
Chapter 3. Architecting a Security Compliance Management solution

3.3 Business processes and compliance management

3.3.2 Security Compliance Manager business process support

This section looks at the Security Compliance Manager components supporting the activities related to business processes.

Apply security policy

It is a key task for any security compliance management process to integrate, apply, and maintain a company's security policy. Security policies are living documents that are adapted continuously to a changing environment. Security Compliance Manager’s design reflects the need for a security compliance management solution that is easy to maintain and flexible enough to react to policy changes without delay. Security Compliance Manager separates the security compliance management process into data collection, which is

to the security policy consists of simple modifications of the compliance objects that do not require touching the Security Compliance Manager clients. Security Compliance Manager also supports enterprise security policy changes that require modification of the Java data collectors or even the development of new collectors. Once the new collectors are installed in the Security Compliance Manager server, the server starts to distribute the new collectors to the Security Compliance Manager clients automatically. Within a few hours, a new policy is activated.

Applying the enterprise security policy with Security Compliance Manager consists of two steps: developing Java data collectors and defining security compliance objects. Security Compliance Manager supports both activities:

• Security Compliance Manager provides a comprehensive set of Java data collectors for all supported platforms. The data collectors gather enough security-relevant data to implement a solid security policy, so in most cases there is no need to develop additional Java data collectors. If required, the Security Compliance Manager Java Development Kit allows you to implement additional data collectors. In 6.2.3, “Collector development” on page 151, we describe how to develop new data collectors.

• The Security Compliance Manager administration console supports the development of policies and security compliance objects. In “Policy development” on page 34, we demonstrate how to create a policy and describe the development environment provided by the Security Compliance Manager administration console.

Check control settings and compare to security policy

Comparing the actual configuration settings on computer systems with the required settings defined in the security standards is a very important task in the security compliance management process. Usually, the security auditor has to log in to the system, run multiple applications to obtain the actual settings, and compare the result manually with the standard. Even when supported by semi-automated security compliance management tools, this is a tedious and time-consuming task, which results in compliance check frequencies of once or twice a year.

Security Compliance Manager allows you to fully automate the task of gathering security data and comparing it to the settings defined in the security standards. Automation allows you to implement daily security compliance checks of all systems without additional effort, providing additional security in the IT environment. In 2.1.1, “Data collection components” on page 13, we describe the data collection part, and in “Snapshot creation” on page 45, we demonstrate in more detail how snapshots perform data evaluation.

Security Compliance Manager goes a step further and supports detection of configuration changes. If enabled, delta monitoring tracks changes to the collected configuration data. Each time a collector instance collects data and sends it to the server, the server compares the newly received data with the data stored in the collector table. If the data has changed, the new data is appended to the delta table and then the collector table itself is updated.

Document security compliance management

The security compliance management process requires documenting that compliance checks are performed regularly, within the required intervals, and that they are complete. (Complete means that all security control settings on all systems are actually checked.) Some environments even require archiving the data used for the security compliance management process and not only the result of the compliance check. Security Compliance Manager supports the documentation task as follows:

• Operational reports

The Client Violations operational report documents that compliance checks are performed by listing Security Compliance Manager clients, their status, and the security audit findings. Figure 3-10 on page 74 shows an example report of type Client Violations. The Snapshot Creation Completion report displays the time at which each snapshot associated with a policy was created. This report proves that compliance checks were performed completely.

Figure 3-10 Security Compliance Manager operational report: Client Violations

• Checking the completeness of a report

A snapshot can run successfully but return incomplete or inaccurate results for any of the following reasons:

– The collectors associated with the policy have not yet run on all of the clients.

– The collected data has not yet been added to the database tables.

– The snapshot was erroneously restricted to a client group that did not have the policy added.

The results of a snapshot are only as complete as the data contained in the database tables. If there is no data for the compliance queries to check, there are no violations to report. To verify the completeness of a report, Security Compliance Manager provides the following options:

– Operational report

The Collector Run Information report displays information about previous runs of the collectors, for example, the client, the collector instance, and the time of the run.

– The following compliance query generates a violation for each client that did not report data for one or more collector instances. The string $currentsnapshotid is replaced with the ID of the snapshot when the compliance query is run as part of a snapshot. This snapshot ID can be used to index the JAC_SYS.SNA_CLI_TAB_METADATA table, which contains a list of the tables returned by the clients that are part of the snapshot.

    SELECT a.cli_id,
           'No data from client with IP address of ' || b.primary_ip AS ip_addr
    FROM jac_sys.sna_cli_tab_metadata a
    INNER JOIN jac_sys.clients b ON a.cli_id = b.cli_id
    WHERE sna_id = $currentsnapshotid
      AND logdate IS NULL

• Delta monitoring

By default, the Security Compliance Manager database contains only the most recent data collected by a Java data collector. If activated, delta monitoring tracks changes to the data returned by a collector instance. Each time the collector collects data and sends it to the server, the server compares the newly received data with the data stored in the database. If the data has changed, the new data is appended to the delta table and then the collector table itself is updated. The delta table allows you to prove the actual setting of a security control, and not only the result of the compliance check.
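The two mechanisms described in the list above, the completeness check driven by $currentsnapshotid and delta monitoring, as an added example that is not part of the original Redbook or of the Security Compliance Manager product: a Python script that re-creates both against an in-memory SQLite database, which here stands in for the product database. Only the schema name jac_sys, the tables sna_cli_tab_metadata and clients and the columns cli_id, primary_ip, sna_id and logdate are taken from the text; the PW_POLICY collector table, its delta table, the MINLEN compliance query, the way the metadata rows are stamped and all sample data are constructed for this illustration and do not reflect the product's real schema.

```python
"""Added example: a small SQLite re-creation of two behaviours described above,
delta monitoring and the snapshot completeness check. It is not code from the
Redbook or from Security Compliance Manager. Only the schema name jac_sys, the
tables sna_cli_tab_metadata and clients and the columns cli_id, primary_ip,
sna_id and logdate come from the page; the PW_POLICY collector table, its delta
table, the MINLEN compliance query and all sample data are constructed here."""
import sqlite3

# Compliance query from the page, with the $currentsnapshotid placeholder that the
# server substitutes when the query runs as part of a snapshot.
COMPLETENESS_QUERY = """
SELECT a.cli_id,
       'No data from client with IP address of ' || b.primary_ip AS ip_addr
FROM jac_sys.sna_cli_tab_metadata a
INNER JOIN jac_sys.clients b ON a.cli_id = b.cli_id
WHERE sna_id = $currentsnapshotid AND logdate IS NULL
"""

# Constructed compliance query: flag clients whose reported MINLEN is below 8.
MINLEN_QUERY = """
SELECT cli_id FROM jac_sys.pw_policy
WHERE param = 'MINLEN' AND CAST(value AS INTEGER) < 8
"""


def open_db():
    """In-memory database; a second attached database plays the jac_sys schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS jac_sys")
    conn.executescript("""
        CREATE TABLE jac_sys.clients (cli_id INTEGER PRIMARY KEY, primary_ip TEXT);
        CREATE TABLE jac_sys.sna_cli_tab_metadata (sna_id INTEGER, cli_id INTEGER, logdate TEXT);
        -- collector table (hypothetical): only the most recent value per client and parameter
        CREATE TABLE jac_sys.pw_policy (cli_id INTEGER, param TEXT, value TEXT,
                                        PRIMARY KEY (cli_id, param));
        -- delta table (hypothetical): changed values are appended, never overwritten
        CREATE TABLE jac_sys.pw_policy_delta (cli_id INTEGER, param TEXT, value TEXT, logdate TEXT);
    """)
    return conn


def open_snapshot(conn, sna_id):
    """Simplification: one metadata row per client, logdate NULL until the client reports."""
    conn.execute("""INSERT INTO jac_sys.sna_cli_tab_metadata (sna_id, cli_id, logdate)
                    SELECT ?, cli_id, NULL FROM jac_sys.clients""", (sna_id,))


def record_collector_run(conn, sna_id, cli_id, rows, logdate):
    """Server side of delta monitoring: compare each received (param, value) with the
    collector table, append only changed values to the delta table, then update the
    collector table. Returns the number of parameters that changed."""
    changed = 0
    for param, value in rows:
        old = conn.execute("SELECT value FROM jac_sys.pw_policy WHERE cli_id = ? AND param = ?",
                           (cli_id, param)).fetchone()
        if old is None or old[0] != value:
            conn.execute("INSERT INTO jac_sys.pw_policy_delta VALUES (?, ?, ?, ?)",
                         (cli_id, param, value, logdate))
            conn.execute("INSERT OR REPLACE INTO jac_sys.pw_policy VALUES (?, ?, ?)",
                         (cli_id, param, value))
            changed += 1
    # the client has now delivered data for this snapshot
    conn.execute("UPDATE jac_sys.sna_cli_tab_metadata SET logdate = ? WHERE sna_id = ? AND cli_id = ?",
                 (logdate, sna_id, cli_id))
    return changed


def completeness_violations(conn, sna_id):
    """Run the completeness query as the server would, substituting the snapshot ID."""
    sql = COMPLETENESS_QUERY.replace("$currentsnapshotid", str(int(sna_id)))
    return conn.execute(sql).fetchall()


def minlen_violations(conn):
    return [row[0] for row in conn.execute(MINLEN_QUERY)]


def demo():
    """Constructed scenario: three clients, snapshot 7, client 3 never reports."""
    conn = open_db()
    conn.executemany("INSERT INTO jac_sys.clients VALUES (?, ?)",
                     [(1, "10.0.0.11"), (2, "10.0.0.12"), (3, "10.0.0.13")])
    open_snapshot(conn, 7)
    # first run from client 1: every value is new, so all three land in the delta table
    first = record_collector_run(conn, 7, 1,
                                 [("MINLEN", "6"), ("MAXAGE", "90"), ("HISTORY", "5")],
                                 "2024-01-01 02:00")
    # second run: only MINLEN changed (6 -> 8), so the delta table grows by one row
    second = record_collector_run(conn, 7, 1,
                                  [("MINLEN", "8"), ("MAXAGE", "90"), ("HISTORY", "5")],
                                  "2024-01-02 02:00")
    record_collector_run(conn, 7, 2, [("MINLEN", "6")], "2024-01-02 02:05")
    # client 3 has no rows at all: the MINLEN query cannot flag it, the completeness query can
    return {
        "first_changes": first,
        "second_changes": second,
        "delta_rows": conn.execute("SELECT COUNT(*) FROM jac_sys.pw_policy_delta").fetchone()[0],
        "minlen_violations": minlen_violations(conn),
        "missing": completeness_violations(conn, 7),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the scenario is the silent failure the text warns about: client 3 never delivers data, so a compliance query over the collector table has nothing to evaluate and reports no violation for it, while the completeness query over the snapshot metadata does. The delta table, by contrast, keeps every changed value of client 1's MINLEN setting with its run time, which is what lets you show what the control was set to rather than only whether the check passed.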

Address deviations and correct settings

Usually, the security auditor informs the computer system owners about security findings and provides information about deviations and required corrective settings. Security Compliance Manager supports this task with the following options:

• Operational reports via Web access

Operational reports that list audit issues can be provided as HTML reports using a Web interface.

• Operational reports as files

Operational reports can be provided as Crystal Reports, Adobe Acrobat files, Microsoft Excel® files, and Microsoft Word files.

• Security Compliance Manager snapshot reports

Snapshot reports can be accessed using the administration console. The user access model of Security Compliance Manager allows system owners to access their systems and create and view snapshot reports. Additionally, the reports can be exported as HTML files and handed over to the system owners using mail or workflow systems. The reports can be sent on an assigned schedule to specified e-mail addresses.

• Security Compliance Manager reports

Reports are formal database queries for ongoing system verification and analysis. A report is used to send the results of an SQL query to one or more users. Reports can be grouped by client group, or by any other logical grouping, such as department or physical location. The report is sent on the assigned schedule to the specified e-mail addresses.

Report compliance status

Security compliance status reports for management and external audit purposes should be based on Security Compliance Manager operational reports. Security Compliance Manager offers a comprehensive set of reports for this purpose. The following reports are provided:

• Administrative Activity

Displays a history of the administration activities that were performed by users.

• Changes to Roles and Permissions

Displays a history of changes to the definitions for roles and permissions.

• Client Group Membership

Displays information about client groups and their members.

• Client Violations

Displays the policies and their latest snapshots. This report includes the details for all the violations associated with a client.

• Collector Run Information

Displays information about previous runs of collectors.

• Compliant and Non-compliant Systems

Displays the systems that are compliant with the defined security policy as well as systems that are not in compliance.

• Policy Import Time

Displays the names and descriptions of all the policies that have been imported.

• Policy Violations Trends

Displays the violation information associated with all the policies.

• Roles and Permissions Information

Displays information about the roles and permissions that are assigned to users.

• Snapshot Creation Completion

Displays the time at which each snapshot associated with a policy was created. There are no parameters associated with this report.

• User Group Membership

Displays information about user groups and their members.

Managing compliance exceptions

Security standards may define security control settings that affect the functionality of an IT system. Often, there is no quick way to make the system compliant. System administrators who come across such a security setting have to ask for a temporary risk acceptance until a more sophisticated solution is available. Security Compliance Manager supports this procedure by providing suppressions. A suppression is used to temporarily exempt one or more conditions from causing a violation to be reported. The condition can be based on the client, the client group, the compliance object, the violation message, or any combination of these. Additional SQL statements can be added to any suppression in order to implement fine-grained conditions. In “Definition of suppressions” on page 46, we provide an example of a suppression and describe how to define it.