Policy Compliance

1 Qualys, Inc. Corporate Presentation

 Agenda

§ Qualys Unified Compliance Overview

§ Policy Compliance Sensors
§ Policy Compliance Application Setup
§ Compliance Overview & Qualys Control Library
§ User Defined Controls
§ Compliance Scanning
§ Policies
§ Compliance Reports

2 Qualys, Inc. Corporate Presentation

Qualys Training & Certification Portal

qualys.com/learning
1. Policy Compliance Lab
Tutorial Supplement
2. Policy Compliance Slides
for Lab Tutorials
 Play Lab Tutorials

4 Qualys, Inc. Corporate Presentation

 Qualys Unified Compliance Overview

5 Qualys, Inc. Corporate Presentation

 Qualys Unified Compliance Solutions

IT Compliance IT Compliance PCI DSS File

CloudView Out-of-band
Technical Administrative Compliance Integrity Configuration
Controls Controls Monitoring
Automate PCI Generate inventory Assessment
Automate risk compliance testing, of assets across
Define and monitor IT Log and track file
management process reporting and public clouds
security standards changes across
for third parties like submission Extract
aligned to regulations global IT systems
vendors, suppliers and Detect and respond configuration data
contractors. Benefit from the to from host assets.
Out-of-the-box content Out-of-the-box
Approved Scanning profiles to meet misconfigurations
to fast-track For disconnected or
Create campaigns Vendor (ASV) common and non-standard
assessments using air-gapped
with pre-built and requirements that deployments using
industry best practices compliance and
custom templates Qualys PCI fulfils Cloud Security networks.
audit
requirements Assessment

6
 Policy Compliance Sensors

7 Qualys, Inc. Corporate Presentation

 Compliance Delivered Through Multiple Sensors

Scalable, self-updating & centrally managed

Scanners Cloud Agents Out-of-band

Virtual or Hardware Light weight, multi-platform Extract IT, configuration,
and vulnerability data for
Legacy data centers On premise, elastic assets
cloud & endpoints
Corporate For disconnected (air-
infrastructure Real-time data collection gapped) networks

Continuous evaluation on
Continuous security
platform for security and
and compliance
scanning compliance

8 Qualys, Inc. Corporate Presentation

Scanner and Agent Sensors

Remote Users
LAN 1 • AWS
• Azure
• Google

LAN 2 DMZ

Qualys Cloud Platform

• Deploy Qualys Scanners and/or Agents, to collect compliance data points.

 OCA Architecture
Air-Gapped Network

• Highly Secure Devices

• Legacy Systems
• Highly locked down
systems
Data capture

1
Qualys Cloud Platform

Data transfer Tagging and Assessment

2 4
Data Upload
Internet Connected Network
3

Management Client

10 Qualys, Inc. Corporate Presentation

 Policy Compliance Application Setup

11 Qualys, Inc. Corporate Presentation

 Add Scannable Hosts

• Add “scannable”
hosts to Policy
Compliance (PC).
• Alternatively, add
hosts to Security
Configuration
Assessment
(SCA).

12 Qualys, Inc. Corporate Presentation

 Add Agent Hosts

• Install agent hosts with

an Activation Key that
has Policy Compliance
(PC) or Security
Configuration
Assessment (SCA)
enabled.
• Alternatively, you can
activate the PC or SCA
module after Cloud
Agent has been installed.

13 Qualys, Inc. Corporate Presentation

 Import
OCA Hosts

§ Use Qualys Out-of-

Band Configuration
Assessment (OCA), to
import host assets
into your Policy
Compliance
subscription.
 LAB Tutorial 1

Policy Compliance Assets

10 min. (page 3)

15 Qualys, Inc. Corporate Presentation

 Asset Groups
§ Asset groups allow you to manually group “scannable” assets in your
account.
§ Asset groups can contain a random collection of “scannable” assets or they
can be designed around specific characteristics, such as:
• Device type
• System priority or criticality 192.168.1.0/24
• Geographic or network boundaries
• Asset ownership
• and more ...

§ Asset Groups cannot be nested.

§ A matching Asset Tag is created for each Asset Group.

16 Qualys, Inc. Corporate Presentation

 Asset Tags
Asset Tagging provides a more flexible and scalable way label and organize the
assets in your subscription.
Automated
Static Tags discovery and
§ Assigned manually to host assets. tagging
§ Commonly used as the starting point of an Asset Tag
Hierarchy.

Dynamic Tags
§ Host assignment is determined by Asset Tag Rule
Engine.
§ Tags dynamically change with updates to host.

Asset Tag Hierarchy

§ Tags are typically nested, creating various parent/child
relationships.
§ Targeting a parent tag automatically includes its child
tags.

17 Qualys, Inc. Corporate Presentation

OCA Asset Tag

§ OCA Host will appear in your Policy Compliance subscription.

§ All OCA assets will automatically receive an OCA tag.
 Policy Scope
• Asset Groups and Asset Tags – define the “Scope” of a Policy

19 Qualys, Inc. Corporate Presentation

 LAB Tutorial 2

Policy Scope: Asset Groups & Tags

10 min. (page 6)

20 Qualys, Inc. Corporate Presentation

 User Privilege Hierarchy
Standard User Roles

Most privileged

Manager Subcription Management

Unit Manager Business Unit Management

Scanner
Compliance Scans Search the online help for
Network Discovery Maps “User Roles Comparison”
for a complete list.
Reader Compliance Reporting

Least privileged

21 Qualys, Inc. Corporate Presentation

 Auditor User Role
• Has oversight responsibility for the compliance process and is responsible for
approving exceptions
• Can create policies, controls and reports
• Cannot run Compliance scans or join a Business Unit
• Qualys Security Configuration Assessment (SCA) does not support the ”Auditor” role
and exception reporting.

22 Qualys, Inc. Corporate Presentation

 Add Users to Policy Compliance

• By default, Managers
and Auditors have
access to PC.
• Unit Managers,
Scanners, and
Readers must be
granted “extended”
permissions to access
PC.

23 Qualys, Inc. Corporate Presentation

 Compliance Overview & Qualys Control Library

24 Qualys, Inc. Corporate Presentation

 Qualys Policy Compliance

Policy Compliance
Define, Audit and Document IT Security Compliance

• Automates the assessment of thousands of technical security controls.

• Documents evidence where your organization has discovered and fixed

misconfigurations and lapses.

• Provides proof of compliance across multiple compliance frameworks and

mandates.

• Helps to configure and secure host systems, to guard against known threats.

25 Qualys, Inc. Corporate Presentation

 Path To Compliance 1. Data points are defined
within each CID in the
Control Library.

Qualys Control
Library (CIDs) 2. Compliance scan collects
ACTUAL “data points” from
target hosts.

3. Qualys Policy specifies the

EXPECTED values for all
host “data points”
Scan Results Policy
(ACTUAL) (EXPECTED) 4. Policy Report compares
actual to expected values,
producing PASS/FAIL status

5. Interactive Reports are used

to request exceptions for
Policy Report Exceptions FAILED controls
(PASS/FAIL)

26 Qualys, Inc. Corporate Presentation

 Compliance Hierarchy - a “Top – Down” Approach
Regulations SOX CobiT PCI
Framework Level HIPAA COSO NIST
Frameworks NERC
GLBA ISO17799

Policies & A High-level description of your organization’s goals and

Business objectives for addressing security requirements within
Requirements applicable regulations and frameworks.

Standards, Specific and recommended steps for meeting objectives

Procedures & within your security policies (including specific software
Guidelines and technology requirements).

Baseline (minimum) requirements and configuration

Controls settings for securing and assessing OS and application
Detailed Technical
technologies.
27
 Control Library

§ Locate thousands of baseline configuration settings and controls in the

Qualys Control Library.

28 Qualys, Inc. Corporate Presentation

SCAP
Support
• Import policies from the
Qualys SCAP policy library.
• Upload your own custom
SCAP policies.
• Perform SCAP scans to
check compliance against
SCAP 1.0, 1.1, and 1.2.

Qualys, Inc. Corporate Presentation 29

 Control Library

• Controls are the building blocks of all policies

• Each control has a unique Control ID (CID)

Types of Controls:

System Defined Control (SDC) - These are controls provided by Qualys.

User Defined Control (UDC) - These are custom controls that users create.

30 Qualys, Inc. Corporate Presentation

 User Defined Controls

31 Qualys, Inc. Corporate Presentation

 User Defined Controls

§ User Defined Controls (UDCs) allow you to perform custom compliance

assessments of your unique systems and network environments.
§ UDC control types are available for Windows, Unix/Linux, and Database
technologies.
§ Successful UDC creation requires: 1) an understanding of compliance and
regulatory requirements and 2) technical systems and network configuration
knowledge.
§ Managers and Auditors can add UDCs to the subscription. You may also extend
this privilege to Unit Managers.
§ UDCs (and the Control Library) are exclusive to the Policy Compliance (PC)
application and are not available in Security Configuration Assessment (SCA).

32 Qualys, Inc. Corporate Presentation

 UDC Components

§ Statement or Title - Name that appears in the Control Library.

§ Category – Group controls of the same type.
§ Criticality – (1) Minimal, (2) Medium, (3) Serious, (4) Critical, (5) Urgent
§ Comments – Include text to quickly find your UDCs.
§ Reporting Options – Specify if/when to ignore errors.
§ Scan Parameters - Targeted datapoint or configuration setting (this is
what is collected during a scan).
§ Default Value - Evaluation expression and expected value for each control
technology (this determines PASS/FAIL results).

33 Qualys, Inc. Corporate Presentation

 Scan Parameters

§ The Scan Parameters specify the datapoint this control is targeting (File path,
Directory path, Registry key, Registry value, Group name, Share user, Path user,
Query etc...).
§ Data Type (Return value of control: Boolean, Integer, String, String List, Line List).

34 Qualys, Inc. Corporate Presentation

 Default Value

2 = Automatic, 3 = Manual, 4 = Disabled

§ Rationale (Explain the reasoning or logic for the assessment)
§ Default Value (Expected value of the collected datapoint)

35 Qualys, Inc. Corporate Presentation

 Unix Control Types

36
 Lab Tutorials 3 and 4

• File Content Check UDC (page 9)

• File Integrity Check UDC (page 10)

15 min.

37 Qualys, Inc. Corporate Presentation

Windows Control Types

38
 Lab Tutorials 5 and 6

• Registry Value Content Check UDC (page 12)

• WMI Query Check UDC (page 13)

15 min.

39 Qualys, Inc. Corporate Presentation

 Database Control Types

40
 Compliance Scanning

41 Qualys, Inc. Corporate Presentation

 Path To Compliance
1. Data points are defined
within each CID in the
Control Library.
Qualys Control
Library (CIDs) 2. Compliance scan collects
ACTUAL “data points” from
target hosts.

3. Qualys Policy specifies the

EXPECTED values for all
host “data points”
Scan Results Policy
(ACTUAL) (EXPECTED)
4. Policy Report compares
actual to expected values,
producing PASS/FAIL
status

Policy Report Exceptions 5. Interactive Reports are

(PASS/FAIL) used to request exceptions
for FAILED controls

42 Qualys, Inc. Corporate Presentation

Policy Compliance and SCA Sensors

Remote Users
LAN 2 • AWS
• Azure
• Google

LAN 1 DMZ

Qualys Cloud Platform

 Qualys Cloud Agent

44 Qualys, Inc. Corporate Presentation

 Cloud Agent Overview

§ Qualys Cloud Agent installs as a local SYSTEM service.

§ Qualys Cloud Agent serves as a “data collector” -- collected data
and metadata is sent to the Qualys Cloud Platform for testing.
§ Most data transmissions from the agent to the Qualys Cloud
Platform, focus on host changes (deltas) and do not include data
already sent.
§ Network filtering devices have less impact on agent data
transmissions (i.e., outbound tcp/443).

45 Qualys, Inc. Corporate Presentation

 Agent OS Support

• Qualys Cloud Agent supports multiple operating systems.

46 Qualys, Inc. Corporate Presentation

 Agent Scan Interval

• Qualys Cloud Agent

performs compliance
scans at regular
frequencies for the
Policy Compliance
(PC) and Security
Configuration
Assessment (SCA)
applications.

47 Qualys, Inc. Corporate Presentation

 Activate Middleware Assessment

§ Add Middleware manifest to PC/SCA agents, as soon as middleware technologies

are detected.
§ Enable for all PC/SCA agents from: Assets > Setup > Middleware Assessment.

48 Qualys, Inc. Corporate Presentation

 Middleware Technology Found

§ Agent supported Middleware technology instances are automatically discovered, even if

they’re located in non-default directories or folders.
§ Data is retrieved from HKU registry hive, to detect application instances (such as Chrome
or Firefox) belonging to multiple user profiles.

49 Qualys, Inc. Corporate Presentation

 Qualys Scanner Appliance

50 Qualys, Inc. Corporate Presentation

 Scan Components
Scan
(On-Demand or Scheduled)

Scanner
Compliance Profile Assets
appliance

Scan Preferences Groups

Authentication
Tags
(required)

IP addresses

51 Qualys, Inc. Corporate Presentation

 Compliance Profile

52 Qualys, Inc. Corporate Presentation

 Performance

§ High – Optimized for networks with

abundant bandwidth.
§ Normal - Recommended as best
practice. Well balanced between
bandwidth usage and performance.
§ Low - Optimized for low bandwidth
network connections.

53 Qualys, Inc. Corporate Presentation

 Scan Restriction - Scan by Policy

• Restrict scans to only those controls contained in the policy(s) you specify.
• “Scan by Policy” is required by Qualys Security Configuration Assessment
(SCA).

54 Qualys, Inc. Corporate Presentation

 Set Limits On Database Control Types

§ Set a limit on the number of rows

to be returned per scan for:

• MS SQL Database
checks
• Oracle Database
checks
• Sybase Database
checks

55 Qualys, Inc. Corporate Presentation

 Control Types

§ Select these control types for UDCs that perform file integrity monitoring or WMI
queries.
§ If using the “Scan by Policy” option, the need for these control types will be determined
by the CIDs in the targeted policy(s).

56 Qualys, Inc. Corporate Presentation

 Auto Update Expected Value

• When enabled, an integrity check control’s EXPECTED value will be

automatically updated with the ACTUAL value returned by the most
recent scan.
• Integrity Check Controls must be configured with “Use scan data as
expected value”.

57 Qualys, Inc. Corporate Presentation

 Dissolvable Agent for Windows

§ Some Windows checks require the Dissolvable Agent.

§ Temporary agent ”dissolves” when the task completes.
§ If using the “Scan by Policy” option, the need for a Dissolvable Agent will be determined by
the CIDs in the targeted policy(s).

58 Qualys, Inc. Corporate Presentation

 Ports

§ Because authentication is required, a “Targeted Scan” is effective using a smaller list of

ports than the “Standard Scan” option and is the recommended setting.

59 Qualys, Inc. Corporate Presentation

 System Authentication Records
Instance Discovery

§ Run scans to
automatically discover
running technology
instances and create
their System
Authentication Records.
§ Use the system
generated records to
perform compliance
scans and assess these
technologies on targeted
hosts.
§ See Qualys PCSBP
Training course for more
information .

60 Qualys, Inc. Corporate Presentation

 SCA Scanning
Options
§ Compliance Profiles in
Qualys Security
Configuration Assessment
(SCA), have four basic
scanning options:
1. Performance
2. Scan Restriction
3. Dissolvable Agent
4. Ports

Qualys, Inc. Corporate Presentation

 LAB Tutorial 7

Compliance Profile

10 min. (page 16)

62 Qualys, Inc. Corporate Presentation

 Session Break

30 min.

63 Qualys, Inc. Corporate Presentation

 Authentication

64 Qualys, Inc. Corporate Presentation

 Authentication is Required

• Compliance scans must be performed in “authenticated” mode. By

default, Qualys Cloud Agent has SYSTEM level privileges on its
host.
• If authentication fails for any host, the Qualys Scanner Appliance
will move to the next target.
• For Windows hosts that do not provide Remote Registry Service,
perform scans with the Dissolvable Agent enabled.
• While Qualys Cloud Agent (by default) has SYSTEM level access to
its host, it does not possess application-level credentials (e.g.,
databases, Web servers, middleware applications, etc...)

65 Qualys, Inc. Corporate Presentation

 Windows Authentication Security

66 Qualys, Inc. Corporate Presentation

 Unix Authentication Security

§ Root Delegation

§ Private Key/Certificate

67 Qualys, Inc. Corporate Presentation

 Authentication Vaults

• In large organizations where thousands of machines are

scanned regularly managing passwords is a challenge

• Some organizations are reluctant to let their credentials

leave the network

• Qualys integrates with multiple third-party password

vaults for secure authentication

• Each Vault solution has its own set of configuration

requirements

68 Qualys, Inc. Corporate Presentation

 Vault Integration: How it works
1. User launches a
trusted scan from the
Qualys Cloud Qualys SOC.

2. The scanner appliance

get the credentials
from the Vault.
1 4
Vault Server
2 3. The scanner appliance
Scanner
scans the target using
the credentials
3

4. Scan results are

exported to the Qualys
SOC.
Target Host

69 Qualys, Inc. Corporate Presentation

 Scan Results

70 Qualys, Inc. Corporate Presentation

 Launch Compliance Scan

§ Verify authentication
records prior to launching
compliance scans.
§ All scans include:
1. Scan Title
2. Compliance Profile
3. Scanner Appliance
4. Target Hosts
§ Asset Groups
§ IP Address Range
§ Asset Tags

BEST PRACTICE: Schedule

Scans to run daily, weekly, or
monthly.

71 Qualys, Inc. Corporate Presentation

 LAB Tutorial 8

Launch Compliance Scan

10 min. (page 18)

72 Qualys, Inc. Corporate Presentation

 Scan Results – Authentication Issues
If scan results show insufficient privileges, it implies that Qualys scanning account
was not able to access data needed to perform one or more compliance assessment
tests.

73 Qualys, Inc. Corporate Presentation

 Scan Results - Application Technologies Found

74 Qualys, Inc. Corporate Presentation

 Policies

75 Qualys, Inc. Corporate Presentation

 Path To Compliance 1. Data points are defined
within each CID in the
Control Library.

Qualys Control
Library (CIDs) 2. Compliance scan collects
ACTUAL “data points” from
target hosts.

3. Qualys Policy specifies the

EXPECTED values for all
host “data points”
Scan Results Policy
(ACTUAL) (EXPECTED) 4. Policy Report compares
actual to expected values,
producing PASS/FAIL status

5. Interactive Reports are used

to request exceptions for
Policy Report Exceptions FAILED controls
(PASS/FAIL)

76 Qualys, Inc. Corporate Presentation

 Policy Creation Options

1 2 3 4

• Create New Policy from scratch

• Create New Policy using existing host
• Import Policy from Library*
• Import Policy from XML file
*Security Configuration Assessment (SCA) only uses “Import Policy from Library.”
77
 Required Policy Components

1. All policies must have one or more

technologies:
• Operating System
• Service/Application

2. Add SDCs and/or UDCs to a policy, from the

Control Library or other policies.
3. Add hosts to a policy to define its scope:
• Asset Groups
• Asset Tags

78
 Import Policy from Library

• Security Configuration Assessment (SCA) provides over 400 CIS Benchmark Policies.
79 Qualys, Inc. Corporate Presentation
 LAB Tutorial 9

Import Policy From Library

10 min. (page 22)

80 Qualys, Inc. Corporate Presentation

 Policy Scope

• While imported policies already include technologies and controls, you still need to
provide the Asset Groups or Asset Tags, to define the Policy Scope.

81 Qualys, Inc. Corporate Presentation

 Create Policy From Existing Host

82 Qualys, Inc. Corporate Presentation

 XML Export / Import
• Polices can be exported and then reimported to and from XML files (CSV
format is only supported for exports).

** The “Policy Compliance Strategies & Best Practices Self-Paced Training Course,” provides
extra details (including lab tutorials) for exporting and importing policies (qualys.com/learning).

83 Qualys, Inc. Corporate Presentation

 Create Empty Policy

§ Add technologies, assets, and controls.

84 Qualys, Inc. Corporate Presentation

 LAB Tutorial 10

Create Empty Policy

10 min. (page 24)

85 Qualys, Inc. Corporate Presentation

 Add vs. Copy Controls

§ Add controls directly from the Control Library.

§ Added controls will reflect the default values (found in the Control Library)
§ Controls added from the Control Library often require adjustments or tuning.

§ Copy controls from other policies.

§ Copied controls will reflect the expected values (from the origin policy).
§ Controls copied from existing policies are commonly tuned for specific
frameworks, regulations, mandates, standards, or benchmarks.

86 Qualys, Inc. Corporate Presentation

 Controls with Cardinality
Data Type: String List or Regex List

§ Compares a list of actual values collected from a host (X), to a list of expected values
within the control (Y).

CARDINALITY YOU ARE COMPLIANT WHEN

contains X contains all of Y

does not contain X does not contain any of Y

matches All strings in X match all strings in Y (any order)

is contained in All strings in X are contained in Y

intersect Any string in X matches any strings in Y

§ X (Actual) = List of values returned by a scan or agent.

§ Y (Expected) = List of values defined by a control.

87 Qualys, Inc. Corporate Presentation

 String List Cardinality Example

§ contains:
§ does not contain:

§ matches:

§ is contained in:

§ intersect:

88 Qualys, Inc. Corporate Presentation

 Test & Evaluate Controls

• From the Policy Editor,

adjust a control’s
cardinality, data type,
expected value, or IP
address and click the
“Evaluate” button.
• Best Practice: adjust or
tune the default values
of controls added from
the Control Library

89 Qualys, Inc. Corporate Presentation

 Compliance Reports

90 Qualys, Inc. Corporate Presentation

 Path To Compliance 1. Data points are defined
within each CID in the
Control Library.

Qualys Control
Library (CIDs) 2. Compliance scan collects
ACTUAL “data points” from
target hosts.

3. Qualys Policy specifies the

EXPECTED values for all
host “data points”
Scan Results Policy
(ACTUAL) (EXPECTED) 4. Policy Report compares
actual to expected values,
producing PASS/FAIL status

5. Interactive Reports are used

to request exceptions for
Policy Report Exceptions FAILED controls
(PASS/FAIL)

91 Qualys, Inc. Corporate Presentation

 Policy Compliance Reports

• Security Configuration Assessment (SCA) provides the “Authentication” and “Policy” reports.

92 Qualys, Inc. Corporate Presentation

 Policy Compliance Strategies & Best Practices
Training Course

§ For details on “Mandate Based” and “DISA STIG Based” reports, enroll in the “Policy
Compliance Strategies & Best Practices Self-Paced Training” course (qualys.com/learning).

93 Qualys, Inc. Corporate Presentation

 Authentication Report

94 Qualys, Inc. Corporate Presentation

 LAB Tutorial 11

Authentication Report

10 min. (page 34)

95 Qualys, Inc. Corporate Presentation

 Policy Report

96 Qualys, Inc. Corporate Presentation

 LAB Tutorial 12

Create Policy Report

10 min. (page 36)

97 Qualys, Inc. Corporate Presentation

 Policy Report Source

Once a specific policy has been selected, only host assets defined within the Policy
Scope will be included in a Policy Report. Additional filtering options include:
§ All Assets in policy - Include all assets defined within the policy scope.
§ Select Asset Groups in policy – Include assets from one or more specific Asset Groups.
§ Select IPs in policy – Include one or more IP addresses.
§ Single Instance – Include one or more technology instances
§ Select Asset Tags – Include assets labeled with one or more specific Asset Tags.

98 Qualys, Inc. Corporate Presentation

 Unexpected Value and Missing Value for Failed Controls

§ The options to
highlight unexpected
and/or missing
values can be very
useful when
analyzing controls
with long lists of
values.
§ Controls with
“cardinality” operators
deal with such lists.

99 Qualys, Inc. Corporate Presentation

Certified Reports
Leave policy locked to maintain certification.
 Scorecard Report

• To help manage and asses your overall compliance activity and

efforts, compare multiple policies in a Scorecard Report.
101 Qualys, Inc. Corporate Presentation
 Distribute Scheduled Reports

102 Qualys, Inc. Corporate Presentation

 Interactive Report: Requesting Exceptions

103 Qualys, Inc. Corporate Presentation

 Exception Example

§ Policy: Reduce overall attack surface by removing vulnerable

protocols from all host assets (e.g., Telnet, FTP, TFTP, etc...)
§ Exception: Some legacy network devices still rely on Telnet, FTP,
and TFTP for configuration and administrative purposes.
§ Compensation: IPSEC encryption will be implemented on network
segments that have vulnerable protocol traffic, until legacy network
devices are upgraded or replaced.
§ Approved: An exception is granted to legacy network devices for 90
days. At the end of this period, remaining devices will return to FAIL
status.

104 Qualys, Inc. Corporate Presentation

 Interactive Report

• Use Interactive Reports to

requesting and managing
exceptions.
• Control Pass/Fail Report - Allows
the control you want to report on
• Individual Host Compliance –
Allows the host you want to report
on

• Security Configuration Assessment

(SCA) does not provide Interactive
Reports for requesting exceptions.

105 Qualys, Inc. Corporate Presentation

 Report Target

• Individual Host Compliance Report targets a specific IP address.

• Control Pass/Fail Report targets a specific control (CID).

106 Qualys, Inc. Corporate Presentation

 Request Exceptions for Failed Controls

107 Qualys, Inc. Corporate Presentation

 Request Exception

§ Requests are typically

assigned to the “Auditor”
account, for approval.
§ Requests can also be
assigned to other user
accounts, to collect
additional details or
comments.
§ Comments are required.

108 Qualys, Inc. Corporate Presentation

 LAB Tutorial 13

Requesting Exceptions

10 min. (page 38)

109 Qualys, Inc. Corporate Presentation

 Working with Exceptions

110 Qualys, Inc. Corporate Presentation

 Auditor Role

• Although the “Manager” user role is capable of approving/rejecting

exceptions, the “Auditor” role was designed specifically for this task.

111 Qualys, Inc. Corporate Presentation

 LAB Tutorial 14

Working with Exception Requests

10 min. (page 42)

112 Qualys, Inc. Corporate Presentation

 Edit Exceptions

• Edit an exception
request to approve,
reject or reassign.
• Comments are
required.

• Auditors may want to

exercise the option to
“reopen” an approved
request, if the collected
evidence ever changes
and the outcome
remains: FAIL.

113 Qualys, Inc. Corporate Presentation

 Passing with Exceptions

Approved
Exception

Expired
Approval

Pending
Action

Note the “E” above the “passed” Posture

114 Qualys, Inc. Corporate Presentation

 Recommended Best Practices

§ Schedule compliance scans and reports to run on a regular basis.

§ Run additional scans after adding controls to the Control Library.
§ Initially, focus on Failed controls with CRITICAL and URGENT
severity.
§ Controls that are failing pervasively, are also good mitigation targets.
§ Use Qualys API to share compliance data with third party
applications or GRC solutions.

115 Qualys, Inc. Corporate Presentation

 Policy Compliance Recommended Training Sequence

Visit qualys.com/learning to enroll.

116 Qualys, Inc. Corporate Presentation

 Policy Compliance Certification Exam

Participants in today’s training course have the option to take the Policy
Compliance Certification Exam:
§ 30 multiple choice questions.
§ Answer 75% of the questions correctly to receive a passing score.
§ Candidates will receive 5 attempts to pass the exam.
§ You may use the presentation slides and lab tutorial supplement to help you answer the
exam questions.
§ You may also use the “Help” menu (in the Qualys UI) to answer exam questions.

117 Qualys, Inc. Corporate Presentation

 Thank You

[email protected]

118 Qualys, Inc. Corporate Presentation