6 Policy Management

Policy Management relates to your Compliance Policy frameworks, policies, and controls. This is opposed to Operations Management as discussed in Chapter 5, "Operations Management" which relates to the configuration aspects of the Configuration Change Console that relate to your physical infrastructure and how it should be monitored.

Frameworks

The Framework screen displays policy frameworks available in the product. There are predefined frameworks that come with the product as templates and there are custom frameworks which are frameworks that you can create.

A Framework is simply a grouping used to contain policies. Frameworks are intended to mirror your compliance framework used in your organization. For instance, you may use the COBIT, COSO, or PCI framework. Each of these is an example of what a framework in this product would be.

Configuration Change Console comes with a set of predefined frameworks which can be used to create custom frameworks specific to your environment. Once a custom framework has been created, it will be displayed on the Framework screen. Only custom frameworks may be used for reporting purposes. In order to use a predefined framework, you first need to save the predefined framework as a custom framework and modify it as necessary.

A user can create as many frameworks as necessary if they follow more than one policy framework. For instance, a large company may use both SOX and PCI frameworks for different parts of their environment.

To access this screen, navigate to Policy --> Policy Management --> Frameworks.

The frameworks screen lists all predefined frameworks. You can choose the view drop down in the filter bar to see predefined frameworks instead. Predefined frameworks cannot be instantiated in your environment, but they can be copied to a new custom framework.

The fields shown on this screen are listed below:

• Framework - The name of the framework. A framework name must be unique from all other framework names defined through this screen.

• Description - User-entered descriptive field of the framework for reference.

• Policies - A count of custom policies that have been created that are part of this framework. A policy is only part of one framework. However you can have two policies with the same name if they belong to different frameworks.

  Clicking on the count link will display the Policy Listing screen which will be filtered by the selected framework.

The filter bar allows you to change the view for this screen. The following are the two views available.

• Predefined Frameworks - Lists only predefined frameworks that come prepackaged with the product. From here, you can navigate and view policies and controls that are defined for the framework, but you cannot use them for reporting. You need to find a framework to use and then on the framework edit screen click the Save As button to save this framework as a custom framework.

• Custom Frameworks - Custom frameworks are the frameworks that you create that match real life policy frameworks in your organization. They can be based on industry standard frameworks like PCI, COBIT, COSO, or can be custom in-house structured frameworks.

Modifying or Creating New Frameworks

To access this screen, navigate to either Policy -> Policy Management-> Frameworks > Add Custom Framework or Policy -> Policy Management-> Frameworks > Framework name link.

The Add or Update Framework screen allows an administrator to create or update a framework. A Framework is simply a grouping used to hold policies. Frameworks should mirror your compliance framework used in your organization. For example, you may use the COBIT, COSO, or PCI framework.

Once you create a framework, you then create (or copy from predefined frameworks) policies that comprise the policy framework you are going to use.

The following fields are displayed:

• Framework - Name for the framework.

• Description - Brief note describing the function of the framework.

• Framework Text - This can be a much more detailed description of the framework describing the use cases and purpose of the framework.

Note:

An asterisk next to a field indicates required input.

Copying a Framework

Use the following steps to copy an existing predefined or custom framework.

Click on the Save As button when viewing the Add or Update Framework screen for a custom or predefined framework.

Change the name and descriptive fields as necessary. Check the appropriate check boxes indicating what other objects you want to save when copying the framework. These check boxes are mutually inclusive, in other words, you cannot copy controls without also copying policies.

• Policies - Will additionally make a copy of all policies and assign them to the new framework name

• Controls - Will make a copy of all controls and assign them to each policy that is also copied.

  Selecting this option should be used with care. In normal situations, controls can be shared across policies. Checking this box will actually copy all of the controls rather than mapping already existing ones, so you will have a new version of the controls with the string copy of prepended to each control.

• Components - Will also copy the components assigned to the controls if you check this check box.

Click Save to save the changes or Reset to reset the fields. You can click Cancel at any time to exit the screen without saving the copy.

Policies

To access this screen, navigate to Policy --> Policy Management --> Policies.

The Policies screen displays compliance policies available in the product for reporting. There are policies that are predefined that come with the product as templates and there are custom policies which are the ones that you can create.

A policy in the console maps directly to the compliance policies you use in your organization. For instance, there is a "Manage Installation" policy in the COBIT standard framework. This would be one policy configured on this screen.

Configuration Change Console comes with a set of predefined frameworks each with their own policies, which can be used to create custom policies specific to your environment. Once a custom policy has been created, it will be displayed on this Policies screen. Only custom policies may be used for reporting purposes. In order to use a predefined policy, you first must save the predefined policy as a custom policy and modify it as necessary.

A user can create as many policies as necessary to map to their internal compliance structure. The fields shown on this screen are displayed below:

• Framework - The name of the framework the policy belongs to. A policy can only belong to one framework. It is possible however to have many policies with the same name as long as each belongs to a different framework.

• Policy - The name of the policy. A policy can only belong to one framework. It is possible however to have many policies with the same name as long as each belongs to a different framework.

  The link on this field takes the user to the Add or Update a Policy field where the user can modify the existing policy or save a copy as a new policy.

• Description - User-entered descriptive field of the policy for reference.

• Controls - A count of custom controls that have been created that are assigned to this policy. A control can be shared across many framework/policy combinations.

Clicking on the count link will display the Controls listing screen which will be filtered by the selected framework and policy.

The filter bar has a field that allows you to change the view for this screen. The following are the three views available:

• Predefined Policies - Lists only predefined policies that come prepackaged with the product. From here you can navigate and view controls that are already defined and assigned to the policy, but you cannot use them for reporting. You must find a policy you would like to use, and then on the policy edit screen click the Save As button to save this policy as a custom policy.

• Custom Policies - Custom policies are the policies that you create that match real life policies in your organization. They can be based on industry standard framework policies like COBIT's "Manage Installation", or can be custom in-house structured policies.

• Framework - This filter option lets you see only policies associated with a specific framework. This is useful if your organization uses more than one framework for compliance reporting.

Modifying or Creating New Policies

To access this screen, navigate to either Policy -> Policy Management-> Policies > Add Custom Policy or Policy -> Policy Management-> Policies > Policy name link.

The Add or Update a Policy screen allows an administrator to create or update a policy. A policy in the console maps directly to the compliance policies you use in your organization. For instance, there is a "Manage Installation" policy in the COBIT standard framework. This would be one policy configured on this screen.

Once you create a policy, you then create (or copy from predefined policies) controls that will be assigned to components defined to mimic your organizations applications components.

The following fields are displayed:

• Policy Name - Name for the policy

• Framework - Drop-down list that allows you to select which framework to which this policy belongs. You cannot create a policy without at least one custom framework already existing

• Description - Brief note describing the function of the policy

• Policy Text - This can be a much more detailed description of the policy describing the use cases and purpose of the policy

• Reference URL - A URL that will be used to link the user to a document or application that contains the policy details

• Owner - An assigned owner of the policy selected from configured people in the Console product

Note:

An asterisk next to a field indicates required input.

Copying a Policy

Follow these steps to copy an existing predefined or custom framework:

1. Click on the Save As button when viewing the Add or Update Policy screen for a custom or predefined policy.

2. Change the name in the Save As Name field and descriptive fields as necessary

3. Check the appropriate check boxes indicating what other objects you want to save when copying the policy. These check boxes are mutually inclusive. In other words, you cannot copy components without also copying controls.

   • Controls - Will make a copy of all controls and assign them to each policy that is also copied

     Selecting this option should be used with care. In normal situations, controls can be shared across policies. Checking this box will actually copy all of the controls rather than mapping already existing ones, so you will have a new version of the controls with the string copy of prepended to each control.

   • Components - Will copy the components assigned to the controls also if you check this check box.

4. Click Save to save the changes or Reset to reset the fields. You can click Cancel at any time to exit the screen without saving the copy.

Controls

The Controls screen displays compliance policy controls available in the product for reporting. There are controls that come predefined with the product as templates and there are custom controls which you create manually or can be created by copying a predefined control.

A control in the console maps directly to the granular policy controls that you use in your organization. For instance, there is a "Testing Changes" control wich is part of the Cobit "Manage Installation" policy in the COBIT standard framework. A control is the most granular element in the compliance mapping capability of the product. Controls are mapped to components so that events that happen to each component can be reported against those mapped controls. This mapping relationship is effectively what relates an event to a policy.

Configuration Change Console comes with a set of predefined controls, which can be used to create custom controls specific to your environment. Once a custom control has been created, it will be displayed on the Controls screen. Only custom controls may be used for reporting purposes and mapped to components. In order to use a predefined component, you first need to save the predefined component as a custom component and modify it as necessary.

A customer can create as many controls as necessary to map to their internal compliance structure. A single control can also be assigned to any number of policies. For instance, you may have two policies that both have the same Emergency Changes control.

The fields shown on this screen are displayed below:

• Control - The name of the control. A control can be assigned to many policies. Clicking on this control name to get to the Add or Update Control screen displays the policies to which this control is mapped

• Version - A user-defined version for this control

• Description - User-entered descriptive field of the control for reference

• Components - A count of components that have been created that are assigned to this control. All instances of the component are assigned to the control automatically. Any event that happens to a component will be mapped to the controls that are assigned to the component

Clicking on the count link will display the Assign Components to Control screen where the assignments can be modified.

The filter bar displays a field that allows you to change the view for this screen. The following are the options available:

• View > Predefined Policies - Lists only predefined controls that come prepackaged with the product. From here, you can navigate and view controls that are already defined but you cannot use them for reporting. To save a control as a custom control, find a control you would like to use and on the control edit screen click the Save As button.

• View > Custom Policies - Custom controls are controls that you create that match real life policy controls in your organization. They can be based on industry standard framework policy controls like COBIT's "Emergency Changes" control which is part of the Manage Installation policy, or can be custom in-house structured components.

• Framework - This filter option lets you see only controls associated with a specific framework. This is useful if your organization uses more than one framework for compliance reporting.

• Policy - This drop-down list lets you filter the controls to view only controls that are mapped to a specific policy. Since controls can be mapped to multiple policies, it is possible to see the same results even if you change the policy drop-down filter.

Modifying or Creating New Controls

To access this screen, navigate to either Policy -> Policy Management-> Controls > Add Custom Control or to Policy -> Policy Management-> Controls > Control name link.

From the Add or Update Control screen, you can define a control that will later be associated with a component. Enter or select the following parameters:

• Control Name - Original name for the control you are copying

• Version - A user-defined version number for the control used to distinguish multiple iterations of the same control that may be in use at the same time in an organization

• Description - Brief note describing the function of the control

• Control Text - This can be a much more detailed description of the control describing the use cases and purpose of the control

• Document URL - A URL that will be used to link the user to a document or application that contains the control details

• Policies - Select the Framework/Policy combinations to which you want to assign this control. You can select more than one by holding down the Control (CTRL) key while you select

You can unselect all by clicking on the None line at the top without holding down the Control (CTRL) key.

Copying a Control

To access this screen, navigate to Policy -> Policy Management-> Controls > Control name link > Save As button.

The Copy a Control screen allows an administrator to copy an existing custom or predefined control. A control in the console maps directly to the granular policy controls that you use in your organization. For instance, there is a "Testing Changes" control which is part of the COBIT "Manage Installation" policy in the COBIT standard framework. A control is the most granular element in the compliance mapping capability of the product. Controls are mapped to components so that events that happen to each component can be reported against those mapped controls. This mapping relationship is effectively what relates an event to a policy.

When you view one existing custom or predefined control and click the Save As button to make a copy, the following fields are displayed. Filling out this form and clicking Save will create the copy.

The following fields are displayed:

• Control Name - Original name for the control you are copying

• Save As Name - The name you want to give to the new custom control this copy will be saved as

• Version - A user-defined version number for the control used to distinguish multiple iterations of the same control that may be in use at the same time in an organization

• Description - Brief note describing the function of the control

• Control Text - A more detailed description of the control describing the use cases and purpose of the control

• Document URL - A URL that will be used to link the user to a document or application that contains the control details

• Policies - Select the Framework/Policy combinations to which you want to assign this control. You can select more than one by holding down the Control (CTRL) key while you select. You can unselect all by clicking on the None line at the top without holding down the Control (CTRL) key

• Include - Choose whether you want to also copy the components that are assigned to the control

Assigning Components To a Control

To access this screen, navigate to Policy -> Policy Management-> Controls > Components count link.

This screen enables you to change the components that are assigned to this control. Control assignment is how component changes get reported up through the control/policy/framework reporting structure. For instance, to report changes on the top level dashboard, you must assign components to a control and likewise have that control assigned to a policy. Through the component screens, you can also assign controls to components in the other direction.

The subtitle of the screen provides a context for the control to which you will be assigning components. For example:

Control: Application Change

Click on + to expand the Component Types to view the list of components of each type. Already selected components will be both checked and listed in a bold font.

Select the components to assign to the control by using one of these methods:

• Clicking the check box for the control

• Clicking the Selection Helper link to select a group of templates based on pattern matching. Note that pattern matching is case sensitive