Overview of Compliance management
BMC Client Management provides you with two different ways to make sure your IT environment is compliant with all necessary rules and regulations:
- Custom Compliance
- SCAP Compliance
Custom Compliance
Custom compliance in BMC Client Management (CM) evaluates the current state of the device population in terms of its compliance. The agent collects information about the devices, from which it determines whether a device complies with company policies and regulations. If it does not, the agent can restrict the device's access and operations.
The calculation of compliance in BMC Client Management - Compliance Management is based on a number of specifically defined criteria. The values for these criteria are located in the different inventories available in the console and the database. This information is collected by the agent through operational rules that are executed on the devices in your network and then uploaded to the master database. Once the information is available, the compliance rules can calculate the compliance of a device with respect to specific aspects of its configuration.
SCAP Compliance
The Security Content Automation Protocol (SCAP) is a specification established by the National Institute of Standards and Technology (NIST). In general, it was established to express and manipulate security data in standardized and automated ways and therefore contains elements of vulnerability, asset and configuration management. More precisely, SCAP enumerates product names, software flaws and configuration issues, identifies the presence of vulnerabilities and assigns severity scores to vulnerabilities. In this way, SCAP makes it easier for organizations to automate ongoing security monitoring, vulnerability management and the reporting of security policy evaluation.
SCAP 1.2 consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. It is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.
The SCAP components were created and are maintained by several entities, including the MITRE Corporation, the National Security Agency and the Forum of Incident Response and Security Teams (FIRST). As a result, the SCAP components are individually maintained specifications which standardize the security information we communicate (content) and how we communicate and use security information (tools/content processing). SCAP also comprises standardized referenced data, for example the National Vulnerability Database (NVD) of the US government.
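As an added example (not BMC's code and not part of this page), the following Python parses an XCCDF 1.2 TestResult, the SCAP component that carries rule-by-rule pass/fail results with their severities and configuration identifiers, and derives a pass ratio and the failing rules at or above a chosen severity. The XML fragment, rule ids, host name and CCE identifier are constructed placeholders, and the pass ratio is a simplified score, not the XCCDF default scoring model.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed XCCDF 1.2 TestResult (not a real scan); ids and CCE value are placeholders.
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_example_testresult_demo" end-time="2024-01-01T00:00:00">
  <target>workstation-01</target>
  <rule-result idref="xccdf_example_rule_disk_encryption" severity="high">
    <result>fail</result>
    <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-1</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_firewall_enabled" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_screen_lock" severity="low">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_legacy_service" severity="medium">
    <result>notapplicable</result>
  </rule-result>
</TestResult>"""


def parse_test_result(xml_text):
    """Return (target, rows); each row holds rule id, severity, result and ident values."""
    root = ET.fromstring(xml_text)
    target = root.findtext("x:target", default="", namespaces=XCCDF_NS)
    rows = []
    for rr in root.findall("x:rule-result", XCCDF_NS):
        rows.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS),
            "idents": [i.text for i in rr.findall("x:ident", XCCDF_NS)],
        })
    return target, rows


def summarize(rows):
    """Pass ratio over checked rules only (notapplicable, notchecked etc. are excluded)."""
    scored = [r for r in rows if r["result"] in ("pass", "fail")]
    passed = sum(1 for r in scored if r["result"] == "pass")
    failures_by_severity = Counter(r["severity"] for r in scored if r["result"] == "fail")
    return (passed / len(scored) if scored else 0.0), failures_by_severity


def failing_rules(rows, min_severity="medium"):
    """Failed rules whose severity is at least min_severity (low < medium < high)."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [r for r in rows
            if r["result"] == "fail" and order.get(r["severity"], -1) >= order[min_severity]]
```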