1.3 Auditing and Evaluation Process Workflow

Secure Configuration Manager simplifies and automates the process for demonstrating compliance and managing information security risk. Policy compliance is the assessment, operation, and control of systems and resources according to security standards, best practices, and regulatory requirements. Complex environments, industry standards, and government regulations can make compliance with so many policies a challenge, even for highly-experienced security teams. In most organizations, a variety of individuals perform the complex tasks required to maintain asset compliance.

The following workflow shows how you can streamline the asset auditing and evaluation processes by workflow tasks.

Use the following checklist to guide you through the auditing and evaluation process.

 

Checklist Items

  1. Identify the IT assets that you want to monitor, and then add them to the Secure Configuration Manager asset map. See Understanding Managed and Unmanaged Assets.

  1. Discover assets and endpoints in your environment. For more information, see Discovering Unmanaged Assets in Your Environment.

  1. Organize your assets into logical groups. For more information, see Organizing Endpoints into Groups.

  1. Specify the value of each asset to your organization. For more information, see Assigning Importance to Endpoints.

  1. Identify the corporate policies and technical standards that affect your IT assets.

  1. Map your policies and standards to the policy templates built into Secure Configuration Manager. For more information, see Understanding Policy Templates.

  1. (Conditional) If the built-in policy templates do not specifically map to your corporate policies and standards, modify the built-in templates or create new ones. For more information, see Modifying Built-in Policy Templates or Translating a Technical Standard to a Policy Template.

  1. Run the policy templates to begin the assessment process. For more information, see Running Security Checks.

  1. Review policy template results to evaluate asset compliance. For more information, see Section III, Identifying Security Risks in Your Environment.

  1. Correct the configuration problems found in the report results.

  1. (Optional) To adjust how Secure Configuration Manager scores asset results, modify the asset’s importance or adjust the threat factor and risk ranges for the security checks in the policy template. For more information, see Assigning Importance to Endpoints and Understanding Risk Scoring.

  1. (Optional) To create a baseline using an asset which meets specific criteria and use that baseline as a standard for that particular asset, or run delta reports. For more information, see Section B.0, Working with Baselines or Section 10.0, Comparing Results of Assessments.

  1. (Optional) To exclude some assets or results from policy template runs, create exceptions. For more information, see Excluding Data from Report Results.

  1. Regularly audit assets with the selected policy templates. For more information, see Section 6.0, Configuring Assessment Options.

  1. (Optional) To regularly compare policy template results, schedule delta reports. For more information, see Scheduling a Delta Report.

  1. Regularly update your policy templates as corporate and regulatory standards change. For more information, see Section 19.0, Maintaining Your Security Knowledge.