This is the second in a four-part series on the vulnerability management reporting capabilities of InsightVM.
If you operate in any sort of regulated industry, as the majority of companies do today, you are likely beholden to compliance frameworks that require you to build your systems according to industry-standard benchmarks. So you scour the documentation, implement the recommended configurations, and then realize you have no way to prove what you have accomplished, or to know whether deviations have crept in over time that need to be addressed.
Benchmarks such as the popular CIS benchmarks are a great frame of reference for building your systems securely, and many regulatory requirements, such as PCI DSS, call for hardening systems to an industry-accepted standard. Demonstrating whether your systems stand up to those benchmarks, or where they deviate from them, requires particular reporting capabilities. If you are an InsightVM customer, you can run the Policy Compliance Status Report to document exactly this.
In this post, we’ll show you what this report entails and how it can help you validate your status and meet particular compliance requirements.
About the report
The InsightVM Policy Compliance Status Report specifically measures benchmark configurations of your systems by analyzing your configuration management, then showing you how your systems match up to the industry-standard benchmarks. This can help you quickly pinpoint where there are deviations and whether they need to be fixed in order to remain compliant or pass an audit.
After setting up InsightVM or configuring your systems, you can run an initial report to see where you stand. As your systems change and improve over time, you can continue to run these reports to keep your benchmarks in check and always be in the know.
Measuring up to compliance benchmarks
Though the CIS benchmarks are by far the most popular of all, we also measure against benchmarks using the United States Government Configuration Baseline (USGCB), Federal Desktop Core Configuration (FDCC), and Defense Information Systems Agency Security Technical Implementation Guides (DISA-STIG). We support all of these popular industry benchmarks to meet your needs in building secure systems based on any of these peer-reviewed standards.
Each of these bodies develops its standard through a panel of experts who determine what best practices and a secure configuration look like at the system level. InsightVM takes these benchmarks, which document each required setting, and measures your systems against them, so you can see which secure configuration settings you are missing.
How to measure your systems to a compliance benchmark
First, select which compliance benchmark you want your systems measured against. Here is a guide for setting this up.
When you generate the Policy Compliance Status Report, the first thing you’ll see is the percentage of your systems that are compliant and noncompliant. This gives you a bird’s-eye view so you can quickly determine how far off you are (or aren’t!) and will help you scope out what work needs to be done.
You can also drill down to see how your systems measure up to each of the individual policies in your selected benchmark framework. This information is useful as you begin to take action so you can zero in on what can be done to fix any deviations.
Of course, industry standards can be extremely stringent, and you may have more custom needs the standards don’t speak to. In that case, you can take a risk-based or need-based approach and allow a deviation from these standards. In the InsightVM report, you can represent these as overrides so that it’s clear where this occurs and why. See this guide on setting up policy overrides. You can also customize some of the policy values or turn rules off and on, if they do not apply to your environment. Additionally, InsightVM allows you to measure up to your own policies, such as those defined by Windows Group Policy.
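As an added illustration, not InsightVM code and not the product's own scoring logic, here is a small Python model of how a policy compliance status report can be computed from per-rule check results: rules that are turned off are excluded from scoring, accepted deviations are recorded as overrides together with their justification and approver, and the output gives both the bird's-eye compliant percentage and the per-rule drill-down. The rule identifiers, asset names, expected values and configuration data are constructed for the example.

```python
"""Model of a benchmark compliance status report with rule toggles and
documented overrides. Added example, not InsightVM code; all rule IDs,
asset names and values below are constructed for illustration."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass
class Rule:
    rule_id: str
    title: str
    expected: Any          # the benchmark's required setting value
    enabled: bool = True   # a rule turned off is excluded from scoring


@dataclass
class Override:
    rule_id: str
    justification: str      # why the deviation is accepted (risk- or need-based)
    approved_by: str
    asset: Optional[str] = None   # None means the override applies to every asset


@dataclass
class CheckResult:
    status: str             # "pass", "fail" or "override"
    observed: Any
    note: str = ""


# Constructed benchmark excerpt (hypothetical rule IDs, not real CIS identifiers).
RULES: List[Rule] = [
    Rule("PW-01", "Minimum password length is 14", 14),
    Rule("SVC-01", "Telnet service is disabled", "disabled"),
    Rule("LOG-01", "Audit logging is enabled", True),
    Rule("FW-01", "Host firewall is enabled", True, enabled=False),  # turned off here
]

# Constructed observed configuration per asset, keyed by rule ID.
ASSETS: Dict[str, Dict[str, Any]] = {
    "web-01": {"PW-01": 14, "SVC-01": "disabled", "LOG-01": True, "FW-01": False},
    "db-01": {"PW-01": 12, "SVC-01": "disabled", "LOG-01": True, "FW-01": True},
    "legacy-01": {"PW-01": 14, "SVC-01": "enabled", "LOG-01": False, "FW-01": False},
}

# Constructed override: a documented, approved deviation for one asset only.
OVERRIDES: List[Override] = [
    Override("PW-01", "vendor application limits service account length; MFA enforced",
             "security-lead", asset="db-01"),
]


def evaluate(rules: List[Rule], assets: Dict[str, Dict[str, Any]],
             overrides: List[Override]) -> Dict[str, Dict[str, CheckResult]]:
    """Return {asset: {rule_id: CheckResult}} covering enabled rules only."""
    by_rule: Dict[str, List[Override]] = {}
    for o in overrides:
        by_rule.setdefault(o.rule_id, []).append(o)
    results: Dict[str, Dict[str, CheckResult]] = {}
    for asset, config in assets.items():
        per_asset: Dict[str, CheckResult] = {}
        for rule in rules:
            if not rule.enabled:
                continue
            observed = config.get(rule.rule_id)
            if observed == rule.expected:
                per_asset[rule.rule_id] = CheckResult("pass", observed)
                continue
            applicable = [o for o in by_rule.get(rule.rule_id, [])
                          if o.asset is None or o.asset == asset]
            if applicable:
                o = applicable[0]
                per_asset[rule.rule_id] = CheckResult(
                    "override", observed,
                    f"accepted deviation: {o.justification} (approved by {o.approved_by})")
            else:
                per_asset[rule.rule_id] = CheckResult(
                    "fail", observed, f"expected {rule.expected!r}")
        results[asset] = per_asset
    return results


def summarize(results: Dict[str, Dict[str, CheckResult]]) -> Dict[str, Any]:
    """Bird's-eye percentages plus a per-rule pass/fail/override drill-down.
    An asset is compliant when none of its enabled rules is a plain failure."""
    total = len(results)
    compliant = sorted(a for a, r in results.items()
                       if all(c.status != "fail" for c in r.values()))
    per_rule: Dict[str, Dict[str, int]] = {}
    for r in results.values():
        for rule_id, c in r.items():
            bucket = per_rule.setdefault(rule_id, {"pass": 0, "fail": 0, "override": 0})
            bucket[c.status] += 1
    pct = round(100.0 * len(compliant) / total, 1) if total else 0.0
    return {"compliant_percent": pct, "noncompliant_percent": round(100.0 - pct, 1),
            "compliant_assets": compliant, "per_rule": per_rule}


if __name__ == "__main__":
    report = evaluate(RULES, ASSETS, OVERRIDES)
    summary = summarize(report)
    print(f"{summary['compliant_percent']}% compliant, "
          f"{summary['noncompliant_percent']}% noncompliant")
    for rule_id, counts in summary["per_rule"].items():
        print(rule_id, counts)
    for asset, checks in report.items():
        for rule_id, c in checks.items():
            if c.status != "pass":
                print(f"{asset} {rule_id}: {c.status} (observed {c.observed!r}) {c.note}")
```

In this model an override never hides a deviation: the observed value and the justification stay in the per-asset detail, so the report still shows where and why the benchmark was not followed, while the asset is not counted as noncompliant for an accepted, approved exception.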
Want to learn more about InsightVM reports? Check out Part 1 of this series, "New InsightVM Executive Report Provides Key Details on Team Progress."