Context
Tool mentors explain how a tool can perform tasks, which are part of ITUP processes and activities. The tasks are listed as Related Elements in the Relationships section.
Details
IBM® Tivoli® Security Compliance Manager provides organizations with the ability to audit compliance of the IT systems
after development and deployment of IT security controls. Refer to tool mentor "How to implement compliance controls
using Security Compliance Manager" for information on developing and deploying security controls with Tivoli Security
Compliance Manager. As soon as corporate security controls are deployed using Tivoli Security Compliance Manager, it is
extremely easy to audit these systems for compliance through the use of snapshots and reports.
Tivoli Security Compliance Manager Snapshots are the basic reporting components of Tivoli Security Compliance Manager.
Each snapshot represents and contains the current compliance state of IT systems with respect to all of the compliance
queries in the referenced policy. From snapshots, users can also generate both non-graphical reports from the Tivoli
Security Compliance Manager administration console and graphical reports using integration with Crystal Enterprise
Server 9 (CES9). User-defined reports can also be generated using the administration console through the use of SQL to define
report queries. These reports can be scheduled to run and sent to user-configured e-mail addresses periodically to
allow for more automation of reports. Furthermore, users can also create additional report templates in CES9 for
additional graphical reports as needed.
An example of how to use Tivoli Security Compliance Manager to audit compliance is outlined below. Users should find it
very easy to perform this task as soon as security controls are developed and deployed to the IT systems using Tivoli
Security Compliance Manager. For more detail on snapshots, compliance queries and reports, refer to the Tivoli
Security Compliance Manager Administration Guide located on the IBM Web site in the Tivoli Information Center at
http://publib.boulder.ibm.com/infocenter/tivihelp/index.jsp.
- Develop and deploy corporate security controls using Tivoli Security Compliance Manager policies, collectors,
  groups, and compliance queries.
- Regularly create snapshots against the defined corporate security policies to view the compliance state of the
  various IT systems. If appropriate, create an administrative role for auditors who can only view snapshots and
  reports.
- Export the snapshots or reports to HTML files as audit data using the administration console or export graphical
  reports from CES9 as audit data.
Additionally, if snapshots are not specific enough for reporting purposes (note that snapshots check against all
compliance queries within a policy), develop custom report queries and configure them to collect and send the compliance
results to the appropriate administration. An example of when a snapshot might contain too much information would be
when the defined security policy contains compliance items that are recommended but not critical. In such a case, a
specific report with the business critical requirements should be generated to provide more focused compliance audit
and reporting. It might also be useful to develop additional graphical report templates in CES9 as specific needs
arise.