Customize the regulatory compliance report

AFA provides regulatory compliance reports for a variety of regulatory compliance standards. These reports can be accessed from the Regulatory Compliance report page of each AFA report.

Remove and add compliance reports

Do the following:

  1. In the toolbar, click your username.

    A drop-down menu appears.

  2. Select Administration.

    The Administration page appears, displaying the Options tab.

  3. Click the Compliance tab.

    The Compliance page appears, displaying the Risk Profiles sub-tab.

  4. Click the Compliance Options sub-tab.

  5. Next to Regulatory compliance reports to be included in the device analysis, click Select.

    The Regulatory Compliance Reports dialog box appears.

    For a description of each standard, see Supported regulatory compliance reports.

  6. To enable a report, select its check box.

  7. To disable a report, clear its check box.

  8. Click Save.

Note: When upgrading AFA, any newly supported reports are automatically enabled.

Back to top

Supported regulatory compliance reports

Standard

Description

US Centric

 

SOX

NERC CIP v3, v4, v5

 

Required for publicly traded companies on US markets.

Required for Power manufacturing and distribution, including Oil, Gas and Nuclear. The customer may choose to analyze against either v3, v4 or v5 of the NERC CIP standards, to evaluate readiness for future standard deadlines.

HIPAA

Required for protecting patient data in US healthcare companies.

NIST SP 800-53

Required by US DoD. This report uses the National Institute of Standards and Technology (NIST) Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4 (April 2013).

NIST SP 800-41

Required by US DoD. This report uses the National Institute of Standards and Technology (NIST) Guidelines on Firewalls and Firewall Policy, Revision 1 (Sep 2009).

GLBA

Consumer identity safety requirements for US companies.

Europe Centric

 

ISO/IEC 27001

ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks.

Basel-II

This addresses the Basel Committee on Banking Supervision's framework International Convergence of Capital Measurement and Capital Standards (June 2006).

Global

 

PCI DSS 3.0

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.

You can optionally indicate which servers are in your PCI zone. Specifying these servers enables AFA and AppViz to provide you with more specific security information for PCI applications. See Configure the PCI zone.

Australia Centric

 

ASD-ISM

Firewall configuration guidelines from Australian Government.

Japan Centric

 

J-SOX

Japanese version of SOX.

Singapore Centric

 

MAS-TRM

Guidelines for information security for Singapore operating banks, published by the government banking regulator.

Back to top

Customize the compliance score value

AFA reports' Regulatory Compliance page displays a compliance score which indicates the device's degree of compliance with each compliance report. AFA calculates the compliance score with the following formula:

Compliance score = (X1 + WX2)/(X1 + X2 + X3)

You can customize the compliance score value by changing the value of the "W" variable.

Do the following:

  1. In the toolbar, click your username.

    A drop-down menu appears.

  2. Select Administration.

    The Administration page appears, displaying the Options tab.

  3. Click the Advanced Configuration tab.

    The Advanced Configuration tab appears.

  4. Click Add.

    The Add New Configuration Parameter dialog box appears.

  5. In the Name field, type Compliance_Score_Star_Weight.

  6. In the Value field, type the value you wish to assign to the "W" variable.

  7. Click OK.

  8. Click OK.

Back to top

Customize compliance score severity thresholds

AFA provides the ability to customize the compliance score severity thresholds.

By default, a bad score is 55% and below (red), a moderate score is between 55% and 70% (yellow), and a good score is 70% and above (green).

Do the following:

  1. In the toolbar, click your username.

    A drop-down menu appears.

  2. Select Administration.

    The Administration page appears, displaying the Options tab.

  3. Click the Advanced Configuration tab.

    The Advanced Configuration tab appears.

  4. To adjust the threshold for a bad score, do the following:

    1. Click Add.

      The Add New Configuration Parameter dialog box appears.

    2. In the Name field, type Compliance_Score_Max_Red.

    3. In the Value field, type the maximum value for a bad score.

      For example, if you want a score of 60% and below to be a bad score, type 60.

    4. Click OK.

  5. To adjust the threshold for a good score, do the following:

    1. Click Add.

      The Add New Configuration Parameter dialog box appears.

    2. In the Name field, type Compliance_Score_Min_Green.

    3. In the Value field, type the minimum value for a good score.

      For example, if you want a score of 80% and above to be a good score, type 80.

    4. Click OK.

  6. Click OK.

Back to top

Configure the PCI zone

Specifying the servers in the PCI zone enables AFA to specify the vulnerability of PCI applications in the PCI regulatory compliance report. Additionally, configuring these servers enables AppViz to tag which network objects intersect the PCI Zone and the applications that use these servers.

Note: This feature is only relevant when using AppViz.

AFA can only show the vulnerability of PCI applications in the PCI report when AppViz is integrated with a vulnerability scanner. When using AppViz without a vulnerability scanner, AppViz will still tag the network objects and applications that intersect the PCI zone with the PCI label.

Do the following:

  1. In the toolbar, click your username.

    A drop-down menu appears.

  2. Select Administration.

  3. The Administration page appears, displaying the Options tab.

  4. Click the Compliance tab.

    The Compliance tab appears, displaying the Risk Profiles sub-tab.

  5. Click the Compliance Options sub-tab.

  6. In the Regulatory Compliance area, in the PCI zone field, type an IP address, range, or CIDR.

  7. To add another entry, click , and type the additional value in the field.

  8. To remove a field, click .

  9. In the Vulnerability level threshold field, select the threshold for acceptable vulnerability in the drop-down menu.

Applications with the selected vulnerability level (or lower) will be considered vulnerable in PCI reports. For example, selecting Medium will cause applications with medium or low security scores to be considered vulnerable.

Note: Specifying the vulnerability level threshold is only relevant when AppViz is integrated with a vulnerability scanner.

Back to top