Compliance Summary

by Cody Dumont
February 20, 2014

SecurityCenter and Nessus have to ability to check compliance with a variety of standards including HIPAA, NIST 800-53, PCI DSS, and DoDI 8500.2.  This dashboard shows the security manager a summary of the current compliance status.  

The dashboard and its components are available in the SecurityCenter 4.7 Dashboard app feed, an app store of dashboards, reports, and assets.  The dashboard requirements are:

  • SecurityCenter 4.7.1
  • Nessus 5.2.5
  • Updated Audit Files from the Support Portal (Release date after 1 July 2013)

Listed below are the included components:

  • Compliance Summary - Check Result Ratio : This component provides a ratio view of systems that have been checked for a variety of compliance standards.  The ratio bar provides a visual of the number of compliance checks that have either passed, failed, or that require some manual verification.
  • Compliance Summary - Standards Indicator: This component provides an indicator for the most widely supported compliance standards.  Each indicator will provide an easy mechanism to see a list of hosts applicable to each standard when the indicator is clicked on.
  • Compliance Summary - 25 Day Trend: This component provides a 25-day trend analysis for all compliance checks.  
  • Compliance Summary - Check Status: This component provides the security manager and compliance officer with a simple view of compliance with a variety of standards.  

Nessus uses the audit files to check systems for compliance with a variety of standards.  The audit files are constantly being updated as new compliance standards are formalized and released.  This dashboard provides a summary for the following standards:

  • 8500.2 - DoDI 8500.2, Information Assurance (IA) Implementation.  This directive provides overview all information assurance configurations and implementation standards for the DoD.   The various controls are broken down into "Subject Areas" with assigned controls.  For example, DC = "Security Design & Configuration" and DCPD-1 = "Public Domain Software Controls".
  • 800-53 - NIST Special Publication 800-53 R4, Security and Privacy Controls for Federal Information Systems and Organizations, provides a catalog of security and privacy controls for federal information systems and organizations.  The publication outlines a process for selecting controls to protect organizational operations, organizational assets, individuals, other organizations, and the nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors.
  • BSI-100-2 - The IT-Grundschutz Standards and Catalogues are a set of recommendations designed to assist an organization in achieving an appropriate security level for information throughout an organization. The Federal Office for Information Security (BSI) in Germany develops and maintains the BSI Standards, of which IT-Grundschutz is a part, with the providing methods, processes, procedures, and approaches to information security management, risk analysis, and business continuity management.
  • CAT - Findings from the STIG are grouped into three Categories (CAT) based on the severity of the weakness.  CAT I findings are those that allow an attacker to gain immediate access to a system or component, and are considered a HIGH severity.  CAT II findings are those that provide information about the system or component and therefore have a high potential of allowing unauthorized access to an intruder.  CAT III findings are those that give away enough information for an intruder to compromise the system or component.
  • CCE - Common Configuration Enumeration (CCE) provides a framework for mapping security related system configuration issues across multiple information sources and tools. An example of how CCE are used is to map configuration settings between best practice documents, such as NIST 800-53.  CCE also helps enable the National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP).  [https://cce.mitre.org]
  • CCI - The Information Assurance Support Environment (IASE) uses the Control Correlation Identifier (CCI) to provide a standardized identifier and description for each of the singular, actionable statements that comprise an Information Assurance control or best practice.  CCI helps to connect high level policies to technical configuration.  
  • CIS Level - The Center for Internet Security maintains a series of configuration benchmarks.  These benchmarks cover the configuration of many systems and applications.  The benchmarks have two configuration levels, Level-I and Level-II.  Level -I are practical, prudent, and provide a clear security benefit, while the Level-II benchmarks are more likely to negatively inhibit the system or application, and provide a clear security in-depth measure.
  • HIPAA - The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities".  PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.  The information systems used to process and store PHI are to be configured with the defined guidelines covered by HIPAA.
  • PCI DSS - The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security standards required by major credit card companies to protect cardholder data. Every business that accepts, stores, and transmits credit card data must comply with the PCI DSS.
  • PCI-2.0 - Checks specific to PCI version 2.
  • PCI-3.0 - Checks specific to PCI version 3.  This is the latest version of the PCI DSS standard.
  • SANS-CSC - The Critical Security Controls (CSCs) were created by a consortium of international agencies and experts from private industry and around the globe to simplify the most critical controls needed around all industries.  The framework takes an "offense must inform defense" approach to prioritizing controls that would have the most impact on reducing risk against real-world threats.
  • STIG-ID - The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations (FSO) has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack. DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (S-CAP) in order to be able to “automate” compliance reporting of the STIGs. [http://iase.disa.mil/stigs/]

The components in this dashboard use newly updated audit files (released after 1 July 2013), which incorporate a new reference tag that maps many audit checks to a respective standard.  In the case of this dashboard, the audit files must contain “800-53|AC-1” on the reference line of the applicable audit check.

For example, ‘reference: CCE|CCE-8912-8,800-53|IA-5,PCI|8.5.12,800-53|CM-6

In the screen shot below, you can see the reference added.  

Compliance Summary Screen Shot Vulnerability Text Summary

Please note that if you are creating you own filters and reports, the “800-53: AC-2” shown in the example is actually “800-53|AC-2” in the data query.