Compliance Summary Report

by Cody Dumont
February 27, 2014

This report provides a template for reporting on 13 compliance standards. Each compliance standard is summarized with a historical matrix, a host summary table, and a compliance check summary table.  The report is designed to provide either a full report or a subset of the reporting. The compliance officer or security manager can import this report using the app feed, and by selecting the specific chapters, the report can be easily customized.

The report is available in the SecurityCenter 4.7 Report app feed, an app store of dashboards, reports and assets.  The report requirements are:

  • SecurityCenter 4.7.1
  • Nessus 5.2.4

Nessus uses the audit files to check systems for compliance with a variety of standards.  The audit files are constantly being updated as new compliance standards are formalized and released.  The report also includes an executive summary chapter with a trend graph and descriptive tables providing an executive view of the compliance status, thus allowing the executive to install this report and only select the Executive summary chapter for the report.  The compliance standards reported on using this report are:  

  • 8500.2 - DoDI 8500.2, Information Assurance (IA) Implementation.  This directive provides an overview of all information assurance configuration and implementation standards for the DoD.   The various controls are broken down into "Subject Areas" with assigned controls.  For example, DC = "Security Design & Configuration" and DCPD-1 = "Public Domain Software Controls".
  • 800-53 - NIST Special Publication 800-53 R4, Security and Privacy Controls for Federal Information Systems and Organizations, provides a catalog of security and privacy controls for federal information systems and organizations.  The publication outlines a process for selecting controls to protect organizational operations, organizational assets, individuals, other organizations, and the nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors.
  • BSI-100-2 - The IT-Grundschutz Standards and Catalogues are a set of recommendations designed to assist an organization in achieving an appropriate security level for information throughout the organization. The Federal Office for Information Security (BSI) in Germany develops and maintains the BSI Standards, of which IT-Grundschutz is a part; they provide methods, processes, procedures, and approaches to information security management, risk analysis, and business continuity management.
  • CAT - Findings from the STIG are grouped into three Categories (CAT) based on the severity of the weakness.  CAT I findings are those that allow an attacker to gain immediate access to a system or component, and are considered a HIGH severity.  CAT II findings are those that provide information about the system or component and therefore have a high potential of allowing unauthorized access to an intruder.  CAT III findings are those that give away enough information for an intruder to compromise the system or component.
  • CCE - Common Configuration Enumeration (CCE) provides a framework for mapping security-related system configuration issues across multiple information sources and tools. One example of how CCEs are used is to map configuration settings between best practice documents, such as NIST 800-53.  CCE also helps enable the National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP).  [https://cce.mitre.org]
  • CCI - The Information Assurance Support Environment (IASE) uses the Control Correlation Identifier (CCI) to provide a standardized identifier and description for each of the singular, actionable statements that comprise an Information Assurance control or best practice.  CCI helps to connect high level policies to technical configuration. 
  • CIS Level - The Center for Internet Security maintains a series of configuration benchmarks.  These benchmarks cover the configuration of many systems and applications.  The benchmarks have two configuration levels, Level-I and Level-II.  Level-I settings are practical, prudent, and provide a clear security benefit, while the Level-II benchmarks are more likely to negatively affect the operation of the system or application, and provide a clear defense-in-depth measure.
  • HIPAA - The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities".  PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.  The information systems used to process and store PHI are to be configured with the defined guidelines covered by HIPAA.
  • PCI DSS - The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security standards required by major credit card companies to protect cardholder data. Every business that accepts, stores, and transmits credit card data must comply with the PCI DSS.
  • PCI-2.0 - Checks specific to PCI version 2.
  • PCI-3.0 - Checks specific to PCI version 3.  This is the latest version of the PCI DSS standard.
  • SANS-CSC - The Critical Security Controls (CSCs) were created by a consortium of international agencies and experts from private industry and around the globe to simplify the most critical controls needed around all industries.  The framework takes an "offense must inform defense" approach to prioritizing controls that would have the most impact on reducing risk against real-world threats.
  • STIG-ID - The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DoD IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations (FSO) has played a critical role in enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack. DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (SCAP) in order to be able to “automate” compliance reporting of the STIGs. [http://iase.disa.mil/stigs/]

The components in this report use newly updated audit files (released after 1 July 2013), which incorporate a new reference tag that maps many audit checks to a respective standard.  For this report to pick up a check, the audit file must carry the standard and control, for example “800-53|AC-1”, on the reference line of the applicable audit check.

For example: ‘reference: CCE|CCE-8912-8,800-53|IA-5,PCI|8.5.12,800-53|CM-6’

In the screen shot below, you can see the reference added.

[Screen shot: Compliance Summary, Vulnerability Text Summary, showing the added reference line]

Please note that if you are creating your own filters and reports, the “800-53: AC-2” shown in the example is actually “800-53|AC-2” in the data query.
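The reference line and the pipe-versus-colon note above are easy to get wrong when building custom filters, so here is an added example (not Tenable's code and not part of the report) that parses the `STANDARD|CONTROL` pairs from an audit check's reference line, converts the display form `800-53: AC-2` into the query form `800-53|AC-2`, and lists which checks a given filter would match. The two-check audit snippet is constructed for the example; its first reference line is the one quoted on the page.

```python
"""Parse the 'reference:' line of Nessus audit checks and match it against
a compliance filter written in either the display form ('800-53: AC-2')
or the query form ('800-53|AC-2').

Added illustration; it assumes only the comma-separated STANDARD|CONTROL
format shown on the page, not any Tenable-internal API.
"""
import re
from collections import defaultdict

# Constructed sample audit content: two checks wrapped as custom_item blocks.
# The first reference line is the one quoted on the page; the second is made up.
SAMPLE_AUDIT = """\
<custom_item>
  type        : FILE_CHECK
  description : "Password history file permissions"
  reference   : "CCE|CCE-8912-8,800-53|IA-5,PCI|8.5.12,800-53|CM-6"
</custom_item>
<custom_item>
  type        : REGISTRY_SETTING
  description : "Account lockout threshold"
  reference   : "800-53|AC-2,800-53|AC-7,PCI|8.5.13"
</custom_item>
"""


def parse_reference(line):
    """Turn 'CCE|CCE-8912-8,800-53|IA-5,...' into {standard: [control, ...]}.

    Split each item on the first '|' only: a control id can itself contain
    the standard name, as in 'CCE|CCE-8912-8'.
    """
    refs = defaultdict(list)
    for item in line.split(","):
        item = item.strip().strip('"')
        if "|" not in item:
            continue  # malformed or empty entry; skip rather than guess
        standard, control = item.split("|", 1)
        refs[standard.strip()].append(control.strip())
    return dict(refs)


def parse_audit(text):
    """Extract description and parsed references from each custom_item block."""
    checks = []
    for block in re.findall(r"<custom_item>(.*?)</custom_item>", text, re.S):
        desc = re.search(r'description\s*:\s*"([^"]*)"', block)
        ref = re.search(r'reference\s*:\s*"([^"]*)"', block)
        checks.append({
            "description": desc.group(1) if desc else "",
            "references": parse_reference(ref.group(1)) if ref else {},
        })
    return checks


def normalize_filter(ref_filter):
    """Accept '800-53: AC-2' (display form) or '800-53|AC-2' (query form)
    and return the query form the data actually contains."""
    ref_filter = ref_filter.strip()
    if "|" in ref_filter:
        standard, control = ref_filter.split("|", 1)
    elif ":" in ref_filter:
        standard, control = ref_filter.split(":", 1)
    else:
        raise ValueError(f"filter needs STANDARD|CONTROL, got {ref_filter!r}")
    return f"{standard.strip()}|{control.strip()}"


def matches(check, ref_filter):
    """True if the check's reference line carries the given standard/control."""
    standard, control = normalize_filter(ref_filter).split("|", 1)
    return control in check["references"].get(standard, [])


def checks_for(text, ref_filter):
    """Descriptions of all checks in the audit text that match the filter."""
    return [c["description"] for c in parse_audit(text) if matches(c, ref_filter)]


def coverage_by_standard(text):
    """How many checks reference each standard at least once (a quick way to
    see whether an audit file can feed a given chapter of the report)."""
    counts = defaultdict(int)
    for check in parse_audit(text):
        for standard in check["references"]:
            counts[standard] += 1
    return dict(counts)


if __name__ == "__main__":
    print(checks_for(SAMPLE_AUDIT, "800-53: AC-2"))
    print(coverage_by_standard(SAMPLE_AUDIT))
```

Running `coverage_by_standard` over a real audit file before importing the report is a useful sanity check: a standard with zero references in the audit files you scan with will produce an empty chapter, which is a sign of an older audit file rather than a compliant environment.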