On the top of CIS, Qualys provides best practices policies based on vendor's suggested best practices, industry practices and some research. Currently, policies in the library are used for assessment purpose as they are. As we increase the content (number of controls) for each SaaS, we also offer to combine some of the controls from CIS, or best practices polices or vendor policies.
Some policies which are provided out of the box, are filtered under 'System-defined' category. The user-defined policies (aka custom policies) are filtered under 'User-defined' category. System-defined policies are shown as locked, indicating that these policies cannot be changed.
You can either create a new policy or you can edit an existing policy.
Note: This feature is only available for users that have trial or full subscription of the application and not for the users with free subscription.
1) On the Policy Tab, click Create New.
2) On the Create New: Policy page:
- Enter Name and Description in the given fields.
- From the SaaS drop-down menu, select a SaaS application.
- Click the Click to select the controls option. From the list of available controls, select the controls you want to include in this policy. You can use the search bar to search for specific controls.
The search field allows searching of controls by IDs or text, or criticality, system defined policies.
3) Click Create.
The newly created policies are listed under the Policy Tab.