jaimehonaker
ServiceNow Employee

Configuration Compliance is a new application in the Kingston release and is part of ServiceNow's Enterprise Security Response suite.

[Image: Enterprise Security Response suite, showing Configuration Compliance]

Configuration Compliance protects you from security vulnerabilities

Configuration Compliance is a Secure Configuration Assessment (SCA) application that exposes configuration-related security vulnerabilities of highest impact to business operations, and streamlines the remediation process across frequently isolated information security, IT operations, and business process stakeholders. It helps your company stay in compliance with corporate policies. We think even Sheldon Cooper would approve!


The application gathers scan results from third-party SCA scanners, prioritizes configuration compliance issues, and meshes with the IT change management process for remediating non-compliant configurations. A configuration is non-compliant when it fails a test defined by company security or corporate policies.

Who uses Configuration Compliance?

Vulnerability managers and analysts within information security are the primary users for Configuration Compliance, since misconfigured software assets can cause exploitable security vulnerabilities, similar to traditional vulnerabilities caused by software defects.

However, unlike managing traditional software vulnerabilities, the secure configuration baselines monitored by Configuration Compliance are often driven by corporate and regulatory compliance. So, Governance, Risk Management and Compliance (GRC) professionals will often consume compliance data produced by Configuration Compliance.

How does Configuration Compliance work?

Configuration Compliance works with third-party Secure Configuration Assessment (SCA) scanner applications and integrates with Governance, Risk, and Compliance (GRC) for ongoing review.

With Configuration Compliance and IT running on the same platform, security analysts and IT remediation teams can work together to resolve issues faster.

When you use SCAs, you are able to determine where your company has the most critical, high-impact, configuration-based security vulnerabilities. By compiling the scanning results from the integration with scanning apps, you are able to prioritize compliance issues using the business context held in the Configuration Management Database (CMDB). Using the IT change management process, Configuration Compliance helps to resolve configurations that are non-compliant.

Features of Configuration Compliance:

  • Third-party integration unites configuration assessment and remediation throughout all your IT assets, providing you with one centralized place for configuration management. It imports configuration scanning content from scanning applications, and it incorporates and standardizes custom configuration information from other sources specific to your environment.
  • Asset-Centric Prioritizing and test result grouping help to resolve non-compliance issues. With potential for a high volume of findings, results are prioritized using business context for the affected IT assets. You can even create custom risk calculators based on your company's needs, using your unique IT asset information maintained in your CMDB.
  • Remediation workflow orchestration puts content into a structured response engine. Findings can be grouped or directed based on skill set and responsibility, allowing for easy transition between groups.
  • Advanced Reporting provides the creation of real-time dashboards, which are customizable and based on your unique IT assets and data. Key indicators, time charts, and drill-downs let you focus on areas where performance can improve. The reporting function also allows you to share the security scorecards with peers, creating a shared responsibility model for information security.
    • Below is the Configuration Compliance homepage, which gives you an overview of policies, CIs, tests, and test results. This makes it easier for your staff to pinpoint areas of concern faster. It is customizable and additional charts may be added. Within each chart, to view general data specific to one part of it, all you have to do is point to any part of the chart, whether it's a bar, pie slice, data point, etc. Clicking on any part of a report provides a list of more detailed info.

[Screenshot: Configuration Compliance homepage]

  • Continuous monitoring for GRC risk assessment and policy compliance makes sure your company's IT policy follows regulatory compliance obligations and enterprise risk management, without requiring significant overhead. If you use Configuration Compliance with the SN GRC application suite, you can have greater visibility with less manual effort by letting the configuration tests roll up to the corresponding GRC controls. In turn, GRC control compliance can then be calculated automatically and continuously across all in-scope assets.
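
To make the pipeline in the feature list concrete, here is an added Python model of the flow it describes: ingest SCA test results, enrich failed tests with business context from a CMDB extract, score them with a custom risk calculator, route them to remediation groups, and roll test results up to GRC controls. This is illustrative code written for this post, not ServiceNow's own implementation or API; the CI names, test names, severity scale, control mapping and the risk formula are all constructed assumptions.

```python
"""Illustrative model of a secure-configuration-assessment pipeline.

Not ServiceNow code: every record below is constructed sample data, and the
risk formula is a hypothetical "custom risk calculator" of the kind the
post says you can define from your own CMDB attributes.
"""
from collections import defaultdict

# Constructed CMDB extract: CI name -> business context (hypothetical values).
CMDB = {
    "web-prod-01": {"criticality": "high", "internet_facing": True, "assignment_group": "Web Ops"},
    "db-prod-02": {"criticality": "high", "internet_facing": False, "assignment_group": "DBA"},
    "dev-box-07": {"criticality": "low", "internet_facing": False, "assignment_group": "Dev Tools"},
}

# Constructed SCA scanner output, one row per test per CI; severity is an
# assumed 1-5 scanner scale.
SCAN_RESULTS = [
    {"ci": "web-prod-01", "test": "ssh-root-login-disabled", "severity": 4, "status": "fail"},
    {"ci": "web-prod-01", "test": "tls-min-version-1.2", "severity": 3, "status": "pass"},
    {"ci": "db-prod-02", "test": "ssh-root-login-disabled", "severity": 4, "status": "fail"},
    {"ci": "db-prod-02", "test": "audit-logging-enabled", "severity": 3, "status": "fail"},
    {"ci": "dev-box-07", "test": "ssh-root-login-disabled", "severity": 4, "status": "fail"},
    {"ci": "dev-box-07", "test": "audit-logging-enabled", "severity": 3, "status": "pass"},
]

# Constructed mapping of configuration tests to GRC controls (NIST 800-53
# style identifiers chosen for illustration; your mapping will differ).
TEST_TO_CONTROL = {
    "ssh-root-login-disabled": "AC-6 least privilege",
    "tls-min-version-1.2": "SC-8 transmission confidentiality",
    "audit-logging-enabled": "AU-2 audit events",
}

CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Fallback context for a CI the scanner saw but the CMDB does not know about:
# keep the finding visible (medium weight, unassigned) instead of dropping it.
UNKNOWN_CI = {"criticality": "medium", "internet_facing": False, "assignment_group": "Unassigned"}


def risk_score(finding, ci):
    """Hypothetical risk calculator: scanner severity x business criticality,
    plus 2 when the CI is internet facing."""
    score = finding["severity"] * CRITICALITY_WEIGHT[ci["criticality"]]
    if ci["internet_facing"]:
        score += 2
    return score


def prioritize(results, cmdb):
    """Return failed findings enriched with CMDB context, highest risk first."""
    findings = []
    for r in results:
        if r["status"] != "fail":
            continue
        ci = cmdb.get(r["ci"], UNKNOWN_CI)
        findings.append({**r, "risk": risk_score(r, ci),
                         "assignment_group": ci["assignment_group"]})
    # Deterministic order: risk descending, then CI and test name for ties.
    return sorted(findings, key=lambda f: (-f["risk"], f["ci"], f["test"]))


def route(findings):
    """Group findings by assignment group so each remediation team gets one queue."""
    queues = defaultdict(list)
    for f in findings:
        queues[f["assignment_group"]].append(f)
    return dict(queues)


def control_compliance(results, mapping):
    """Roll test results up to GRC controls: fraction of mapped results that passed."""
    counts = defaultdict(lambda: [0, 0])  # control -> [passed, total]
    for r in results:
        control = mapping.get(r["test"])
        if control is None:
            continue  # test not in scope of any control
        counts[control][1] += 1
        if r["status"] == "pass":
            counts[control][0] += 1
    return {c: round(passed / total, 2) for c, (passed, total) in counts.items()}


if __name__ == "__main__":
    ranked = prioritize(SCAN_RESULTS, CMDB)
    for group, items in route(ranked).items():
        print(group, [(f["ci"], f["test"], f["risk"]) for f in items])
    print(control_compliance(SCAN_RESULTS, TEST_TO_CONTROL))
```

With the sample data, the same failed test (root SSH login enabled) ranks first on the internet-facing production web server, lower on the internal database server, and last on the low-criticality dev box, which is the asset-centric prioritization the post describes; the roll-up shows the access-control control at 0% compliant because every in-scope CI fails it, while the audit control sits at 50%.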

To set up Configuration Compliance, you must activate the Configuration Compliance [com.snc.vulc] plugin and configure it based on the needs of your organization. This plugin is available as a separate subscription. See the product documentation for steps on activating Configuration Compliance.
