by Cody Dumont
February 27, 2014
Organizations today are often required to be compliant with more than one standard or framework. Tenable.sc provides an understandable and easy to deploy mechanism that reports on several compliance standards at one time. This report provides a summary view of all supported compliance standards and frameworks.
This report provides a summary view of all supported compliance standards and frameworks. Each of the standards have been grouped into 5 categories, which allows each organization to select the standards and categories that apply to their own business requirements. Each category is represented in a separate chapter (as shown below in the chapter descriptions) with separate sections for each compliance standard.
Tenable.sc is preconfigured with over 500 audit files, many of which are developed to support the Center for Internet Security (CIS) Benchmarks. Each benchmark is then compared against all the supported standards and the cross-reference field is mapped accordingly. Using the CIS Benchmark audit files ensures all supported standards are checked. This cross-reference feature allows customers to run a single scan and audit the system configurations against Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPPA), International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) (ISO/IEC) 27000, and many others.
CIS Benchmark files are created for common operating systems and some critical business applications such as SQL servers. Therefore, when attempting to perform compliance scanning, organizations should select the CIS benchmark that is closely related to the operating system used by the audit file. Scans with audit files require admin credentials to verify the configuration settings. To save even more time, organizations can add audit files to their vulnerability scans, as the audit files are smart enough to only be executed on the supported operating systems. For example, Windows 7 audit files are not run on Windows 2008 server. This functionality brought together in a single report enables compliance managers to easily understand cross compliance requirements and report as required.
The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The report requirements are:
- Tenable.sc 5.2.0
- Nessus 8.5.1
Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Tenable.sc Continuous View (Tenable.sc CV) measures compliance in real-time without human intervention, allowing the organization to identify gaps and lapses are detected and prioritized immediately. With more supported technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure, Tenable.sc CV provides the best solution for managing compliance with regulations. Tenable provides peace of mind to customers, because Tenable.sc CV detects security and compliance issues before our competitors.
Chapters
Executive Summary: This chapter provides executive teams with a high level view of compliance status across multiple supported standards. All compliance checks are shown in a collective matrix, followed by trend analysis.
National Institute of Standards and Technology (NIST): This chapter provides compliance data on publications maintained by the National Institute of Standards and Technology (NIST). Organizations can use this information to understand how their systems are compliant with government standards and configuration catalogs, such as NIST 800-53 and CSF. All standards covered in this chapter use the NIST 800-53 catalogs to help establish a framework to assist in verification of best practices throughout the network. Each section provides data focused on a specific standard and offers host and configuration tables.
Industry Compliance Standards: This chapter provides compliance information for many of the industry standards such as Control Objectives for Information and Related Technologies (COBIT), Critical Security Controls (CSC), North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP), and Payment Card Industry Data Security Standard (PCI-DSS). While also providing some data on governance standards such Bundesamt für Sicherheit in der Informationstechnik (BSI) IT-Grundschutz Methodology and Health Insurance Portability and Accountability Act (HIPAA). Many of these frameworks were developed by the industry to avoid government-imposed regulation, such as PCI, while others were created by the industry after legislation was passed, such as HIPAA. Regardless of the initial development cause this standards are designed to work in a specific environment such as commerce or health care. Each section provides a focused data on a specific standard, and offers a host and configuration tables.
DoD (STIG) Audit Checks: This chapter covers the DoD required Security Technical Implementation Guide (STIG). The chapter is broken down into 3 sections, one reporting using the Department of Defense Instruction (DoDI) 8500.2 Information Assurance (IA) Implementation, followed by the CAT vulnerability ratings, and the other using ID labels found in the SCAP files. These audit results are mostly useful to DoD organizations or companies that must maintain compliance with DoD standards.
Vendor: This chapter provides focus into compliance standards that are established by vendors. The two sections are SWIFT and VMWARE. Over time, as more vendor compliance standards are supported, additional sections will be added to this chapter. The data in this chapter is only useful to those organizations, which deploy the respective vendors solutions.
International: This chapter provides focus into compliance standards that are established by International organizations or governments. The four sections cover IT-Grundschutz BSI-100-2, China Level 3 (CN-L3) Security Controls, ISO/IEC-27001, and the Taiwan Bankers Association (TBA). Each of these sections provide a summary matrix followed by more detailed tables of affected hosts and compliance settings.