Method and apparatus for continuous compliance assessment
Abstract
In various embodiments, a target host may provide a change data to a compliance server in response to detecting a change, and the change data may include one or more rules, settings, and/or parameters. Also, in various embodiments, the compliance server may determine whether the one or more rules, settings, and/or parameters meet one or more compliance policies and generate one or more test results based at least on the results of the determining. Further, in some embodiments, the target host may detect a change to a rule, setting, and/or parameter based on a collection policy defining what change data is to be collected by the target host and provide data associated with the rule, setting, and/or parameter as change data to the compliance server.
16 Claims
1. A method for continuous compliance assessment comprising:
- receiving, by a compliance server, change data associated with a change to a target host rule detected by a collection policy that defines a scope of what change data is to be collected, and for which rules of the target host, the change data comprising:
  - (a) an identification of the target host,
  - (b) an identification of the collection policy, and
  - (c) element data for the change to the target host rule;
- determining, by the compliance server, whether the change to the target host rule meets one or more of a plurality of compliance policies associated with the collection policy, the determining comprising:
  - matching the collection policy with the one or more of the plurality of compliance policies,
  - evaluating whether the target host specified in the change data is associated with one or more waivers and thereby determining that the target host is not associated with the one or more waivers, and
  - evaluating the element data against expressions of the matching one or more compliance policies, the expressions specifying requirements of the matching one or more compliance policies; and
- generating, by the compliance server, one or more test results based at least on results of the determining, the one or more test results indicating whether the change to the target host rule is in compliance with the matching one or more compliance policies, and when the change is not in compliance with the matching one or more compliance policies, generating appropriate element data for the target host rule to place the target host rule into compliance with the matching one or more compliance policies.
2. The method of claim 1, further comprising storing, by the compliance server, the received change data in a change database.
3. The method of claim 1, further comprising:
- in response to receiving the change data, generating, by the compliance server, an event; and
- performing the determining in response to the generated event.
4. The method of claim 1, further comprising filtering, by the compliance server, the received change data and conditionally performing the determining based on a result of the filtering.
5. The method of claim 1, wherein the generating the one or more test results comprises generating a report for at least one of the target host or an administrative user.
6. The method of claim 1, further comprising receiving or retrieving, by the compliance server, new or updated compliance policies.
7. The method of claim 1, further comprising repeating the receiving, determining, and generating in real time each time the target host captures an additional change to the target host rule.
8. The method of claim 1, wherein one or more standards are defined by standards organizations that define industry standards, the matching one or more compliance policies ensuring that the target host is in compliance with the one or more standards.
9. The method of claim 8, wherein the matching one or more compliance policies comprising matching at least two compliance policies, and wherein each of the at least two compliance policies is for a different standard.
10. The method of claim 1, further comprising performing remedial measures to place the target host in compliance with the matching one or more compliance policies based on the one or more test results.
11. A compliance server for continuous compliance assessment comprising:
- a computer processor;
- a change database for storing change data associated with a change to a target host rule detected by a collection policy that defines a scope of what change data is to be collected, and for which rules of the target host, wherein the change data comprises:
  - (a) an identification of the target host,
  - (b) an identification of the collection policy, and
  - (c) element data for the target host configuration parameter or setting, the element data specifying requirements of the target host rule; and
- logic communicatively coupled to the change database and operable by the computer processor to:
  - receive the change data;
  - store the change data in the change database;
  - determine which one or more of a plurality of compliance policies match the collection policy;
  - evaluate whether the change to the target host rule complies with the matching one or more compliance policies, the evaluating comprising:
    - identifying whether the target host is associated with one or more waivers specified by the matching compliance policies; and
    - when the target host is not exempt from the matching one or more compliance policies, evaluating the element data for compliance with the matching one or more compliance policies;
  - generate one or more test results based at least on results of the determining and evaluating, the one or more test results indicating whether the change to the target host rule is in compliance with the matching one or more compliance policies; and
  - when the change is not in compliance with the matching one or more compliance policies, generating appropriate element data for the target host rule to place the target host rule into compliance with the matching one or more compliance policies.
12. The compliance server of claim 11, wherein the logic is further operable by the processor to filter the received change data and conditionally perform the determining based on a result of the filtering.
13. The compliance server of claim 11, wherein the identifying whether the target host is associated with the one or more waivers specified by the matching compliance policies comprises determining whether the target host is listed in a waiver list element of the matching one or more compliance policies.
14. A non-transitory storage medium storing programming instructions configured to cause a target host to:
- detect a change to a target host rule detected by a collection policy that defines a scope of what change data is to be collected, and for which rules of the target host;
- provide change data to a compliance server, the change data comprising:
  - (a) an identification of the target host,
  - (b) an identification of the collection policy, and
  - (c) element data for the change to the target host rule; and
- receive a report from the compliance server including one or more test results, the one or more test results being based at least on results of:
  - matching, by the compliance server, the collection policy with one or more of a plurality of compliance policies,
  - evaluating whether the target host specified in the change data is associated with one or more waivers and thereby determining that the target host is not associated with the one or more waivers, and
  - evaluating the element data against expressions specifying requirements of the matching one or more compliance policies,

  the one or more test results indicating whether the change to the target host rule is in compliance with the matching one or more compliance policies, and when the change is not in compliance with the matching one or more compliance policies, generating appropriate element data for the target host rule to place the target host rule into compliance with the matching one or more compliance policies.
15. The non-transitory storage medium of claim 14, wherein the programming instructions are further configured to cause the target host to repeat the detecting and providing each time a change to the target host rule occurs on the target host.
16. A non-transitory storage medium storing programming instructions configured to cause a compliance server to perform a method, the method comprising:
- receiving change data associated with a change to a target host rule detected by a collection policy that defines a scope of what change data is to be collected and for which rules of the target host, the change data comprising:
  - (a) an identification of the target host,
  - (b) an identification of the collection policy, and
  - (c) element data for the change to the target host rule;
- determining whether the change to the target host rule meets one or more of a plurality of compliance policies associated with the collection policy, the determining comprising:
  - matching the collection policy with the one or more of the plurality of compliance policies,
  - evaluating whether the target host specified in the change data is associated with one or more waivers and thereby determining that the target host is not associated with the one or more waivers, and
  - evaluating the element data against expressions of the matching one or more compliance policies, the expressions specifying requirements of the matching one or more compliance policies;
- generating one or more test results based at least on results of the determining, the one or more test results indicating whether the change to the target host rule is in compliance with the matching one or more compliance policies; and
- when the change is not in compliance with the matching one or more compliance policies, generating appropriate element data for the target host rule to place the target host rule into compliance with the matching one or more compliance policies.
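The server-side flow recited in claims 1 and 13, as an added Python example that is not code from the patent or from any product: match the collection policy, check the waiver list, evaluate the element data against policy expressions, and emit corrective element data on failure. The class and function names, the `(key, operator, required value)` expression format, and the sample sshd values are all assumptions constructed for this example.

```python
import operator
from dataclasses import dataclass, field

# Hypothetical expression vocabulary; a fixed table avoids eval() on policy text.
OPS = {"eq": operator.eq, "le": operator.le, "ge": operator.ge}

@dataclass
class CompliancePolicy:
    policy_id: str
    collection_policy_id: str      # collection policy this compliance policy matches
    expressions: list              # (element key, operator name, required value)
    waiver_list: set = field(default_factory=set)  # exempt host ids (claim 13)

def assess(change, policies):
    """Return one test result per compliance policy matching the change."""
    results = []
    for p in policies:
        if p.collection_policy_id != change["collection_policy_id"]:
            continue                                    # matching step
        if change["host_id"] in p.waiver_list:          # waiver step
            results.append({"policy": p.policy_id, "status": "waived",
                            "remediation": {}})
            continue
        fix = {}
        for key, op, required in p.expressions:         # expression step
            actual = change["element_data"].get(key)
            try:
                ok = actual is not None and OPS[op](actual, required)
            except TypeError:       # incomparable types, e.g. "6" <= 4: fail closed
                ok = False
            if not ok:
                fix[key] = required  # element data that would satisfy the expression
        results.append({"policy": p.policy_id,
                        "status": "fail" if fix else "pass",
                        "remediation": fix})
    return results

# Constructed sample data: two policies from different standards share one
# collection policy (claim 9); a third belongs to an unrelated collection policy.
POLICIES = [
    CompliancePolicy("std-a-sshd", "cp-sshd",
                     [("PermitRootLogin", "eq", "no"), ("MaxAuthTries", "le", 4)],
                     waiver_list={"legacy-01"}),
    CompliancePolicy("std-b-sshd", "cp-sshd", [("PermitRootLogin", "eq", "no")]),
    CompliancePolicy("std-a-fw", "cp-firewall", [("DefaultInbound", "eq", "deny")]),
]
CHANGE = {"host_id": "web-07", "collection_policy_id": "cp-sshd",
          "element_data": {"PermitRootLogin": "yes", "MaxAuthTries": 6}}
```

A waiver short-circuits only the policy that lists the host, so a host waived under one standard is still evaluated against every other matching policy.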
Specification