Managing Governance, Risk Management, and Compliance (GRC) grows more complex with each newly developed set of regulations or standards. SecurityCenter can monitor configuration compliance with a variety of standards, including HIPAA, NIST 800-53, PCI DSS, and DoD Instruction 8500.2. This dashboard gives the security manager a summary of the compliance checks supported by SecurityCenter.
Performing a compliance audit scan is not the same as performing a vulnerability scan, although there can be some overlap. A compliance audit determines whether a system is configured in accordance with an established policy; a vulnerability scan determines whether the system is exposed to known vulnerabilities. Organizations can deploy and customize audit files to match their local security policy. Once an audit file is customized, it can be used with SecurityCenter to manage and automate the configuration compliance process.
There are many different types of government and financial compliance requirements. While these requirements are good guidelines, they often specify only minimal baselines, and a security baseline is the lowest acceptable setting. Password length is a typical example: many guidelines suggest a minimum of 8 characters. That figure dates from a recommendation made in the early 1990s. With today's computing power, an 8-character password drawn from a 94-character set can be cracked in less than 13 minutes, while a 10-character password drawn from the same 94-character set could take up to 78 days. Organizations should exceed the minimum wherever possible. SANS has published a useful worksheet showing these password cracking time calculations.
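To make the scaling behind those figures concrete, here is an added Python example; it is not from the original page, from Tenable, or from the SANS worksheet. It derives the guessing rate implied by the page's 8-character/13-minute figure (that rate is an assumption, since the page does not state the hardware behind it) and extrapolates worst-case exhaustive-search times for longer lengths.

```python
"""Added example: how exhaustive-search time scales with password length.

The guessing rate is not stated on the page; it is derived here from the
page's own figure (8 characters from a 94-character set in under 13 minutes),
which is an assumption, not a measured number.
"""

CHARSET_SIZE = 94  # printable ASCII characters excluding space, as on the page


def keyspace(length, charset_size=CHARSET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def implied_rate(length, seconds, charset_size=CHARSET_SIZE):
    """Guesses per second needed to exhaust the keyspace within `seconds`."""
    return keyspace(length, charset_size) / seconds


def crack_seconds(length, rate, charset_size=CHARSET_SIZE):
    """Worst-case seconds to exhaust the keyspace at `rate` guesses/second."""
    return keyspace(length, charset_size) / rate


def humanize(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def scaling_table(rate, lengths=range(8, 15), charset_size=CHARSET_SIZE):
    """Map each password length to its worst-case crack time in seconds."""
    return {n: crack_seconds(n, rate, charset_size) for n in lengths}


if __name__ == "__main__":
    # Assumption: the attacker exhausts 94^8 guesses in 13 minutes (page figure).
    rate = implied_rate(8, 13 * 60)
    print(f"implied rate: {rate:.2e} guesses/second")
    for n, secs in scaling_table(rate).items():
        print(f"{n:2d} chars: {humanize(secs)}")
    # Cross-check against the page's second figure (10 chars, up to 78 days).
    print(f"10 chars in days: {crack_seconds(10, rate) / 86400:.1f}")
```

At the implied rate of roughly 7.8e12 guesses per second, the 10-character case comes out at about 80 days, which matches the page's 78-day figure to within rounding, and each additional character multiplies the worst case by 94, so 12 characters already exceed a thousand years under the same assumption. That exponential step, not the absolute numbers, is the reason to go beyond an 8-character minimum.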
The security and operations teams should review the standards. Together, the teams should
provide recommendations on hardening policies, which ideally would then be approved by
management. The compliance requirements should be mapped to business goals to ensure that
risks are appropriately identified and mitigated. For more information on developing this
process, please refer to the Tenable whitepaper Maximizing ROI on Vulnerability
Management.
This dashboard provides several components for each of the compliance standards auditable by SecurityCenter using Nessus audit files. Audit files report the result of each audit check as one of three severity levels. The informational severity level is considered a pass, which is achieved when the collected configuration setting matches the expected result of the audit check; the expected result can be a defined value or a range of values. The Nessus Compliance Checks document, available in the Tenable Support Portal, contains details on how to edit audit files.
When an audit check fails, the severity is set to high, indicating that the collected result and the expected result do not match. A mismatch does not necessarily mean the system is misconfigured: each failure should be reviewed to verify that the expected result in the audit file is correct for the organization's policy. If the expected result is not correct, the audit file should be modified and the scan run again. Medium severity results should be evaluated by an analyst, who determines whether the results are accurate.
The components in this dashboard use audit files (released after 1 July 2013) that incorporate the reference tag, which maps many audit checks to their respective standards. For this dashboard, the audit files must contain a string similar to '800-53|IA-5' on the reference line of the applicable audit check, for example:
reference: CCE|CCE-8912-8,800-53|IA-5,PCI|8.5.12,800-53|CM-6
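As an added example (not part of the original page and not Tenable code), the following Python script parses the reference line out of a small .audit fragment and lists which checks map to a given standard, which is the same matching the dashboard components depend on. The fragment is constructed for this example; its custom_item layout approximates the Nessus syntax and is an assumption, while the reference line format is taken from the page. Checks that carry no reference line are reported separately, since they will not appear under any standard.

```python
"""Added example: extract standard mappings from Nessus-style audit items.

The audit fragment below is constructed for illustration; only the
'standard|control' reference format comes from the page.
"""
import re

AUDIT_FRAGMENT = r'''
<check_type:"Windows" version:"2">
<group_policy:"Example password policy">

<custom_item>
  type            : PASSWORD_POLICY
  description     : "Minimum password length"
  value_type      : POLICY_DWORD
  value_data      : [14..MAX]
  password_policy : MINIMUM_PASSWORD_LENGTH
  reference       : "CCE|CCE-8912-8,800-53|IA-5,PCI|8.5.12,800-53|CM-6"
</custom_item>

<custom_item>
  type            : REGISTRY_SETTING
  description     : "Audit account logon events"
  reference       : "800-53|AU-2,PCI|10.2"
</custom_item>

<custom_item>
  type            : REGISTRY_SETTING
  description     : "Legacy check with no reference tag"
</custom_item>

</group_policy>
</check_type>
'''

ITEM_RE = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)


def parse_items(audit_text):
    """Return one dict of 'key : value' fields per <custom_item> block."""
    items = []
    for body in ITEM_RE.findall(audit_text):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition(":")  # split on the first colon only
            if not sep:
                continue
            fields[key.strip()] = value.strip().strip('"')
        items.append(fields)
    return items


def parse_reference(ref):
    """'CCE|CCE-8912-8,800-53|IA-5' -> [('CCE', 'CCE-8912-8'), ('800-53', 'IA-5')]."""
    refs = []
    for token in ref.split(","):
        token = token.strip()
        if not token:
            continue
        standard, sep, control = token.partition("|")
        if not sep:
            raise ValueError(f"malformed reference token: {token!r}")
        refs.append((standard.strip(), control.strip()))
    return refs


def checks_for_standard(audit_text, standard):
    """Map each control of `standard` to the descriptions of checks citing it."""
    mapping = {}
    for item in parse_items(audit_text):
        for std, control in parse_reference(item.get("reference", "")):
            if std == standard:
                mapping.setdefault(control, []).append(
                    item.get("description", "<no description>"))
    return mapping


def unreferenced_checks(audit_text):
    """Checks with no reference line; they map to no standard at all."""
    return [item.get("description", "<no description>")
            for item in parse_items(audit_text) if "reference" not in item]


if __name__ == "__main__":
    for control, descs in sorted(checks_for_standard(AUDIT_FRAGMENT, "800-53").items()):
        print(f"800-53|{control}: {', '.join(descs)}")
    print("no reference line:", unreferenced_checks(AUDIT_FRAGMENT))
```

Running this against a customized audit file before loading it into SecurityCenter is a quick way to confirm that the checks you care about actually carry the 'standard|control' string the dashboard filters on; a check that failed the parse or lands in the unreferenced list will never be counted under that standard.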