Managing compliance

BMC Client Management provides you with two different ways to make sure your IT environment is compliant with all necessary rules and regulations:

• Custom Compliance
• SCAP Compliance

This BMC Client Management video (6 mins 35 seconds) describes how to create a custom compliance rule, assign the rule to a device and evaluate its compliance, analyze the compliance rule results, generate compliance reports, and create and modify the compliance dashboard. 

 https://youtu.be/3KKJJifHPmc

Custom Compliance

Custom compliance in CM allows to evaluate the current situation of the network population about their compliance. The agent collects information about the devices via which it then defines if a device is compliant with company policies and regulations or not. If not, it can restrict its accesses and operations.

The calculation of compliance in BMC Client Management - Compliance Management is based on a number of specifically defined criteria. The values for these are located in the different inventories available in the console and the database. This information is collected by the agent via operational rules that are executed on the devices in your network and then uploaded to the master database. After the information is available, the compliance rules can calculate the compliance of a device about specific aspects of its configuration.

SCAP Compliance

The Security Content Automation Protocol (SCAP) is a specification established by the National Institution of Standards and Technology (NIST). In general, it was established to express and manipulate security data in standardized and automated ways and therefore contains elements of vulnerability, asset and configuration management. More precisely, SCAP enumerates product names, software flaws and configuration issues, identifies the presence of vulnerabilities and assigns severity scores to vulnerabilities. By that, SCAP makes it easier for organizations to automate ongoing security monitoring, vulnerability management and the reporting of the security policy evaluation.

SCAP 1.2 consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. It is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.

The SCAP components were created and are maintained by several entities, including the MITRE Corporation, the National Security Agency and the Forum of Incident Response and Security Teams (FIRST). As a result, the SCAP components are individually maintained specifications which standardize the security information we communicate (content) and how we communicate and use security information (tools/content processing). SCAP also comprises standardized referenced data, for example the National Vulnerability Database (NVD) of the US government.

The following topics are provided.

• Compliance Rules for Compliance Management
• Getting started with custom compliance
• Evaluating your Environment for Compliance with a Basic Rule
• Assigning the compliance rule to a device group and evaluating its members
• Creating a Device Group of Non-compliant Devices
• Reporting compliance
• Managing compliance dashboards
• Dynamic Groups in Compliance Management
• Overview of SCAP compliance
• Managing SCAP Jobs
• Scap job wizard
• SCAP Implementation Statement
• Overview of Compliance management
• Assigning compliance rules to device groups -- O