which provides guidance on managing the risks of offshoring.
  • GPG number 8, which focuses on protecting external connections to the Internet.
  • GPG number 10, which addresses the risks of remote working.
  • GPG number 12, which provides guidance on managing the security risks of virtualisation for data separation.
  • GPG number 13, which describes a framework for addressing risks to government systems and includes protective monitoring controls for collecting information and communications technology (ICT) log information and configuring ICT logs in order to produce an audit trail. It also forms part of the Code of Connection (CoCo), a prescriptive technical standard that public-sector organisations must meet in order to gain access to the UK Government Connect Secure Extranet.
  • GPG number 18, which describes principles for security forensics.

Contributor(s): Tracey Caldwell
This was last updated in May 2012
Posted by: Margaret Rouse
