Qualys is also one of the few vendors in this evaluation that has a full-featured configuration compliance module that provides concrete mappings from a wide list of regulations to actual IT controls.
Forrester Wave: Vulnerability Management (Q2 2010), Forrester Research, Inc.
As a Web-based solution, QualysGuard enables us to perform security audits as often as necessary, spot vulnerabilities immediately as they are added to the QualysGuard database, and work proactively to remediate them. This helps us secure all of our network entry points, enforce ICI security policies, and assists us in meeting federal requirements.
Director of Global Information Security, ICI
Compliance is a fact of life. It affects organizations of all sizes, including commercial enterprises, government agencies, and public-sector entities. At its core, compliance mostly concerns adherence to laws and regulations, especially regarding the use of information technology. IT policy compliance entails proving compliance to an independent auditor, especially for mandated security-related controls. These controls may be prescribed by industry regulations, standards, or government laws and regulations. Failure to comply can trigger penalties, embarrassing public disclosure of breaches, and other potential damage to an enterprise.
Meeting the Obligations of Compliance
Some industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS) or the NERC Critical Infrastructure Protection Reliability Standards provide explicit guidelines and granular controls. Industry standards such as the International Standards Organization's ISO/IEC 27002:2005 define best practices for helping organizations to preserve the confidentiality, integrity, and accessibility of information. Other laws and regulations such as the Gramm-Leach-Bliley Act, Sarbanes-Oxley, or the Health Insurance Portability and Accountability Act (HIPAA) are vague about controls. In cases like these, auditors rely on detailed frameworks such as COBIT — the IT governance and control framework called Control Objectives for Information and related Technology. Either way, an organization still must comply or suffer the penalties.
Fulfilling the many requirements of compliance is nearly impossible with manual systems. Automating controls and controls monitoring brings several benefits:
- Monitor a larger range of transactions, controls, and systems than a person could ever assess using a manual process.
- Provide a level of consistency that eliminates the subjectivity of human review.
- Run metrics and reports that help you manage the quality of both your compliance program and operations overall.
How Qualys Helps You Fulfill IT Policy Compliance
Qualys' on-demand solution, QualysGuard Policy Compliance, provides a fully automated, agentless way to fulfill the requirements of policy compliance. The solution identifies misconfigurations on business systems, tracks exceptions, and produces the reports necessary to meet compliance requirements. It collects OS, application, and database configuration and access-control settings from the information assets within the enterprise. Automated reporting draws on a comprehensive knowledge base of technical controls mapped to prevalent security regulations, industry standards, and compliance frameworks. Auditors use this documentation to verify how an organization provides security and integrity, to prove that policies have been effectively operationalized, and to confirm that the organization has discovered and addressed any policy compliance issues, either through direct mitigation or through justified risk acceptance.
QualysGuard Policy Compliance is delivered as software-as-a-service at a fraction of the cost associated with traditional software solutions.