Policy Compliance


Account & Application Setup (LAB 1)

Policy Overview and Control Library
User Defined Controls (LAB 2)
Compliance Scanning (LAB 3)
Policies (LAB 4)
Compliance Reports (LAB 5)
Security Assessment Questionnaire (LAB 6)
Policy Compliance Overview

Compliance Coverage

Policy Compliance
Define, Audit and Document IT Security Compliance

• Automate the assessment of thousands of technical controls

• Controls are defined in the Qualys Control Library.

Qualys Policy Compliance

• Provides proof of compliance across multiple compliance frameworks and initiatives.

• Documents evidence where the organization has discovered and fixed lapses.

• Helps to configure and secure host systems, to guard against internal and external threats.

Compliance Hierarchy - a “Top – Down” Approach
Simple Compliance Framework

Framework Level: Regulations (SOX, CobiT, PCI)

Policies & Business Requirements (Example: “Vulnerable Processes must be eliminated..”)

Standards, Procedures and Guidelines

Detailed Technical Controls (Technology and Guidelines Detail)
  Technology: AIX 5.x
  CID 1130: Telnet streams are transmitted in clear text, including usernames and passwords. The entire session is susceptible to interception by Threat Agents.
  The telnet daemon shall be

SCAP Support
• Import policies from the Qualys SCAP policy
• Upload your own custom SCAP policies.
• Perform SCAP scans to check compliance against SCAP 1.0, 1.1, and 1.2.

Application and Account Setup

Path To Compliance

(Diagram: Qualys Control Library (CIDs) feeds both Scan Results (ACTUAL) and Policy (EXPECTED); these are compared in the Policy Report, from which Exceptions are requested.)

1. Data points are defined within each CID in the Control Library.
2. Compliance scan collects ACTUAL “data points” from target hosts.
3. Qualys Policy specifies the EXPECTED values for all host “data points”.
4. Policy Report compares actual to expected values, producing PASS/FAIL status.
5. Interactive Reports are used to request exceptions for FAILED

Policy Compliance Setup

1. Create Users

2. Add Hosts to Subscription

3. Build Asset Groups

4. Scan Hosts

5. Create Qualys Policy

6. Generate Policy Report

7. Request Exceptions
Add Hosts to Policy Compliance

Basic User Roles

Least privileged  -->  Most privileged

Reader        Readers can run reports.
Scanner       Scanners can launch maps and scans, and run reports.
Unit Manager  Management of assigned business unit.
Manager       Management authority for the subscription.

Search the online help for “User Roles Comparison” for a complete list.

Auditor User Role

• Responsible for handling exceptions

• Create policies, controls and reports

• Cannot run Compliance scans or join Business Unit.

Default Access

• Only Managers and Auditors have “default” access to Policy Compliance.

• Unit Managers, Scanners, and Readers must be granted “extended” permissions to access Policy Compliance.

Managing Assets
• Asset Groups and Asset Tags can define the “Scope” of a Policy

(Diagram: Matching Tags created for each Group)

Asset Group Setup

• Logical grouping based on importance, location, and ownership

Asset Groups for Scanning

Asset Groups for defining a Policy*

* Recommended to create specific asset groups for your Compliance hosts

Lab 1

Account and Application Setup

Control Library & User Defined Controls (UDC)

Control Library

User Defined Controls
(Windows Controls / Unix Controls)

User Defined Controls

Why have them?
• Custom applications that require compliance audits.
• Systems use filenames / locations other than default settings.
• Determine if specific service packs are installed.

What happens if I write a duplicate UDC?
• The system will present an error.

How do we write them?
• Requires an understanding of the requirements and a technical understanding of the system.
• Usually the auditor and the SysAdmin must be involved.

Lab 2

User Defined Controls

Compliance Scanning

Qualys Cloud Platform

(Diagram: Qualys Cloud Platform connected to Remote Users, LAN 1, and IaaS Providers: EC2/VPC, Azure, Google)

Qualys Cloud Platform

Cloud Agent Benefits

1. Qualys agent installs as a local system service.

2. Agent serves as a “data collector” – All vulnerability testing is performed in the Qualys cloud.
3. Changes (deltas) are detected and sent to the Qualys platform.
4. Remote registry access is NOT required.
5. Authentication record is NOT required.
6. Firewall configuration changes are NOT required.
7. Cloud Agent is NOT a replacement for a PCI scan.

Scan Configuration
(On-Demand or Scheduled)

Compliance Profile (Scan Preferences) + Assets (Asset Groups, IP addresses)

26 Qualys, Inc. Corporate Presentation

Compliance Scanning Options

Compliance Scan Workflow

Host Discovery: Validates that the hosts are “ALIVE”.

Authentication: Host authentication provides for accurate OS detection. If authentication fails, the scan processing stops.

Compliance: The service scan to gather data points to use during compliance assessment.

Scan Results – Authentication Issues

Unix Root Delegation
• Sudo
• PowerBroker
• Pimsu

Authentication Vaults
• In large organizations where thousands of machines are scanned regularly, managing passwords is a challenge.
• Some organizations are reluctant to let their credentials leave the

Vault Integration: How it works
1. User launches a trusted scan from the Qualys SOC.
2. The Scanner Appliance (SA) gets the credentials from the
3. The SA scans the target using the credentials (Windows and Unix).
4. Scan results are exported to the Qualys

Authentication Best Practices

Compliance Set-up: Configure your Compliance profile. Be sure you have Authentication Record(s) setup.

Scan Hosts: Scan your hosts and verify the scan finished processing.

Verify Authentication: Run an Authentication Report to view Scan Results.

Lab 3

Compliance Scanning

Policy Creation Options

• Create New Policy from scratch
• Create New Policy using existing host
• Import Policy from Policy Library
• Import Policy from XML file

Create Empty Policy

1. Select a technology for your policy
   • Operating System
   • Web Server
2. Add controls to policy
3. Assign host assets to the policy (Add Hosts)

Create Policy From Existing Host


Import Policy from Library

XML Export / Import
• Download a Policy (share that policy)
• Import another policy from a file or from library

For exceptionally large Policies (e.g. those created with Golden Image), you can Export (download) and
edit in bulk, and then Import (upload) the edited Policy.
Cardinality of Controls
• Compares the “data point” collected during a scan, to the control’s expected value.

Operator          Definition
contains          X contains all of Y
does not contain  X does not contain any of Y
matches           All strings in X match all strings in Y (listed in any order)
intersects        Any string in X matches any strings in Y
is contained in   All strings in X are contained in Y
Cardinality of Controls : contains

• X contains all of Y
Cardinality of Controls : intersects

• Any string in X matches any string in Y

Cardinality of Controls : does not contain

• X does not contain any of Y

Cardinality of Controls : matches

• All strings in X match all strings in Y (any order)

Cardinality of Controls : is contained in

• All strings in X are contained in Y
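The following is an added example, not Qualys code: it models the five cardinality operators above and the ACTUAL-versus-EXPECTED comparison from the Path To Compliance steps, producing a PASS/FAIL status per control. It assumes X is the data point collected from the host and Y the control's expected value; the Control class, the UDC ids and the scan data are constructed for illustration.

```python
# Added example (not Qualys code): models the cardinality operators and the
# ACTUAL (X) vs EXPECTED (Y) comparison that yields PASS/FAIL. Data is constructed.
from dataclasses import dataclass

# Each operator as defined on the cardinality slide, evaluated over sets of strings.
OPERATORS = {
    "contains":         lambda x, y: set(y) <= set(x),        # X contains all of Y
    "does not contain": lambda x, y: not (set(x) & set(y)),  # X has none of Y
    "matches":          lambda x, y: set(x) == set(y),       # same strings, any order
    "intersects":       lambda x, y: bool(set(x) & set(y)),  # any string in common
    "is contained in":  lambda x, y: set(x) <= set(y),       # all of X appear in Y
}

@dataclass
class Control:
    cid: str            # placeholder id, not a real Qualys CID
    operator: str
    expected: list      # Y: the policy's expected value

def evaluate(control, actual):
    """PASS/FAIL for one control against the data point (X) the scan collected."""
    if control.operator not in OPERATORS:
        raise ValueError(f"unknown operator: {control.operator}")
    return "PASS" if OPERATORS[control.operator](actual, control.expected) else "FAIL"

def policy_report(controls, scan_results, exceptions=()):
    """Compare EXPECTED to ACTUAL for every control on one host.

    A FAILED control whose CID has an accepted exception is reported as
    'PASS (E)', mirroring the 'E' shown next to a passed posture.
    """
    report = {}
    for ctl in controls:
        actual = scan_results.get(ctl.cid, [])   # no data point collected -> empty
        status = evaluate(ctl, actual)
        if status == "FAIL" and ctl.cid in exceptions:
            status = "PASS (E)"
        report[ctl.cid] = status
    return report

# Constructed sample: the scan found telnet and ssh listening on the host.
SAMPLE_CONTROLS = [
    Control("UDC-1", "does not contain", ["telnet"]),  # clear-text service must be absent
    Control("UDC-2", "contains", ["ssh"]),
    Control("UDC-3", "matches", ["ssh", "ntp"]),
]
SAMPLE_SCAN = {"UDC-1": ["telnet", "ssh"], "UDC-2": ["ssh", "ntp"], "UDC-3": ["ntp", "ssh"]}
if __name__ == "__main__":
    print(policy_report(SAMPLE_CONTROLS, SAMPLE_SCAN, exceptions={"UDC-1"}))
```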

Testing Regular Expressions
Lab 4

Controls and Policies

Policy Compliance Reports
Authentication Report
Policy Report

• Policy Report includes compliance status with a specific policy

• The report lists the hosts assigned to the policy with the controls tested

• Results are shown as a passed/failed
Certified Reports
Scheduled Reports Setup
Requesting Exceptions

1. Request exceptions.
2. Review exceptions.
3. Accept/Reject exceptions.
4. View exception history.

Exceptions can only be requested via Interactive Reports

Interactive Reports

• Individual Host Compliance Report identifies the compliance status for a particular host.
• Control Pass/Fail Report identifies the compliance status for a particular control.
Exception Report Options

Check the Status options for: Passed, Failed, and Error.

Exception Request

Exceptions Tab

• Exceptions are created through the interactive report.

• An Auditor will click on “Edit” to open the ticket.
Exceptions End Date

• Set a time limit on an exception.

• Regardless of action, comments are required.
Passing with Exceptions

Note the “E” above the “passed” Posture

Example of Exceptions

• Requirement: FTP, or any form thereof, should not be enabled on any external facing device.
  Reality: The support team must have FTP enabled to allow customers to send files larger than 5Mb when their email will not allow such attachments.

• Requirement: All workstations must have the latest service pack.
  Reality: You are in the midst of an upgrade and it will take 30 days to have all systems tested and updated.

Exceptions – The Reality

• Exceptions address sensitive business issues:
  • Changing the corporate stance on password length.
  • Allowing FTP on certain machines but not others.

• Changes to policies and controls should go through the normal chain of command:
  • Business owners and auditors should approve any adjustments or modifications to policies and controls.

• Do not make adjustments within the Policy Compliance module without appropriate approval and documentation.

Compliance Best Practices

• At first, focus on controls with CRITICAL and URGENT severity.

• Use the Qualys API to share compliance data with third party applications or GRC solutions.

• AUTOMATE: schedule compliance scans and reports to run on a regular basis, automatically.

Compliance Best Practices

• How many audits do we need a year?

Continual auditing will allow you to take very consistent, repeatable measurements of your environment.

• What is the fastest way to get to compliance?

Use Qualys to schedule compliance scans and reports on a regular basis.

Lab 5

Compliance Report

Security Assessment Questionnaire

Security Assessment Questionnaire
Cloud-Based Questionnaires

• Visually design questionnaires
• Assign assessment leveraging embedded
• Intuitive Responding
• Track using an operational dashboard
• Review answers and evidence

Use Case: Vendor Risk Assessment
Assess cyber security controls of vendors &
• Gather Evidence
• Review answers
• Take corrective actions

• How: Classification Questionnaire, Risk Assessment questionnaires
• Who: Vendor Contact, Vendor Manager, Risk
• What: Critical Assets, Processes, Business Unit, Applications Vendors

• Centrally manage Vendor Risk Assessment, through an online portal

Use Case: Internal Audit/Risk Assessment
Assess compliance of in-scope assets or entities
• Verify relevant controls are in place
• Gather Evidence
• Review answers

• How: Self Assessment questionnaires
• Who: Asset Owner, Compliance/Risk
• What: In Scope Assets, Processes, Business Unit, Applications Vendors

• Centrally manage compliance effort and compliance artifacts

SAQ Users

Contains the users who will be participating in the campaign

SAQ Template

• Defines the questions you want to ask and the structure of your
• A question may include requirements for evidence, comments and
• Create a Template:
  • Build from scratch—Blank Template
  • Import from Qualys Template Library
  • Import from XML file

SAQ Campaign
• Contains a Questionnaire and identifies Campaign participants:
  • Recipient – Responsible for answering questions.
  • Reviewer – Reviews answers submitted by recipient.
  • Approver – Provides final approval of specific questions.

Campaign Workflow

• Simple – 2 Stage
• Reviewable – 3 Stage
• Full – 4 Stage
1. Recipient receives invitation to complete questionnaire.
2. Recipients submit answers.
3. Answers are reviewed.
4. Answers are reviewed and approved.

Lab 6

Security Assessment Questionnaire

Exam Tips and CPE

• You have five attempts to pass

• The test is linear, no going back to an older question
• Passing score: 75% and above
• No negative marking
• Test can be taken anytime
• 30 questions (Multiple choice included)
• You may use presentation slides, lab exercises, Qualys Community,
and you may have an active Qualys session open while attempting
the exam.
• No set time limit (please start a new LMS session before launching the exam).
• A CPE credit is earned for each hour of attendance.

Thank You


