
Manage continuous monitoring between Configuration Compliance and Policy and Compliance Management


Continuous monitoring is a feature integration between the GRC: Policy and Compliance Management product and the Security Operations Configuration Compliance product. This feature integrates the scan results from third-party applications, like Qualys, to determine the compliance status for each associated control.

Continuous monitoring is a proactive security management approach. Customers monitor and validate compliance and manage risks against authority documents.

Continuous monitoring workflow

  1. The system admin activates the Configuration Compliance and Policy and Compliance Management plugins.
  2. The compliance manager maps policy statements or controls to configuration tests, which generate controls, profiles, and indicators related to those configuration tests.
  3. The integration ingests the third-party configuration test scan results at defined intervals.
  4. If the scan results of the configuration tests indicate a failure, then the control is non-compliant and an issue is automatically generated.
  5. If the next scan results of the configuration tests indicate that the failure has been remediated, then the control is compliant and the issue is automatically closed.

Map policy statements or controls to configuration tests

The compliance manager maps policy statements or controls to the configuration tests, which generate the controls, profiles, and indicators associated with configuration compliance.

Before you begin

Role required: compliance manager

The Configuration Compliance plugin must be activated to access this feature, and the sn_compliance.auto_create_profile_and_control property must be set to true.

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
  2. Open the policy record, click the Policy Statement related list, and click Edit.
    Note: The Password Policy is used in this example.
  3. Select each policy statement to associate to the policy.
    [Figure: list of related policy statements on the Password Policy]
  4. Open a policy statement, and click the Citations related list to view the authority document citation that is associated to this policy statement.
    Note: The Configure the maximum password age. policy statement is used in this example.
    [Figure: list of related citations on the policy statement, Configure the minimum password age.]
  5. Click the Configuration Tests related list and select one of the following add options:
    • Click Add
    • Click Add from Policies
    • Click Add from Authoritative Sources
    [Figure: list of three associated configuration tests]
    Note: The Source field for each configuration test identifies the third-party provider of the information.
  6. After selection, click Add.
    [Figure: information message at the top of the form saying "The compliance items are being updates, this may take up to a few minutes."]
    All the configuration items (controls, profiles, and indicators) are mapped and displayed on the Configuration Tests related list. This may take a few minutes as the results are generated.

Interpret configuration compliance scan results

If the configuration test scan results of the control indicate any failures, the control is marked non-compliant. If the scan results indicate the control passed all the configuration tests, then the control is marked compliant.

Before you begin

Role required: compliance manager

The Configuration Compliance plugin must be activated to access this feature, and the sn_compliance.auto_create_profile_and_control property must be set to true.

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policy Statements.
    Note: The Configure the maximum password age. policy statement is used in this example.
  2. Open the policy statement record and click the Controls related list.
    [Figure: 11 controls, all non-compliant, with associated profiles]
    Eleven controls were generated from the configuration compliance test scan. Each control has an associated Profile, and because all the controls show a Status of Non Compliant, an equal number of issues have been automatically generated.
  3. Open a control record, and click the Indicator related list.
    [Figure: a control record and the Indicators related list]
  4. Open the indicator record to see the indicator results.
    [Figure: the indicator result of the configuration test regarding the Configuration of the minimum password age. The Passed column says "false", indicating a failure.]

  5. The configuration test scan results are updated at regular intervals. If the scan results indicate that the failure has been remediated, then the control is marked compliant and the issue is automatically closed.
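
The status logic described in the continuous monitoring workflow and in the scan-result procedure above, as an added example that is not ServiceNow code: a plain JavaScript model run over constructed scan results. The control names, test names, and the `evaluateScan` function are hypothetical, and keeping an existing issue open when a failure repeats is an assumption of this model.

```javascript
// Added illustration in plain JavaScript; it calls no ServiceNow API.
// Control names, test names and scan data below are constructed samples.
const scan1 = [
  { control: 'CTRL-1', test: 'Maximum password age', passed: false },
  { control: 'CTRL-1', test: 'Minimum password length', passed: true },
  { control: 'CTRL-2', test: 'Maximum password age', passed: true },
];
const scan2 = [
  { control: 'CTRL-1', test: 'Maximum password age', passed: true },
  { control: 'CTRL-1', test: 'Minimum password length', passed: true },
  { control: 'CTRL-2', test: 'Maximum password age', passed: false },
];

// Apply one ingested scan to the tracked state (a Map keyed by control) and
// return the issue events it causes.
function evaluateScan(state, results) {
  const failedByControl = new Map();
  for (const r of results) {
    if (!failedByControl.has(r.control)) failedByControl.set(r.control, []);
    if (!r.passed) failedByControl.get(r.control).push(r.test);
  }
  const events = [];
  for (const [control, failed] of failedByControl) {
    // Any failed configuration test makes the control non-compliant.
    const status = failed.length === 0 ? 'Compliant' : 'Non Compliant';
    let issueOpen = state.has(control) && state.get(control).issueOpen;
    if (status === 'Non Compliant' && !issueOpen) {
      issueOpen = true; // failure: an issue is generated
      events.push({ control, action: 'issue opened', failed });
    } else if (status === 'Compliant' && issueOpen) {
      issueOpen = false; // remediated: the issue is closed
      events.push({ control, action: 'issue closed', failed });
    }
    // Assumption: a repeated failure keeps the existing issue open.
    state.set(control, { status, issueOpen });
  }
  return events;
}

const state = new Map();
for (const [name, scan] of [['scan 1', scan1], ['scan 2', scan2]]) {
  console.log(name, evaluateScan(state, scan), [...state]);
}
```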