1.2 Auditing and Evaluation Process Workflow

Secure Configuration Manager simplifies and automates the process for demonstrating compliance and managing information security risk. Policy compliance is the assessment, operation, and control of systems and resources according to security standards, best practices, and regulatory requirements. Complex environments, industry standards, and government regulations can make compliance with so many policies a challenge, even for highly-experienced security teams. In most organizations, a variety of individuals perform the complex tasks required to maintain asset compliance.

The following workflow shows how you can streamline the asset auditing and evaluation processes by workflow tasks.

Use the following checklist to guide you through the auditing and evaluation process.

 

Checklist Items

  1. Identify the IT assets that you want to monitor, and then add them to the Secure Configuration Manager asset map. See Section 2.2, Building and Managing Your Asset Map.

  1. Organize your assets into logical groups. For more information, see Section 2.3, Working with Managed Groups.

  1. Specify the value of each asset to your organization. For more information, see Section 2.5.2, Assigning Importance to Endpoints.

  1. Identify the corporate policies and technical standards that affect your IT assets.

  1. Map your policies and standards to the policy templates built into Secure Configuration Manager. For more information, see Section 4.2, Understanding Policy Templates.

  1. (Conditional) If the built-in policy templates do not specifically map to your corporate policies and standards, modify the built-in templates or create new ones. For more information, see Section 6.6.3, Modifying Built-in Policy Templates or Section 6.6.2, Translating a Technical Standard to a Policy Template.

  1. Run the policy templates to begin the auditing process. For more information, see Section 4.3, Running Security Checks and Policy Templates.

  1. Review policy template results to evaluate asset compliance. For more information, see Section 5.0, Evaluating Audit Results.

  1. Correct the configuration problems found in the report results.

  1. (Optional) To adjust how Secure Configuration Manager scores asset results, modify the asset’s importance or adjust the threat factor and risk ranges for the security checks in the policy template. For more information, see Section 2.5.2, Assigning Importance to Endpoints and Section 6.3, Understanding Risk Scoring.

  1. (Optional) To use a specific asset as a standard from which to compare other assets, establish a baseline or run delta reports. For more information, see Section 7.0, Working with Baselines or Section 5.3, Comparing Report Results.

  1. (Optional) To exclude some assets or results from policy template runs, create exceptions. For more information, see Section 5.2, Excluding Data from Report Results.

  1. Regularly audit assets with the selected policy templates. For more information, see Section 4.3.2, Scheduling a Policy Template Run.

  1. (Optional) To regularly compare policy template results, schedule delta reports. For more information, see Section 5.3.4, Scheduling a Delta Report.

  1. Regularly update your policy templates as corporate and regulatory standards change. For more information, see Section 8.0, Maintaining Your Security Knowledge.