Configure Servers
19
To check for frequent policy file updates, you may choose to Check for policy file
updates during a specific time period (days, minutes, hours). If updates exist, they will
be downloaded for the SecurityExpressions Audit & Compliance Server to use.
Check Now updates the policy files immediately.
3. Click Update to store the policy file library configuration. The settings are stored but can
be modified.
About Policy Files
Security policies lay a solid foundation for the development and implementation of secure
practices within an organization. In SecurityExpressions, policy files contain the rules to which an
organization must adhere for their system security configuration. Compliance with policies
requires an understanding by staff of not only the individual policies but also of the
circumstances in which such compliance is expected in their daily activities. Policy files have a
.SIF extension.
A high-level security policy may outline specific requirements or rules that must be met, such as
the rules and regulations for appropriate use of the computing facilities. A technical standard or
configuration guideline is typically a collection of system-specific or procedural-specific
requirements that everyone must meet. For example, you might have a standard that describes
how to harden a Windows workstation for placement on an external network (DMZ).
Administrators must follow this standard exactly if they wish to install a Windows 2003
workstation on an external network segment.
The Security Policy File Library provides pre-defined and customizable system security policy files
and security guidelines from well-known sources, such as Microsoft, SANS, NSA, NIST, CIS, as
well as policy files including Microsoft Patches, user settings, and Solaris patch management. You
can select a policy file to use or modify for your audits.
How System Scores are Calculated
The score a system gets from an audit is calculated using the properties of rules checked against
the system during the audit. The properties used are:
Rule Result - Each rule returns a result of OK, Not OK, Error, or Info during an audit. Rules that
return Info or Error are not included in the calculation.
Weight Values - Each rule is assigned a weight value from one of the three rule keys, in this
order: Weight, Impact, or Priority. The Weight key is not a key that each rule automatically has;
it must be created by a user.
If a Weight key exists for a rule and has a value, it always becomes the rule's weight value. If
there is no Weight key, the rule gets its weight from the Impact key. If neither key has a value,
then the rule gets its weight from the Priority key. If none of these keys have a value, the rule
gets a weight value of 1.0.
You can customize the values of rules in one of two places:
1. In the SecurityExpressions server interface by editing the policy file and then uploading it
into a policy.
2. In the SecurityExpressions console application, if using it, by adjusting rule keys in the .SIF
file.
The following is the formula the software uses to calculate system scores: