Dashboards provide a high level view of how changes in your environment are affecting your compliance policies and controls. The top level dashboard shows a series of dials that relate to a policy. All of the displayed dials belong to the same Framework. By default, a Generic framework with its own policies and controls comes packaged with the product. You can configure Frameworks, Policies and Controls to mimic the compliance structures used in your own organization like PCI, COBIT, ITIL, COSO, and so on.
Each policy dial has an associated Details link, described later in this chapter.
From the top level dashboard, select the Framework that displays the policy for which you want to see a report.
The default framework that ships with the product is called the Generic Framework. It is a starting point that you can use in creating your own framework. The following predefined policies exist in this framework:
Segregation of Duties
Network and Security
This top level dashboard will display one dial for each of these policies of the selected framework. Each policy consists of one or many controls. It is the changes that are made against these controls that result in a good or bad value being displayed for the policy dial.
To modify or create a new framework, go to Policy --> Policy Management --> Framework.
The Policy Summary dashboard portlet displays several pre-defined policies with status gauges.
These gauges or dials provide a summary view of a policy's performance, as defined by configured thresholds. Each colored section remains fixed at one-third of the dial, while the needle moves to reflect the current status as it relates to the thresholds that have been configured for the policy.
If you do not integrate with a Change Management system, the Configuration Change Console calculates the gauge settings by using a rolling average, taking into account the number of days during which change has occurred and also the number of changes during that timeframe. This rolling average for a known time period is called a baseline. The dashboard automatically develops an internal model of your pattern of operations, based upon observations taken over the period of operation. When the system is first deployed, Configuration Change Console begins to generate the historical model. Within a short period of operation (days or weeks), the system begins to understand the site's patterns and then responds accordingly, setting the needle to represent a deviation from the baseline.
If you are integrating with a Change Management system, the dials will represent percentage of unauthorized activity as detected through the Change Management reconciliation. If you have a Change Management server integrated, you can also change this Policy Summary portlet to be based on a baseline view in addition to the CM View.
Use the Dashboard Threshold Configuration screen to establish the thresholds for the dials, You can access the screen by navigating to Administration --> Server Configuration --> Dashboard Threshold Configuration.
A policy represented by a single dial in the top level dashboard's policy summary has additional data that can be accessed by clicking on the Details link in the heading of the dial portlet. Clicking on this link takes you to the second level dashboard where you will see additional change details.
The main Monthly Control Status dashboard displays several additional graphs and lists. The panes to the right of the screen categorize relevant summaries and enable access to more detailed information.
To the right of the Policy Status portlet, a status box lists the five most recent and highest priority notifications. Click a specific alert to drill down to the next level of detail, the Notification Log.
The Notification Log includes an ID number followed by a message describing the activity. For example:
File c:\finance\bin\copy of personnel_details.txt of application GlobalPayroll on device CorpHR was modified by user ultrabiz\thomas.obon at 08/16/2006 22:18:17 GMT (Local OCC Time 08/16/2006 15:18:17 PDT)
This message includes:
Object Type - Lists the type of event that triggered the alert, such as file, process, or user login
Application - Denotes the specific application that was affected
Action - Describes the activity related to the object type; for example, created, modified, or logged in
Time - Lists the time the event occurred
The current day's most active applications are listed, along with associated event counts. Only applications that have been explicitly created for your environment will be shown in this list. For details on configuring an application, see Step 5: Applications.
Click on a specific application to view the Applications screen so that you can access the details.
Clicking on the Details link for a specific policy from the top level dashboard takes you to the second level dashboard. For the selected policy, several charts and graphs that provide an at-a-glance view of the data are shown. Just below the Change Status pie chart, four tabs enable access to change and compliance summaries organized by Control, Application, User, and Device.
To access this screen, navigate to Top Level Dashboard --> Policy Dial Details link.
Change Status Pie Chart. The green area of the pie chart shows the percentage of all events that are authorized, while the red area represents the percentage of all events that are unauthorized. Not Audited events are not shown in the pie chart. If you do not have a Change Management system, this pie chart is not shown.
Authorized/Unauthorized Changes Charts. The blue line on each column chart represents a rolling average for the selected time range. If you do not have a Change Management System, this blue line is flat, reflecting the baseline value for the entire range.
Each summary contains a table related to the particular dashboard control. Click on the column headers to sort the values from highest to lowest or to toggle back to a lowest-to-highest sorting order.
A control has a mapping to a component, which can be further expanded to reveal all the instances associated with the control.
Control -- Click a specific link in the Control column to display the Application Event Visualization view associated with the application group.
Status -- If you have a Change Management system, such as Remedy or Peregrine, the status column is calculated as:
status % = authorized/(authorized + unauthorized) * 100%
Any "not audited" events are not included in this calculation. If you do not have a Change Management (CM) system, the Authorized, Unauthorized, and Not Audited columns will display a "-" and the status is calculated as:
status % = (count/baseline - 1) * 100%
Note that without a CM system, the status percentage could be negative, depending on how the count deviates from the baseline value.
Refer to the legend to evaluate the symbols shown in this column.
Count -- The Count column simply displays the total number of events associated with each control; for example, the number of Database Privilege Changes. This data is collected by a configured agent.
Authorized/Unauthorized/Not Audited -- If you do not have a Change Management system, the Authorized and Unauthorized events columns will not be displayed. If you have a Change Management system, the count of each will be shown in the table and the status column will show compliance percentage based on percentage of authorized events.
Baseline -- This baseline value represents an average of event counts and does not relate to authorized, unauthorized, or unaudited events. The baseline value is the number of events typical for a given period. For example, if you are viewing a month of data, the baseline is the number of events that will be expected to occur during the range this view covers depending on your scale setting. Likewise, for days, the baseline is the average count of events by day, for all days in the range.
Priorities and Baseline Score -- If you have a Change Management Server, you will see columns labeled Priority 1, Priority 2. These priorities are related to Audit Actions. When an audit action is created, a notification priority is assigned to it. The Priority counts shown in this table reflect the number of events (process, file, login/logout, component internal) that are mapped to an audit action with the associated priority.
The Application Summary table lists active application groups, along with a total row. Each row in this table represents an application. The values shown with an application represent the data collected from the component instances associated with the application. Component instances that are not associated with an application are not included in these values. If a component instance maps to two different applications, the events are counted in each of its application rows in the table.
Except for the first column labeled Application, the other columns contain data as described under Control Summary.
The User Summary reflects all changes by the listed users: file, process, application internals, and logins/logouts. Except for the first column, labeled User, the other columns contain data as described under Control Summary.
The Device Summary table lists counts associated with the five most active device groups that contain component instances. See Control Summary for column details, except for the first two columns:
Device Group -- Click a specific link in the Device Group column to display the Server Event Visualization view associated with the application.
Control Instances -- The Control Instances show two numbers: X of Y, where:
Note:Because this table represents a subset of the entire group, as noted in the Control Instances column, the counts reflect a percentage of the instances within the device group.
The Most Active Users summary lists the five most active users for the current day, their associated direct access application or operating system, and the count of events. This list provides a view of changes across all devices and applications by a specific user name. Click on a specific user to display details via the User Event Visualization screen.
This list shows a summary of the account changes in the current day. The counts reflect the number of user accounts that were added, deleted, or modified.
This summary provides a basic list of database user activity for the current day: Users added/deleted, changed privileges, and the average session length.
The Most Active DBAs summary lists the five most active Database Administrators for the current day, along with an event count for each. The event count is a sum of the change counts for database internal changes and the login/logout events.
To enable adherence to IT Best Practices, you must be able to validate actual changes against approved change orders. The Change Management Portlets at the bottom of the second level dashboard help provides at-a-glance change status, with access to detailed views.
The data that is displayed depends on your particular environment. If you do not have a Change Management System, these portlets will not contain data. If, however, you have a Change Management System, you will see a rich set of graphs summarizing change activity.
Planned Changes - Next 7 Days -- This column chart shows future changes based on open tickets and the planned end time of those tickets. Emergency tickets are also factored into the counts since they have a planned end time. The chart represents seven days, starting with the current day at 12:00 a.m.
Ticket Details -- This chart displays the current counts for the following ticket states:
New - tickets that are open and do not have any authorized changes associated with them
Initiated - tickets that are open and have had at least one change authorized against them
No Changes - tickets that are now closed and had no changes authorized against them
Emergency - tickets that have an emergency status, but are not yet approved
Emergency/Approved - emergency tickets that have been approved
Resolution Time - Hours -- This chart augments the Ticket Details graph. Use this chart to evaluate your organization's responsiveness to change tickets. The resolution times take into account a ticket's planned start time until one of the following activities occurs:
First Change - The time is calculated from a ticket's planned start until the ticket's first authorized change event. The resolution time is an average of all tickets that match these criteria. For example, 8.4 hours means that all tickets, from create time to first change time, have an average resolution time of 8.4 hours.
Last Change - This category represents the time from "ticket planned start" until "last authorized event."
Emergency Ticket First Change - This is similar to First Change, but for emergency tickets only.
Emergency Ticket Last Change - This is similar to Last Change, but for emergency tickets only. For this count, emergency tickets must fit the following criteria: emergency ticket was approved and closed OR the emergency ticket is still open.
Emergency Ticket to Ticket Approval - This count represents an emergency ticket's time from planned start (or creation) until the ticket was approved.
Ticket Close - This resolution value is simply derived from ticket open to ticket close times.
Last Change to Close - This value is derived from the time of the last authorized event until the ticket close time.