Define, Audit, and Document IT Security Compliance

IT security, audit and compliance groups are under constant pressure to help the business comply with multiple regulations, and meet the demands of internal and external auditors. In addition, many regulations contain requirements pertaining specifically to the integrity and security of the IT environment.

Using QualysGuard® Policy Compliance (PC), an organization can reduce the risk of internal and external threats while at the same time providing the proof of compliance demanded by auditors across multiple compliance initiatives. QualysGuard PC provides an efficient and automated workflow that allows IT security and compliance professionals to:

  • Define policies that describe how an organization will provide security and integrity.
  • Provide proof that the policies have been operationalized.
  • Give documented evidence that the organization has discovered and fixed any policy compliance lapses.

QualysGuard PC extends the global scanning capabilities of QualysGuard Vulnerability Management to collect OS Configuration and Application Access controls from hosts and other assets within the enterprise, and maps this information to user-defined policies in order to accurately document compliance with security regulations and business mandates.

Features of QualysGuard Policy Compliance

Create Policies to Meet Multiple Regulatory or Corporate Initiatives
QualysGuard PC allows users to create user-defined policies using QualysGuard's comprehensive Policy and Controls Library. The library includes a large set of technologies and controls, as well as multiple well-known frameworks and regulations such as CobIT, SOX, HIPAA, Basel II, and more.
Customize and Assign Policies to Assets
QualysGuard's Policy Editor allows users to create and edit policies, and assign them to assets using a WYSIWYG user interface. A policy can be divided into sections and can include a cover page that documents the usage and purpose of the policy within the organization. Customization options include:
  • Technologies: Select the technologies to be tested. Technologies include operating systems (e.g. Windows 2003) and applications (e.g. Oracle 9i).
  • Controls: Add or remove controls. Each control includes a statement of how a technology should be implemented and consists of the compliance checks QualysGuard performs to validate the control.
  • Assets: Assign asset groups designating the specific hosts to test.
  • Organize Policy: Add a cover page. Edit section titles and numbers. Add, delete or move sections and controls.
Access Comprehensive Policy and Controls Library
QualysGuard maintains a "policy" library and a "controls" library. Both libraries are constantly updated as new policies and rules are added and revised by QualysGuard. The Policy Library includes pre-defined, sample compliance policies. These policies are based on popular compliance frameworks, including CobIT, SOX, HIPAA and more. The Controls Library is a centralized location with technical controls for measuring compliance against numerous frameworks and technologies (operating systems and applications). All controls are derived from the CIS benchmarks. Technical controls are the building blocks of each compliance policy. QualysGuard PC supports technical controls for the following:
  • Technologies: AIX 5.x, HPUX 11.x, Linux Red Hat Enterprise 3, 4, & 5, Oracle 9i, 10g and 11g, Solaris 9.x, Windows 2003 Server and Windows XP desktop...
  • Frameworks: CIS, CobIT 4.0, ISO 17799, NIST SP800-53...
  • Compliance Regulations: SOX 404, GLBA, HIPAA, Basel II...
Identify Policy Violations
Determine compliance with your defined set of policies. QualysGuard's external and internal scanners safely and accurately measure compliance against the technical controls specified in your policies. Scans can be set up to run automatically, or on demand whenever new network devices are introduced or configurations are updated. Automated compliance scanning uses the same QualysGuard infrastructure used for vulnerability scanning.
Measure and Document Compliance with Detailed Reports
Intuitive and easy-to-read reports provide detailed technical analysis of compliance, executive-level summaries, and reports tailored for auditors. Customize your own reports, or use the following template-based and interactive reports:
  • Policy Report provides full compliance status with a specific policy.
  • Authentication Report identifies pass/fail status for authentication.
  • Individual Host Report identifies the compliance status for a specific host.
  • Control Pass/Fail Report identifies pass/fail status for a specific control.
Create and Manage Exceptions
Users may request exceptions for some hosts/controls in a selected policy to support a business need. For example, a compliance policy may have a control that states the FTP service is not allowed on a server; however, there may be a business requirement to exempt one or more hosts from this particular control in the policy. Users can submit exceptions for one or more hosts/controls in a policy that failed compliance. Once an exception is approved, compliance reports do not report the hosts/controls named in it as failing for the period of time defined in the request.
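The exception workflow above has three conditions a report has to respect before it stops counting a failed check as a failure: the request must be approved, it must match the exact host/control pair, and the report date must fall inside the period the request defines. The following added example (not Qualys code; control ID, hostnames and dates are constructed) models that evaluation so the edge cases are explicit: a pending request does not suppress a failure, and an approved one stops suppressing it the day after its period ends.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ControlResult:
    """Outcome of one compliance check on one host (constructed sample data)."""
    host: str
    control_id: str
    passed: bool


@dataclass(frozen=True)
class ExceptionRequest:
    """A request to exempt one host from one control for a defined period."""
    host: str
    control_id: str
    approved: bool
    start: date
    end: date  # last day the exception is honoured (inclusive)


def exception_covers(exc: ExceptionRequest, host: str, control_id: str, as_of: date) -> bool:
    """An exception suppresses a failure only if it is approved, matches the
    host/control pair exactly, and the report date lies inside its window."""
    return (
        exc.approved
        and exc.host == host
        and exc.control_id == control_id
        and exc.start <= as_of <= exc.end
    )


def evaluate(results, exceptions, as_of: date) -> dict:
    """Map each (host, control) pair to PASS, FAIL or EXCEPTION as of the report date."""
    status = {}
    for r in results:
        key = (r.host, r.control_id)
        if r.passed:
            status[key] = "PASS"
        elif any(exception_covers(e, r.host, r.control_id, as_of) for e in exceptions):
            status[key] = "EXCEPTION"
        else:
            status[key] = "FAIL"
    return status


def summarize(status: dict) -> dict:
    """Count pairs per outcome, the figures an executive summary would show."""
    counts = {"PASS": 0, "FAIL": 0, "EXCEPTION": 0}
    for s in status.values():
        counts[s] += 1
    return counts


# Constructed sample data: hypothetical control ID "CTL-FTP-DISABLED" and hostnames.
RESULTS = [
    ControlResult("web01", "CTL-FTP-DISABLED", True),
    ControlResult("ftp-legacy01", "CTL-FTP-DISABLED", False),
    ControlResult("build02", "CTL-FTP-DISABLED", False),
]

EXCEPTIONS = [
    # Approved, time-boxed exception for the legacy host that still needs FTP.
    ExceptionRequest("ftp-legacy01", "CTL-FTP-DISABLED", True, date(2024, 1, 1), date(2024, 6, 30)),
    # Pending request (not yet approved): must not hide the failure on build02.
    ExceptionRequest("build02", "CTL-FTP-DISABLED", False, date(2024, 1, 1), date(2024, 12, 31)),
]


def report(year: int, month: int, day: int) -> dict:
    """Evaluate the sample results against the sample exceptions on a given date."""
    return evaluate(RESULTS, EXCEPTIONS, date(year, month, day))


if __name__ == "__main__":
    for ymd in ((2024, 3, 15), (2024, 6, 30), (2024, 7, 1)):
        st = report(*ymd)
        print(date(*ymd), summarize(st))
        for key, value in st.items():
            print("  ", key, value)
```

Run on the sample, March and June reports show one PASS, one FAIL (the pending request on build02) and one EXCEPTION; on 1 July the ftp-legacy01 exception has lapsed and the host returns to FAIL, which is the behaviour an auditor expects from a time-boxed exception rather than a permanent suppression.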

Benefits of QualysGuard Policy Compliance

  • A Trusted Third Party that yields reliable data. Because all host compliance data and policies are securely stored by QualysGuard and not subject to manipulation, auditors trust the integrity and accuracy of the information and resulting QualysGuard reports.
  • Deployment and Scalability are extremely important when diverse compliance teams are scattered across the globe. SaaS is best suited to support geographically dispersed teams that may be responsible for compliance for the entire enterprise or only one small part. Scheduled compliance scans can be run against specific parts of the enterprise at specific times, allowing for continuous scanning for compliance issues. SaaS removes scalability as a total cost of ownership (TCO)
  • Agent-less solutions speed deployment and cost less to manage over time. Remediating configuration compliance issues is not complicated by having to remediate problems with the software agents that collect compliance data. Hosts that have malfunctioning software agents cannot be considered in compliance reports.
  • Subscription-based SaaS model allows the customer to control the compliance solution without the "sunk-costs" associated with purchasing, licensing and supporting software based products. The entire service is priced per host and there are no hidden costs. This is in stark contrast to solutions that comprise a management console, data collection agents, databases, add-on modules for compliance reporting and in some cases, a separate product that manages selective compliance policies. Simplified deployment, a reliable gold-standard of reporting, and overall lower TCO are primary benefits of the subscription-based SaaS approach.
  • Role-based Access to data is critical to an organization made up of IT teams that all have some role to play in the compliance process. The roles played by all compliance teams—IT operations, security and vulnerability management, internal audit and policy management—need to be supported. Even an external audit firm could be granted a view of compliance reports to gauge compliance status over time and streamline the consulting engagement.
  • Secure, with complete end-to-end data encryption.
Pricing and Subscription Options
QualysGuard PC is priced as a prepaid annual subscription based on the number of IPs scanned (External + Internal).

                                                        1 Year Subscription   1 Year Subscription
                                                        (External)            (Internal)
Enterprise Edition
  Maximum # of Users                                    N/A                   Unlimited
  Maximum # of IPs                                      N/A                   Unlimited
  Maximum # of Scanners                                 N/A                   Unlimited
  Maximum # of Scans                                    N/A                   Unlimited
  QualysGuard XML APIs                                  N/A                   Add. Fee
Express Edition
  Maximum # of Users Per Suite Account                  N/A                   6
  Maximum # of IPs                                      N/A                   3,072
  Maximum # of Scanners                                 N/A                   2
  Maximum # of Scans                                    N/A                   Unlimited
  QualysGuard XML APIs                                  N/A                   Add. Fee
Also Includes
  24x7x365 Email/Telephone Customer & Technical Support N/A
  Web-based Training & Regional Certification Workshops N/A
  Attendance to All Qualys User Conferences & Seminars  N/A

QualysGuard Policy Compliance is also available as part of the QualysGuard Security & Compliance SaaS Suite.

Contact sales for an immediate price quote, or sign up for a 14 Day Trial.

Customers and Awards

Performing over 500 million IP audits per year, QualysGuard is the most widely deployed security-on-demand solution in the world. Qualys is selected by thousands of large and small organizations around the world. See customer success stories.

QualysGuard is overwhelmingly recognized as the leader in its space. QualysGuard has won awards including Best Vulnerability Management Solution, Best Security Product, Best Security Company, Best Network Protection Service and more. See award details.