Creating A New Policy

 

You can create a new policy that defines policy checks for one or more products. To create a new policy, in the Policy & Compliance list, click New Custom Policy. The Create A New Policy dialog box is displayed.

[Figure: the Create A New Policy dialog box (CreateNewPolicyGroup.gif)]

The dialog contains the following options:

 

Name

Type a descriptive name for the new policy.

 

Comment

Type a comment that describes the purpose of the policy.

 

Patch Groups

Enables you to select the group of patches you want the program to use when evaluating the Patch Management: Percent Patches Deployed policy check. This check is available within the following policy frameworks:

  • Category: Best Practices: Malicious Code Protection

  • NIST 800-53: CM-1 Configuration Management Policy and Procedures, CM-3 Configuration Change Control, SI-2 Flaw Remediation, and SI-3 Malicious Code Protection

  • PCI DSS 1.1, 1.2, and 2.0: 2.2.3 Configure system security parameters to prevent misuse, and 6.3.1 Testing of all security patches and system and software configuration changes before deployment.

If the Patch Management: Percent Patches Deployed policy check is not used in the new policy, the Patch Groups option is simply ignored.

The selectable patch groups are defined within VMware vCenter Protect, a patch management product. If the VMware vCenter Protect database is unavailable, no patch groups will be selectable. See Configuring Access to the Protect database for information on defining the path to the VMware vCenter Protect database.

The default value is (all). This means that all patches are used when determining a value for the Patch Management: Percent Patches Deployed policy check (as opposed to requiring just the patches specified within a patch group).

Compliance information pertaining to the specified patch group is displayed in the scan results.

 

Signature Groups

Note: This option does not apply if you are using VMware vCenter Protect 7.0 or later.

Enables you to select the group of signatures you want the program to use when evaluating the Spyware Management: Percent Signatures Remediated policy check. This check is available within the following policy frameworks:

  • Category: Best Practices: Malicious Code Protection

  • NIST 800-53: SI-3 Malicious Code Protection

  • PCI DSS 1.1, 1.2, and 2.0: 2.2.3 Configure system security parameters to prevent misuse

If the Spyware Management: Percent Signatures Remediated policy check is not used in the new policy, the Signature Groups option is simply ignored.

The selectable signature groups are defined within VMware vCenter Protect, a spyware management product. If the VMware vCenter Protect database is unavailable, no signature groups will be selectable. See Configuring Access to the Protect database for information on defining the path to the VMware vCenter Protect database.

The default value is (all). This means that all signatures are used when determining a value for the Spyware Management: Percent Signatures Remediated policy check (as opposed to requiring just the signatures specified within a signature group).

Compliance information pertaining to the specified signature group is displayed in the scan results.
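The Patch Groups and Signature Groups options both scope a percentage check to a named group, with (all) as the default, and a group that cannot be resolved must not quietly score as compliant. The following Python is an added illustration of that scoping logic; it is not code from VMware vCenter Protect or this product, and the group names, patch identifiers, installed set and the pass threshold are constructed assumptions.

```python
from typing import Dict, Set

ALL = "(all)"  # default selection: every known patch (or signature) is required

# Constructed sample catalogue standing in for the Protect database: the full set of
# known patches and the named patch groups defined there (identifiers are made up).
KNOWN_PATCHES: Set[str] = {"KB-1001", "KB-1002", "KB-1003", "KB-1004", "KB-1005"}
PATCH_GROUPS: Dict[str, Set[str]] = {
    "Critical": {"KB-1001", "KB-1002", "KB-1003"},
    "Browser": {"KB-1003", "KB-1004"},
}


def required_items(selection: str, groups: Dict[str, Set[str]], known: Set[str]) -> Set[str]:
    """Items the check must account for, given the group selected in the policy."""
    if selection == ALL:
        return set(known)
    if selection not in groups:
        # The group is not defined (e.g. the database was unavailable when the policy
        # was built): fail loudly rather than silently scoring the machine as compliant.
        raise LookupError(f"group {selection!r} is not defined")
    return set(groups[selection])


def percent_remediated(installed: Set[str], selection: str,
                       groups: Dict[str, Set[str]], known: Set[str]) -> float:
    """Score for Percent Patches Deployed / Percent Signatures Remediated.
    An empty group has nothing outstanding, so it scores 100."""
    required = required_items(selection, groups, known)
    if not required:
        return 100.0
    return round(100.0 * len(required & installed) / len(required), 1)


def evaluate_check(installed: Set[str], selection: str, threshold: float,
                   groups: Dict[str, Set[str]], known: Set[str]) -> dict:
    """Scan-result style record: score, pass/fail against an assumed threshold,
    and the items still missing for the selected group."""
    required = required_items(selection, groups, known)
    pct = percent_remediated(installed, selection, groups, known)
    return {"group": selection, "percent": pct, "compliant": pct >= threshold,
            "missing": sorted(required - installed)}


if __name__ == "__main__":
    machine = {"KB-1001", "KB-1002", "KB-1004"}  # constructed: patches installed on one host
    for group in (ALL, "Critical", "Browser"):
        print(evaluate_check(machine, group, 100.0, PATCH_GROUPS, KNOWN_PATCHES))
```

The same functions serve the Signature Groups option by passing a signature catalogue and signature groups instead of the patch ones.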

 

Manually select checks

To create a new policy by manually picking and choosing the desired policy checks, select this option. The new policy will not contain any pre-defined policy checks.

 

Create from selected OS

To create a new policy that defines policy checks for a particular operating system, select this option.

 

Note: Although the policy will initially contain only policy checks for the specified operating system, you will be able to add policy checks for other operating systems if you wish.

  • Specific Service Pack: If you want to create a policy for a specific operating system service pack, enable this check box before selecting the desired operating system.

  • Operating System: Select the desired operating system. The new policy will be initially populated with all the available policy checks for the operating system you select.

  • Regulatory framework: If you want to create a policy that complies with a particular regulatory framework, select the desired framework. The new policy will be initially populated with all the available policy checks for the framework you select. The available frameworks are:

      • Categories: Contains all available policy checks. Each policy check maps to exactly one control. This is the same as the default Recommended Baseline policy.

      • NIST 800-53: Used for assisting with Federal Information Security Management Act (FISMA) compliance. Contains all available policy checks. Each policy check maps to one or more controls within the Federal Information Security Management Act (FISMA).

      • PCI DSS 1.1: Used for assisting with Payment Card Industry Data Security Standard (PCI DSS) compliance. Contains all policy checks. Each policy check maps to one or more controls within version 1.1 of the Payment Card Industry Data Security Standard (PCI DSS).

      • PCI DSS 1.2: Used for assisting with Payment Card Industry Data Security Standard (PCI DSS) compliance. Contains all policy checks. Each policy check maps to one or more controls within version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS).

      • PCI DSS 2.0: Used for assisting with Payment Card Industry Data Security Standard (PCI DSS) compliance. Contains all policy checks. Each policy check maps to one or more controls within version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS).

 

From an existing machine

To create a new policy using an existing machine group, select this option and then select a machine group whose current policies closely resemble the policies you want to define in this new policy group. The new policy will be populated with the policy checks currently defined on the machine in that group; you can then simply refine the policy to suit your needs rather than manually configuring each check one at a time.

 

This mechanism is very powerful for creating a policy from a machine with a known security policy. The created policy can then be used to very quickly assess compliance for a wide range of similarly functioning machines in the network.

 

Restriction: Only machine groups containing one machine are eligible for use with this method.

To save the policy, click Save. The new policy is then displayed; for example, a new custom policy that is defined manually looks similar to the following figure:

[Figure: a blank custom policy (CustomPolicyBlank.png)]

For information on configuring the new policy, see Configuring A Policy.