Overview of Compliance Content add-ons
Technical and operational standards exist to protect sensitive data held in the data center. To achieve accreditation, the data center must prove compliance with existing standards. TrueSight Server Automation Compliance Content libraries provide you with add-on content for TrueSight Server Automation, containing rule sets to automatically analyze compliance for every server in the data center. These sets of rules are based on the following standards and policies:
- Health Insurance Portability and Accountability Act (HIPAA)
- Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG)
- Sarbanes-Oxley (SOX) Act
- Payment Card Industry (PCI) Data Security Standard (DSS) requirements developed by the PCI Security Standards Council
- Center for Internet Security (CIS) benchmarks
Results from analyses based on Compliance Content component templates can be used both to document the current situation and as a basis for bringing non-compliant servers into full compliance with the standard. Using TrueSight Server Automation Compliance Content, you can:
- Discover relevant target servers and analyze those servers for compliance with major regulatory standards and best-practice policies
- Remediate discovered compliance failures by deploying BLPackages
- Generate reports with summaries of compliance details, similar to policy audit sheets
For more information about using Compliance Content add-ons to analyze and remediate compliance with standard policies, see Compliance Content analysis and remediation.
The pre-defined component templates provided in TrueSight Server Automation Compliance Content libraries reflect a generic interpretation of the compliance standards, and cannot take into account the specific situation within your organization. Therefore, certification cannot be assumed and is not implied based solely on successfully complying with the rules within these templates. Additional measures, such as manual compliance checks, may be required to achieve certification.
The Payment Card Industry (PCI) Data Security Standard templates are provided in a separate group of templates for each version of PCI — PCI version 1, PCI version 2, and PCI version 3.
The BMC Regulatory Compliance Templates (Policies) provided by BMC come with remediation actions for many of the standard checks, for cases where a rule check fails and corrective action may be necessary to bring servers to the desired state. BMC recommends that customers carefully review all the shipped remediation actions. BMC supplies an auto-remediation flag, which is set to false by default to ensure that no changes are made to the managed servers when certain compliance rule checks fail. If the auto-remediation flag is set to true, BSA makes changes to servers as part of the remediation package deploy job. It is the customer's responsibility to control the remediation actions, including auto-remediation actions, performed in their environment.