7. Policy Compliance process
• Create Users
• Add Hosts to subscription
• Create compliance Asset Groups
• Scan Hosts
• Create QualysGuard Policy
• Generate Policy Reports
• Request Exceptions
• The most complex key point: creating policies
• A policy can still be edited afterwards!
8. Compliance Hierarchy: a “Top-Down” Approach
Simple Compliance Framework, ordered by level of detail from framework level down to detailed technical:
• Regulations / Frameworks: SOX, HIPAA, GLBA, CobiT, COSO, ISO17799, PCI, NIST, NERC
• Policies, Standards, Business Requirements (example: “Vulnerable processes must be eliminated..”)
• Controls (Manual/Auto) (example: CID 1130, “The telnet daemon shall be disabled”; rationale for AIX 5.x Technology: Telnet streams are transmitted in clear text, including usernames and passwords. The entire session is susceptible to interception by Threat Agents.)
• Procedures and Guidelines
• Enforcement
15. QualysGuard Policy Compliance Reports
• Full Policy Report: view all results, exceptions, audit trails
• Authentication Report: view where you are successfully authenticating
• Interactive Reports: exceptions process for all failing controls
16. QualysGuard Policy Compliance Policy Reports
The Report Summary
• Pass/Fail Summary: shows passed and failed control instances
• Pass/Fail and Exceptions Summary: passed and failed control instances with pending exceptions, and passed with exception status
18. QualysGuard Policy Compliance Policy Reports
• A Policy Report includes compliance status with a specific policy
• The report lists the hosts assigned to the policy with the controls tested
• Results are shown as a passed/failed status
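As an added example (not code from the original slides or from Qualys), the control-to-host evaluation and the report statuses above modelled in Python: a control in the style of CID 1130 is evaluated against constructed host facts, and exception states are rolled up into the Pass/Fail and Exceptions Summary categories. The host names, the facts and the check function are assumptions.

```python
from dataclasses import dataclass
from collections import Counter
from typing import Callable, Optional

@dataclass
class Control:
    """One control in the hierarchy: policy-level statement plus technical rationale."""
    cid: int
    statement: str
    rationale: str
    check: Callable[[dict], bool]   # host facts -> True when the host is compliant

@dataclass
class HostResult:
    """Result of one control instance (control x host), with its exception state."""
    host: str
    cid: int
    passed: bool
    exception: Optional[str] = None   # None, "pending" or "approved"

    @property
    def status(self) -> str:
        # Status names follow the Pass/Fail and Exceptions Summary categories.
        if self.passed:
            return "passed"
        if self.exception == "pending":
            return "pending exception"
        if self.exception == "approved":
            return "passed with exception"
        return "failed"

# Modelled on the slide's CID 1130 example; the check itself is a hypothetical stand-in.
CID_1130 = Control(
    cid=1130,
    statement="The telnet daemon shall be disabled",
    rationale="Telnet streams are transmitted in clear text, including usernames and passwords",
    check=lambda facts: not facts.get("telnet_enabled", False),
)

def evaluate(control: Control, hosts: dict, exceptions: dict) -> list:
    """Run the control against each host's facts and attach any requested exception."""
    return [HostResult(h, control.cid, control.check(f), exceptions.get(h))
            for h, f in hosts.items()]

def summarize(results: list) -> dict:
    """Pass/Fail and Exceptions Summary: count control instances per status."""
    return dict(Counter(r.status for r in results))

# Constructed host facts, as a credentialed scan would gather them.
HOSTS = {"aix-db01": {"telnet_enabled": False}, "aix-app02": {"telnet_enabled": True},
         "aix-legacy03": {"telnet_enabled": True}, "aix-legacy04": {"telnet_enabled": True}}
EXCEPTIONS = {"aix-legacy03": "pending", "aix-legacy04": "approved"}  # constructed
```

Calling `summarize(evaluate(CID_1130, HOSTS, EXCEPTIONS))` yields one instance in each of the four summary categories, so only aix-app02 remains a plain failure that needs remediation or an exception request.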