Tool Mentor: SCM - Implement Compliance Controls
TM009 - How to Implement Compliance Controls Using Security Compliance Manager
Tool: IBM Tivoli Security Compliance Manager
Relationships
Main Description

Context

Tool mentors explain how a tool can perform tasks, which are part of ITUP processes and activities. The tasks are listed as Related Elements in the Relationships section.

You can see the details of how processes and activities are supported by this tool mentor, by clicking the links next to the icons:

Details

IBM® Tivoli® Security Compliance Manager is designed to help organizations develop and deploy IT corporate security controls. Through an extensible data collection mechanism, powerful policy definitions, and extensive client management functionality, Security Compliance Manager provides organizations with the ability to easily develop and deploy corporate security controls across a multitude of IT assets.

Tivoli Security Compliance Manager Policy objects provide the powerful basis for development and deployment of IT security controls. They define the specific corporate compliance controls by associating collectors that gather the compliance information, the schedules that these collectors run on, and the queries that determine whether a system is compliant. SCM policies are stored centrally on the SCM server and can be easily associated with groups of clients for security compliance data gathering and enforcement.

The Tivoli Security Compliance Manager server-client architecture also enhances its ability to deploy corporate security controls across various systems. In particular, the ability to logically group clients makes it extremely easy to manage and maintain security policies. This feature allows users to partition corporate assets so that different security policies can be applied to them. It provides a flexible, powerful and simple method for managing and maintaining security controls that apply to various sets of corporate assets.

The Tivoli Security Compliance Manager collector is another key component that helps organizations develop and deploy security controls within their IT environment. Collectors are self-contained, easy to develop, 100% Java™ components that gather a specific set of data on a client. They provide the extensive set of security data that is required for defining and implementing corporate security controls. Like Tivoli Security Compliance Manager policies, they can be easily updated, maintained and deployed to Tivoli Security Compliance Manager clients because they are stored centrally on the Tivoli Security Compliance Manager server. Working in conjunction with policies and compliance objects, collectors provide the ability for users to quickly develop and deploy complex compliance controls to the corporate environment.

An example of how to use Tivoli Security Compliance Manager to implement compliance controls is outlined here. Instructions on how to interact with and use Tivoli Security Compliance Manager objects to achieve this use can be found in the Tivoli Security Compliance Manager Administration Guide

  • Register corporate clients and create the appropriate client groups. Some common methods for logically associating clients are by operating system, by owning department, by region, or asset classification (whether it is a critical system, whether it is a public system, etc.)
  • Define corporate security policies with Tivoli Security Compliance Manager that provide and guarantee the required standard of security on these assets. For example, a Windows XP® policy that requires systems running Windows XP OS to have service pack 1 installed; certain OS level hot fixes installed; an antivirus application installed, running and scanning on a weekly schedule; and a running software firewall with the appropriate network rule set.
  • Add these to the appropriate Tivoli Security Compliance Manager client group where they can be set up to gather security compliance information on a regular basis.
  • Update and deploy Tivoli Security Compliance Manager policies, collectors, and compliance objects as new vulnerabilities and additional security checks are required on the corporate assets. IBM Global Services provides a newly announced vulnerability index where daily vulnerability updates can be added to a corporate Tivoli Security Compliance Manager security and compliance deployment.

Develop additional collectors and deploy them into an IT environment using temporary policies and client groups to collect sample data that is not necessarily directly related to corporate security policies. For example, develop a collector to count system access attempts and deploy it for a finite amount of time on critical servers to see when they might be vulnerable to increase network load or even potentially detect irregular access patterns. If appropriate, add these collectors to the base corporate security policy.

For More Information

For more information about this tool, click on the link for this tool at the top of this page.