Create a policy to check compliance of your systems against the policy and the controls it contains.
Policy Compliance (PC) app only
Go to PC > Policies and choose New > Policy. You'll have these options: 1) start with an empty policy and build it from scratch, 2) create a policy based on scan data from an existing host, 3) import a policy from our Library or 4) import a policy from an XML file. We'll walk you through the steps.
Go to SCA > Policies and choose New > Import CIS Policy. We'll walk you through the steps. Keep in mind that SCA lets you import and edit CIS policies only; custom policies are not supported.
You'll need to tell us the hosts you want to test for compliance with each policy. You can do this by adding asset groups to the policy (all hosts in the group will be included) or by adding asset tags (hosts that match any of the tags will be included). Do you have PC Agent? You'll also see the option to include all hosts in your PC Agent license.
Controls are the building blocks of a compliance policy. Each control pertains to one or more operating systems and/or applications, referred to as technologies.
Using the policy editor, drill down into a policy section, and then double-click on any control (or click Edit) to see control details. From here you can change the control value for any technology, add/remove technologies for the control, and add an external reference number.
In the control details you have the option to run a quick test to see whether the control will pass or fail for a scanned host in your account. Click the Test Control button, enter an IP address and click Evaluate. You'll see evaluation data based on the last scan of the host, including the actual value returned from the host. This allows you to modify the control value if needed before saving the policy.
Control values may include fixed value check boxes, integers, regular expressions/strings, Windows permissions, Unix permissions, and special compliance check status codes. (A compliance check is also referred to as a data point.) The control definitions determine the types of control values and how they appear in your controls.
Last updated (Last scan date): This is the date of the latest scan when data for the control was collected. So, every time data is collected for the control, this value is updated. You should also consider the type of scan launched:
- Full Scan: Collects all the applicable data based on the technologies identified on the target. The "Last updated" value for controls in reports will reflect the latest scan date.
- Scan by Policy: Collects data for only those controls specified in the policies used to restrict the scan. Hence, the "Last updated" value in reports will reflect this latest scan date only for these controls. Controls in a policy may show different "Last updated" values if a subset of the controls is also part of another policy that is specified in the "Scan by Policy" setting of another option profile used for running scans.
Evaluation date: This is the date a control gets evaluated. Control evaluation happens as a part of policy evaluation. Hence, this value will be earlier than (or the same as) the "Policy last evaluated" date. Typically, policy evaluation is triggered right after scan data is collected. However, sometimes there could be some delay due to processing overload. Also, if there is no change in the scan data (all the collected scan data for controls is the same) for a target in successive scans, none of the associated policies is evaluated. As a result, this value remains unchanged for the controls. However, we do update the value of "Policy last evaluated".
Policy last evaluated: This is the date when policy evaluation is complete. This value gets updated every time policy evaluation is triggered for a host. If multiple targets are scanned, this value will be updated each time a policy evaluation occurs for a target. Thus, this value will always be later than (or the same as) the individual "Evaluation date" for the controls in the report. This date is updated even if there is no change in data collected for controls in successive scans.
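The relationships between these three dates can be used to triage report rows. The following is an added example, not part of the product or its documentation: it classifies constructed rows according to the rules described above. The row layout and status names are hypothetical, not a product export format.

```python
from datetime import date

# Constructed sample rows. The layout is hypothetical, not a product export format:
# (host, control, last_updated, evaluation_date, policy_last_evaluated)
SAMPLE_ROWS = [
    ("192.0.2.5", "1.1", "2024-03-10", "2024-03-10", "2024-03-10"),
    ("192.0.2.5", "2.1", "2024-02-20", "2024-02-20", "2024-03-10"),
    ("192.0.2.6", "1.1", "2024-03-10", "2024-03-01", "2024-03-10"),
    ("192.0.2.7", "1.1", "2024-03-09", "2024-03-11", "2024-03-10"),
]


def classify(rows):
    """Return {(host, control): status} using the date rules described above."""
    parsed = [(h, c, *(date.fromisoformat(d) for d in ds)) for h, c, *ds in rows]

    # Most recent data collection seen per host, across all of its controls.
    latest = {}
    for host, _, updated, _, _ in parsed:
        latest[host] = max(latest.get(host, updated), updated)

    status = {}
    for host, control, updated, evaluated, policy_eval in parsed:
        if evaluated > policy_eval:
            # Violates "Evaluation date" <= "Policy last evaluated".
            s = "inconsistent"
        elif updated < latest[host]:
            # Other controls on this host have newer data, e.g. a
            # Scan by Policy run that did not include this control.
            s = "not_collected_in_latest_scan"
        elif evaluated < updated:
            # Data was collected but the control was not re-evaluated:
            # unchanged scan data or a processing delay.
            s = "not_reevaluated"
        else:
            s = "current"
        status[(host, control)] = s
    return status


if __name__ == "__main__":
    for key, value in classify(SAMPLE_ROWS).items():
        print(key, value)
```
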
Drill down into a section from the home page, and click the Add Controls button to search for and add controls to the section. Note that you can only select controls that have not already been added to the policy, and the controls must be applicable to the global technologies list set for the policy.
Yes. Save time by copying controls and their settings from another policy. Just drill down to a section of your policy, click Copy Controls, and select the policy you want to copy controls from. Then pick the controls you're interested in. We'll add the controls and copy their settings.
A few notes:
- When you copy a File Integrity or Directory Integrity control from another policy, we will not copy the actual hash value for the control. Instead you will see the control value as AUTO_UPDATED.
- You cannot copy deprecated controls.
When you add a new technology to your policy, you can copy control settings from another technology in the same policy, another policy in your account or a policy in the Library. For example, let's say you're adding Windows 10 to your policy and you choose to copy settings from another technology like Windows 8. We will apply settings from all applicable Windows 8 controls to Windows 10 controls.
You can add a reference to any control by either clicking the Add Ref # link from the list of controls or clicking Edit next to Reference # in the Control Details. The text you enter will appear in your policy reports under Control References. Note that Managers and Auditors can still add references (documents, URLs and text) by editing a control from the controls data list (go to PC > Policies > Controls).
From the controls list, you can reorder controls using these methods: 1) Click the Reorder button and then type over any control number. This is an easy way to move controls from one section to another; for example, change control 2.1 to 1.1 to move it from section 2 to section 1. 2) Simply drag and drop a control to a new position in the list. Click the far left edge of the control row to move it.
You'll see the locked control icon for controls that are locked by our service. Locked controls cannot be edited within a policy.