
Qualys Policy Compliance Notification: Policy Library Update

Policy Library

Qualys’ library of built-in policies makes it easy to comply with the most commonly used security standards and regulations. Qualys provides a wide range of policies, including many that have been certified by CIS as well as policies based on security guidelines from vendors such as Microsoft and VMware.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

This release includes the following new policies and updates:

  • New CIS policies for Internet Explorer and Chrome on Windows, Apache Tomcat, RHEL, Windows 10, Sybase ASE, and MongoDB
  • New DISA STIG policies for Internet Explorer 10 and 11
  • New Best Practice & Mandate Policies for SAP ASE 16 and HITRUST CSF on Linux
  • Several updates to existing library policies

New CIS Benchmarks

CIS Benchmarks are developed through consensus, providing an industry recognized collection of best practice controls. Qualys is committed to broad coverage of the CIS Benchmarks and regularly releases certified policies as well as contributing to the development of new benchmarks through the CIS Community.

Qualys’ Certification Page at CIS has been updated.

Recent additions to the policy library include the following certified CIS Benchmarks:

  • CIS Benchmark for Apache Tomcat 8.x, v1.0.1
  • CIS Benchmark for Google Chrome, v1.2.0
  • CIS Benchmark for Microsoft Internet Explorer 10, v1.1.0
  • CIS Benchmark for Microsoft Internet Explorer 11, v1.0.0
  • CIS Benchmark for Microsoft Windows 10 Enterprise (Release 1703), v1.3.0
  • CIS Benchmark for MongoDB 3.4, v1.0.0
  • CIS Benchmark for Red Hat Enterprise Linux 5, v2.2.0
  • CIS Benchmark for Sybase ASE 15.0, v1.1.0

Also note that several policies in this release show up under the New label in the policy import tool. This is because existing CIS Benchmarks have been published as new variants with their Level 1 and Level 2 controls broken out into separate policies.

New DISA STIG Guidelines:

  • DISA STIG Policy for Internet Explorer 10, V1R15
  • DISA STIG Policy for Internet Explorer 11, V1R12

New Best Practices, Mandate-Based, and Vendor Recommended Policies

  • HITRUST Cyber Security Framework for Linux, version 8.1
  • Security Configuration and Compliance Policy for SAP ASE 16.0

Updated Library Policies

  • Update existing content to the latest CIS Benchmark version
    • CIS Benchmark for Microsoft SQL Server 2008 R2, v1.5.0
  • Control configuration updates so that built-in users and roles are excluded from evaluation in some controls
    • CIS Benchmark for Oracle Database 11gR2 for Unix and Linux, v2.0.0
    • CIS Benchmark for Oracle Database 11gR2 for Microsoft Windows, v2.0.0
    • CIS Benchmark for Oracle Database Server 11-11g R2, v1.0.0
    • CIS Oracle Database 12c Benchmark for Unix and Linux, v1.2.0
    • CIS Oracle Database 12c Benchmark for Microsoft Windows, v1.2.0
  • Fixes to existing controls
    • PCI-DSS (Payment Card Industry Data Security Standard) v3.0
    • Health Insurance Portability and Accountability (HIPAA) – Security Rule Standards and Implementation Specifications
    • CIS Benchmark for HP-UX 11i, v1.5.0
    • Abu Dhabi Systems and Information Centre – Information Security Standards (Abu Dhabi Government) Version 2.0
    • CIS Benchmark for IBM AIX 6.1, v1.1.0
    • CIS Benchmark for IBM AIX 7.1, v1.1.0

Coming Next Month

The following policies and updates are currently planned for release to the policy library next month:

New Policies:

  • CIS Benchmark for Microsoft Windows 10 Enterprise Release 1607
  • CIS Benchmark for Palo Alto Firewall, v1.0.0
  • HITRUST Cyber Security Framework for Network Devices, version 8.1
  • HITRUST Cyber Security Framework for VMware, version 8.1
  • Security Configuration and Compliance Policy for Adobe Common Controls Framework

Updates:

  • CIS Benchmark for Oracle Database Server 11g R2 v2.2.0
  • CIS Benchmark for Oracle 12c Database Server v2.0.0
  • DISA STIG Policy for RHEL 6 V1R15
  • DISA STIG Policy for RHEL 7 V1R1

If you have any questions, please contact your TAM or Technical Support. See all library updates.
