Policy and Compliance Customer Quote

"Configuresoft not only enables a greater degree of efficiency in our IT organization, but with CP&C toolkits, we can have confidence that our systems are continuously secure and compliant."

- Chris Burroughs, Vice President, Mondial Assistance
Center for Policy & Compliance

Turning Abstract Mandates and Best Practices into Sustainable Compliance Processes

With the weekly announcement of security bulletins, new vulnerabilities and changes to regulatory mandates, organizations have two choices: become security experts themselves or leverage industry experts to implement effective compliance solutions. The Center for Policy & Compliance (CP&C) was established to relieve IT organizations of having to become security experts so they can instead focus their attention on their business.

The CP&C conducts much of the same research and analysis that any IT organization would otherwise have to perform. Its analysts sift through the overabundance of security and compliance information, then develop and maintain best practices that are incorporated into our ECM product.

CP&C In Action

CP&C experts participate in a wide variety of activities, including sitting on industry standards boards, authoring trade journal articles, conducting compliance training, delivering speeches at industry conferences and symposiums, and engaging in customer compliance implementation consultations.

Industry standards group memberships: Secure IT, NIST, Mitre, AFCEA

Industry auditing and security group memberships: ISC2, ISSA, SANS, ISACA, ITCi, CIS

Software industry association memberships: ITAA, Microsoft Gold Partner

Compliance Toolkits


Configuresoft's Center for Policy & Compliance (CP&C) regularly researches and delivers productized security, regulatory, and operational compliance knowledge via Compliance Toolkits. Each toolkit consists of a set of rule-based templates, reports and dashboards which easily plug into ECM to ensure security and operational compliance within a focused area.

Freely available to our customers, CP&C compliance toolkits can be downloaded from our secure customer portal.

CP&C Compliance toolkits include:

Conficker Detection

This package assesses Windows systems for the possible presence of the Conficker (aka Downadup) worm. The worm takes advantage of systems not patched with Microsoft security update MS08-067. The package checks for three specific system attributes: the presence of patch MS08-067, the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]", and the netsvcs service. In addition, this worm can take advantage of Windows' Autorun capability, which allows removable media to infect systems easily when inserted, so the package also checks whether Autorun is enabled on your systems. If disabling Autorun is allowed by your corporate policy, Configuresoft's CP&C recommends that you disable it to prevent attacks of this kind.

IE 8 Blocker Toolkit

The Internet Explorer 8 Blocker Toolkit can be implemented to prevent the installation of Microsoft's latest browser, IE8. This is accomplished by creating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\8.0 registry key with the entry and value "DoNotAllowIE80 = 1". This is supported on Windows 2000 and later systems.
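The Conficker Detection and IE 8 Blocker descriptions above both boil down to rule-based templates evaluated against configuration collected from each host. The following added example (written for this page, not Configuresoft's ECM code) shows that pattern on constructed host data: the netsvcs ServiceDll and DoNotAllowIE80 paths are the ones quoted above, while the NoDriveTypeAutoRun policy path and KB958644 (the hotfix ID for MS08-067) are taken from Microsoft documentation rather than from this page.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class HostSnapshot:
    """Configuration collected from one Windows host (constructed here, not read live)."""
    hotfixes: set
    registry: dict = field(default_factory=dict)  # {(key_path, value_name): data}

    def __post_init__(self):
        # Registry key and value names are case-insensitive, so normalise them once.
        self.registry = {(k.upper(), n.upper()): v for (k, n), v in self.registry.items()}

    def value(self, key: str, name: str):
        return self.registry.get((key.upper(), name.upper()))

@dataclass
class Rule:
    name: str
    compliant: Callable[[HostSnapshot], bool]  # True when the host passes
    remediation: str

NETSVCS_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters"
EXPLORER_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
IE8_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\8.0"

RULES = [
    Rule("MS08-067 installed", lambda s: "KB958644" in s.hotfixes,
         "Install security update MS08-067 (KB958644)."),
    Rule("No netsvcs ServiceDll", lambda s: s.value(NETSVCS_PARAMS, "ServiceDll") is None,
         "Investigate for Conficker/Downadup; the value points at the worm DLL."),
    Rule("Autorun disabled", lambda s: s.value(EXPLORER_POLICY, "NoDriveTypeAutoRun") == 0xFF,
         "Set NoDriveTypeAutoRun to 0xFF where corporate policy allows disabling Autorun."),
    Rule("IE8 install blocked", lambda s: s.value(IE8_SETUP, "DoNotAllowIE80") == 1,
         "Create DoNotAllowIE80 = 1 under the Internet Explorer Setup\\8.0 key."),
]

def evaluate(snapshot: HostSnapshot) -> list:
    """Return (rule name, remediation) for every rule the host fails."""
    return [(r.name, r.remediation) for r in RULES if not r.compliant(snapshot)]

def sample_host(hardened: bool) -> HostSnapshot:
    """Two constructed hosts: one that trips every rule and one that passes them all."""
    if hardened:
        return HostSnapshot({"KB958644"}, {(EXPLORER_POLICY, "NoDriveTypeAutoRun"): 0xFF,
                                           (IE8_SETUP, "DoNotAllowIE80"): 1})
    return HostSnapshot(set(), {  # unpatched host; the DLL path is a placeholder
        (NETSVCS_PARAMS, "ServiceDll"): r"C:\WINDOWS\system32\PLACEHOLDER.dll",
        (EXPLORER_POLICY, "NoDriveTypeAutoRun"): 0x91})  # 0x91 is the Windows XP default

if __name__ == "__main__":
    for name, fix in evaluate(sample_host(hardened=False)):
        print(f"FAIL {name}: {fix}")
```

The Autorun rule only inspects the policy value; whether the platform actually honours it also depends on the Windows version and installed updates, so treat it as one signal alongside the patch and ServiceDll checks.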

Energy Savings Toolkit

The Green IT Energy Savings Toolkit is a package of reports that provides visibility into the specific system attributes and settings that organizations can use to measure power consumption. The toolkit also includes compliance templates that enforce power settings: enabling monitor power-off, powering down computers after shutdown, and removing the Power Options icon from the Control Panel to limit users' ability to alter power settings. The package includes reports for processor utilization and server class identification. The server class report uses IDC definitions to classify systems as high-end, mid-range, and volume servers; larger servers consume more power than lower-end volume servers.

PCI DSS

Comprehensive series of automated checks and controls that correlate and map to the requirements for security hardening as defined by VISA, Mastercard, American Express, Diners Club, Discover and JCB. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization’s ability to consistently meet their internal standards.

CIS Benchmarks for Windows

Comprehensive sets of automated checks and controls that address a number of distinct Windows technical security settings for Windows 2000 (Professional and Server), XP, and 2003 Server platforms. The CIS Windows Toolkits are designed to provide Configuresoft customers with the ability to quickly assess the security configuration of Windows systems against CIS best practices by translating the guidelines into actionable, continuous compliance rules. These rules allow you to ensure that your actual enterprise security configuration settings correspond with the recommended hardening values.

CIS VMware ESX Server Benchmark

The CIS VMware ESX Server Benchmark Hardening Toolkit is a compilation of security configuration actions and settings that can be used to lock down, or "harden" VMware ESX Server systems in accordance with the CIS VMware ESX Server Benchmark v1.0, released October 18, 2007. This comprehensive series of controls addresses file permissions, user accounts, kernel settings, and a number of other specific ESX attributes that can be secured as part of an overall security and compliance strategy in virtual server environments.

CIS AIX Compliance Toolkit

The Center for Internet Security (CIS) configuration standards are among the most widely recognized and generally accepted system and application hardening guidelines available. The CIS AIX Compliance Toolkit is a comprehensive set of automated checks and controls that address a number of distinct technical security settings for the IBM AIX Unix platform. This toolkit is based on benchmark version 1.01, dated 10/21/2005, and supports AIX versions 5.3 and earlier.

CIS Red Hat Linux Compliance Toolkit

The CIS Red Hat Linux Compliance Toolkit is a comprehensive set of automated checks and controls that address a number of distinct technical security settings for the Red Hat Linux version 5 platform.

CIS Solaris Compliance Toolkit

The CIS Solaris Compliance Toolkit is a comprehensive set of automated checks and controls that address a number of distinct technical security settings for the Sun Solaris platform. This toolkit is based on benchmark version 4.0, dated 11/1/2007, and supports Solaris 10 updates 11/06 and 8/07 as well as several previous versions.

CIS SUSE Linux Compliance Toolkit

The CIS SUSE Linux Compliance Toolkit is a comprehensive set of automated checks and controls that address a number of distinct technical security settings for SUSE Linux Enterprise platforms. This toolkit addresses configuration settings for most SUSE Linux Enterprise Server versions up to SLES 10 SP1. The toolkit includes checks for system and kernel information, enabled services, file system settings and permissions, authentication and authorization, users and groups, and others.

CIS HP-UX Compliance Toolkit

The CIS HP-UX Compliance Toolkit is a comprehensive set of automated checks and controls that address a number of distinct technical security settings for the HP-UX platform. This toolkit is based on benchmark version 1.4.2, dated 6/3/2008, and supports HP-UX versions 11.11, 11.23, and 11.31 as well as several previous versions.

SOX

Comprehensive series of automated checks and controls that correlate and map to the COSO/COBiT framework, supported by best practices as defined by NIST. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization's ability to consistently meet the SOX regulation.

HIPAA

Comprehensive series of automated checks and controls that correlate and map to the Department of Health and Human Services requirements, along with best practices as defined by NIST. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization's ability to consistently meet the HIPAA regulation.

GLBA

Comprehensive series of automated checks and controls that correlate and map to the technical controls required by Gramm-Leach-Bliley. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization's ability to consistently meet the GLBA regulation.

FISMA Compliance Toolkit for Windows, UNIX/Linux and Virtual Computing

Comprehensive series of automated checks and controls that correlate and map to industry best practices, along with mandates defined by NIST 800-53. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization’s ability to consistently meet FISMA compliance.

DISA Compliance Toolkit for Windows, UNIX/Linux and Virtual Computing

The DISA Security Technical Implementation Guides (STIG) template is a comprehensive series of automated checks and controls for security hardening as developed by DISA and the NSA and endorsed and published by NIST. This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization’s ability to consistently meet their internal standards.

ISO17799/27001

This compliance template provides organizations with the ability to quickly assess the security configuration of Windows NT4, 2000, 2003, XP and Vista systems against ISO recommended best practices. The template translates the ISO 17799/27001 guidelines into actionable, continuous compliance rules to ensure your actual enterprise security configuration settings correspond with the recommended hardening guidelines.

Microsoft Hardening Guidelines

This compliance template provides organizations with the ability to quickly assess the security configuration of Windows 2000, 2003, XP and Vista systems against Microsoft recommended best practices. The template translates the Microsoft Windows Security and Hardening Guide into actionable, continuous compliance rules to ensure your actual enterprise security configuration settings correspond with the recommended hardening guidelines.

Microsoft Windows 2008 Server Hardening Guidelines for Domain Controllers

The Microsoft Windows 2008 Server Hardening Guidelines package for Domain Controllers is designed to provide Configuresoft customers with the ability to quickly assess the security configuration of Windows 2008 domain controllers against Microsoft recommended best practices. The toolkit translates the Microsoft Windows Server 2008 Security Guide into actionable, continuous compliance rules to ensure your actual enterprise security configuration settings correspond with the recommended hardening values. This toolkit provides specific guidance for hardening Active Directory Domain Services, as well as guidance on disabling and hardening traditional services such as DNS, DHCP, and Terminal Services. Also included are guidelines for securing general Windows Server 2008 platform controls that enable proper file and system-level access controls, network services protection, and many others.

NERC/FERC

Comprehensive series of automated checks and controls that addresses a number of requirements within the eight CIP standards. This package includes controls specific to file and system-level access controls, security management and asset discovery controls, audit control and automated access change monitoring, which ensures an organization's automated strategy for NERC/FERC compliance will consistently meet the standard.

FFIEC Compliance Toolkit

The Federal Financial Institutions Examination Council has created a number of guidelines applicable to the finance and banking industries. In July 2006, the FFIEC released its Information Security booklet, intended to help banking and financial organizations comply with Gramm-Leach-Bliley standards such as 501(b) and develop a process for assessing and securing computing assets. The FFIEC Compliance Toolkit is a comprehensive series of automated checks and controls that addresses a number of requirements within the Information Security handbook. This package includes controls specific to file and system-level access controls, security management and asset discovery controls, audit control and automated access change monitoring, which ensures an organization's automated strategy for FFIEC compliance will consistently meet the standard.

FDCC Compliance Toolkit for Windows

The Federal Desktop Core Configuration (FDCC) template is a comprehensive series of automated checks and controls for Windows XP and Windows Vista desktop systems that directly aligns with the FDCC mandate defined by the Office of Management and Budget (OMB). This granular level approach includes access control, audit control and automated access change monitoring, which ensures an organization’s ability to consistently meet FDCC compliance.

VMware Hardening Guidelines

Comprehensive series of automated checks and controls that correlate and map to the VMware Infrastructure 3 Security Hardening Guide. The template allows organizations to evaluate access controls, file permissions, networking components, and audit and security policy controls, as well as to perform automated access change monitoring for virtual machines, the VMware Service Console, ESX Server hosts and VirtualCenter components.