
Technical Brief: QualysGuard Policy Compliance 3.0

page 5

QualysGuard allows users to submit authentication credentials in the web application, where they are securely stored, to perform compliance scanning. Authenticated scanning on Windows, SQL Server, Oracle, Unix (SSH/TELNET) and Cisco IOS (SSH/TELNET) augments the information gathered from operating systems and applications, which is necessary for measuring compliance against internal and external policies. More than a vulnerability scan, the compliance scan allows customers to interrogate hosts, collecting all available data about operating system configuration, host application inventories, current patch levels and other system information. Additionally, QualysGuard Policy Compliance 3.0 allows customers to schedule compliance scans to support a continuous auditing approach. All policy creation and editing, as well as scan scheduling, compliance monitoring, reporting and exceptions management, is done securely using a browser-based application, with the controls library itself hosted and maintained by Qualys. Users are able to create and edit policies and add them to their policy library. Reports are available in the QualysGuard Report Share, where they can be run after compliance scans are completed, and users are automatically notified when reports are ready for download. In summary, QualysGuard Policy Compliance 3.0 combines the regulatory-specific and task-specific features of point solutions with the convenience, consistency and efficiency of a centralized solution with no software to install or maintain. It lets customers:

- Create, edit and manage policies, drawing upon a large store of pre-built controls. QualysGuard Controls Library is based on CIS Benchmarks.
- Organize controls together into complete compliance policies for Sarbanes-Oxley 404, HIPAA, GLBA, Basel II, local regulations, internal policies and other areas of compliance. Provides support for compliance frameworks such as CIS, CobIT, ISO and NIST.
- Reuse controls across different compliance policies, as appropriate, to save effort, ensure consistency and simplify compliance management.
- Query host configuration data against the policy controls and expected results to determine and document compliance levels.
- Monitor compliance levels across the enterprise by business unit, asset group, asset owner and individual host.
- Create, track and report on exceptions to policies by control and/or host with a closed-loop approval process.
Auditors want to see: policies that describe how an organization will provide security and integrity; proof that the policies have been operationalized; and evidence that the organization can discover and fix policy compliance lapses.

"An effective vulnerability management and compliance program can make an organization more efficient in reducing the risk of internal and external threats, while, at the same time, provide proof of compliance demanded by auditors."
Mark Nicolett, Vice President, Gartner, Inc.


QualysGuard Policy Compliance: Workflow


QualysGuard Policy Compliance 3.0 provides automated compliance scanning and policy reporting for frameworks and regulations through the following workflow:

Figure 2: Policy Compliance Workflow

1. Author policies from the QualysGuard Controls Library. Default policies are available for users to import and customize to their auditing needs.
2. Assign policies to assets and save to the QualysGuard Policy Manager.
3. Run compliance scans on hosts via authenticated credentials to collect data points from hosts. Compliance scan results are stored encrypted within the QualysGuard account.
4. Generate compliance reports to review results, fix configuration issues and document compliance.
5. Create and manage exceptions. Auditors can approve exceptions and review compliance reports.

This workflow allows compliance professionals to define policies that describe how an organization will provide security and integrity; provide proof that the policies have been operationalized; and give evidence that the organization can discover and fix policy compliance lapses.


QualysGuard Policy Compliance: Features


QualysGuard Policy Compliance 3.0 delivers the core capabilities for security managers and auditors to integrate compliance into existing IT and vulnerability management processes, and contains the following capabilities:

1. CONTROLS LIBRARY

The Controls Library is a centralized location for technical controls pertaining to operating systems and applications, and it enables an efficient write-once, reuse approach to policy management and reporting across a wide variety of compliance activities. All QualysGuard controls are derived from the CIS benchmarks and expanded to address additional configuration settings.

Figure 3: Controls Library

All controls are classified by operating system or application, as well as by category (e.g. password, permissions, configurations, anti-virus, malware, etc.). Controls, as appropriate, are classified by compliance framework (CIS, COBIT 4.0, ISO 17799 and NIST SP800-53) and/or regulatory compliance (FFIEC, HIPAA and NERC CIP). These classifications include references to specific sections of the framework or regulation. The technologies currently supported are Windows XP, 2000 Server, 2003 Server, Vista, 2008 Server and 7; Active Directory 2000, 2003 and 2008; AIX 5.x and 6.x; HPUX 11i v1, v2 and v3; Solaris 8, 9 and 10; RedHat Enterprise Linux 3.x, 4.x and 5.x; CentOS 4.x and 5.x; Oracle Enterprise Linux 4 and 5; SUSE Linux Enterprise 9.x and 10.x; Oracle 9i, 10g and 11g; SQL Server 2000, 2005 and 2008; and Cisco IOS 12.x and 15.x.

Figure 4: Controls Classification (callouts: control statement and category; rationale for each supported technology; mapping to compliance frameworks and standards, provided automatically for each control)
