
Date post: 07-Sep-2018

Symantec™ Control Compliance Suite Getting Started Guide

Version: 11.0


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 11.0

Legal Notice

Copyright © 2012 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Personal Information. You may configure the Licensed Software to collect personal information, including but not limited to, IP address, domain name, domain users, user name, login passwords, security logs, server logs, which is stored on Your system only and is not transmitted to Symantec. Please contact Your network administrator for further details.

Telemetry Option; Non-Personal Information. The Licensed Software contains a telemetry feature which may collect non-personal information. Such non-personal information may include, without limitation, machine configuration, SQL server details, license status, and system performance and will not be correlated with any personal information. Unless You affirmatively opt-out of this feature, telemetry will be automatically enabled to transmit such non-personal information to Symantec so we can better understand the usability and supportability of the product.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our Web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Getting started with Symantec Control Compliance Suite

This document includes the following topics:

■ What is CCS?

■ How do I achieve my objectives with CCS?

■ How do I collect asset data to achieve my objectives?

■ What are the components of CCS?

■ What are the minimum hardware and software requirements for installing the CCS components?

■ How do I install CCS for the first time?

■ How do I upgrade to CCS 11.0?

■ What configurations are required for collecting data from my network?

■ How do I use CCS to manage the IT assets?

■ How do I use CCS for assessing technical controls?

■ How can I use CCS to plan for internal and external audits?

■ How can I use CCS to assess IT risk?

■ How can I use CCS to evaluate exposure to external threats, and assess procedural and data controls?

■ How do I collect and monitor data in CCS?

■ Where can I find more information about CCS?

What is CCS?

Symantec Control Compliance Suite (CCS) automates key IT risk and compliance management tasks. CCS ensures the coverage of external mandates through written policy creation, dissemination, acceptance logs, and exception management. CCS demonstrates compliance to both external regulatory mandates and internal policies. CCS allows customers to link the written policy to specific technical and procedural standards. Customers can assess these policies using a highly scalable agent-less or agent-based tool.

CCS scores assessment results against specified risk criteria. CCS supports automated assessment of the system security configuration, permissions, patches, and vulnerabilities. CCS also supports the assessment of procedural controls and entitlement review through a manual attestation process. CCS includes system reporting capabilities.

CCS is an integrated solution comprising different modules. You can use a combination of these modules to meet your objectives.

You can recover the CCS components in case of a failure.

This document provides disaster recovery and migration procedures for the following scenarios.

See “How do I achieve my objectives with CCS?”

How do I achieve my objectives with CCS?

The following table lists the CCS features that you can use to achieve your objectives:

Table 1-1 How to achieve your business objective with CCS

Business objective to achieve: Plan for internal and external audits

How CCS helps achieve the objective: Policy Manager

■ CCS hosts more than 150 customizable sample policies and templates.

■ The policies are mapped to technical and procedural controls that let you measure a given control and use the results across multiple mandates.

■ You can also import your own data from the existing data collection solution to use the CCS Policy Manager.

Business objective to achieve: Assess technical controls

How CCS helps achieve the objective: Standards Manager

■ CCS provides a capacity to assess the security compliance of the assets against a set of standards.

■ You can use pre-defined standards or can create custom standards to evaluate your assets.

■ You can also import your own data from the existing data collection solution to use the CCS Policy Manager.

Business objective to achieve: Evaluate exposure to external threats

How CCS helps achieve the objective: External Data Integration

■ CCS provides a capability to integrate with external data systems. CCS also supports Vulnerability Manager as a pre-integrated external data system.

■ You can use the Vulnerability Manager to prevent threats to critical assets by quickly identifying vulnerabilities in your most sensitive servers, Web-based applications, operating systems, and databases.

Business objective to achieve: Assess procedural controls

How CCS helps achieve the objective: External Data Integration

■ CCS provides a capability to integrate with external data systems. CCS also supports Response Assessment Module (RAM) as a pre-integrated external data system.

■ You can use RAM for procedural controls with its built-in content and mandates.

Business objective to achieve: Assess data controls

How CCS helps achieve the objective: External Data Integration

■ CCS provides a capability to integrate with external data systems. CCS also supports Data Loss Prevention (DLP) as a pre-integrated external data system.

■ You can use DLP to scan your network, endpoints, and servers to check the loss of sensitive data.

Business objective to achieve: Assess IT risk

How CCS helps achieve the objective: Risk Manager

■ CCS enables you to transform IT risk into business-relevant risk metrics that can be shared with key stakeholders to drive awareness, accountability, and action.

■ You can visualize current risk exposure and analyze historical trends to illustrate how your IT risk and compliance program systematically reduces risks to the business over time.

■ You can prioritize remediation efforts based on business risk rather than technical severity.

■ You can work with key business stakeholders to make consistent plans for better security practices within their business and monitor progress against these plans on an ongoing basis.

Business objective to achieve: Report on IT risk and compliance posture

How CCS helps achieve the objective: Reports and Dynamic dashboards

■ CCS supports various predefined reports and dynamic dashboards to present a snapshot of the compliance posture of your system.

How do I collect asset data to achieve my objectives?

You must collect asset data from your enterprise network in order to achieve your objectives using CCS. Following are the ways in which you can collect asset data from your enterprise network. You can decide the deployment model based on the data collection solution that you choose to collect data for the assets.

The different solutions available for data collection are listed in the table below.

Table 1-2 Deployment model based on the data collection solution

Use case: Raw-data based

Description: Raw-data based collection lets you collect asset data from your enterprise network. The collected data is then evaluated against a standard in CCS. You can collect raw-data using the agent-less method or the agent-based method.

Use case: Message based

Description: Message based collection lets you collect and interpret asset data from your enterprise network before sending the data to CCS. The CCS Agent installed on each computer in the enterprise network performs the actual task of data collection and interpretation. The CCS Agent interprets the data against the standards or policies and presents the data to CCS in the form of messages.

Use case: External data integration

Description: External data integration lets you seamlessly import data from an application that is external to CCS and represent the data in CCS as a data schema. The collected data is then evaluated against a standard in CCS.

Both agent-less and agent-based methods allow you to collect asset data from the following platforms:

■ Windows

■ UNIX

■ Oracle

■ Microsoft SQL Server

In addition to this, you can deploy the RMS information server for collecting raw data from the following platforms:

■ Exchange

■ VMware

Message based data collection allows you to collect data from the following additional platforms:

■ DB2

■ Sybase

■ VMware


What are the components of CCS?

CCS consists of a number of components that work together. The components collect, store, and analyze data from the network, then transmit that data to clients in a usable form. In some instances, a single computer can serve in more than one role. Other roles require a dedicated server.

Figure 1-1 illustrates how the CCS components work together.

Figure 1-1 CCS Infrastructure Architecture Diagram

The various components of CCS can be described as follows:

Table 1-3 Components of CCS

Component: Application Server

Description: The CCS Application Server is the hub of CCS. The Directory Service in the CCS Application Server stores information about business objects, preferences, and other information. In addition, the Directory Service hosts the certificate authority for the CCS system, and issues and validates certificates. Certificates are used to ensure secure communications between the CCS components.

CCS jobs flow from the CCS Console to the Application Server and then to one of the CCS Manager Load Balancers. When reports are complete, the Application Server retrieves the report from the reporting database and sends it to the console for display to the user. In addition, the Application Server manages data storage and manages the scheduled jobs and workflow in the production database.

Component: CCS Manager

Description: CCS Manager performs up to five different duties in CCS. Each of these duties is called a role. A single instance of the CCS Manager can provide more than one role simultaneously. Normally, a CCS deployment includes many servers that each host a CCS Manager installation. When a deployment contains multiple CCS Manager installations, each CCS Manager performs a single role.

Component: CCS Agent

Description: The CCS Agent resides on the computers in your network. The CCS Agent collects data about the target computer and forwards the data to the CCS Manager. The CCS Agent can:

■ Collect and interpret data about the security of the computer. The resulting data is forwarded to the CCS Manager.

■ Collect data about the security of the computer and forward the data to the CCS Manager.

Component: Databases

Description: CCS hosts the production and reporting databases.

Component: CCS Console

Description: CCS Console is a Windows application that runs on a client computer. The console allows access to the full range of CCS activities. Only users who have been assigned to roles that allow them to work in the console can perform activities in the console.

Component: Web Console

Description: CCS Web Console lets users access a subset of the CCS functionality using Internet Explorer 8.0.

What are the minimum hardware and software requirements for installing the CCS components?

The following table contains the minimum requirements for each component.

Table 1-4 CCS server requirements

Component name: Application Server and Web Console server

Hardware requirements:

■ Minimum memory: 4 GB

■ Minimum processor: 2.8 GHz

■ Minimum hard disk space: 20 GB

Required operating system:

■ Windows Server 2003 Enterprise or Standard edition SP2 x64, R2 SP2 x64

■ Windows Server 2008 Enterprise or Standard edition SP2 x64, R2 x64

Note: You can perform a fresh installation of the CCS Application Server version 11.0 only on a computer running a 64 bit operating system. However, you can upgrade an existing CCS Application Server installed on a computer running a 32 bit operating system, to CCS Application Server version 11.0.

Software requirements:

■ Microsoft Visual C++ 2010 redistributable framework.

■ Microsoft .NET 4.0 framework.

■ Microsoft .NET Framework 3.5 SP1.

■ ADAM SP1 / ADLDS.

■ Microsoft Core XML Service (MSXML) 6.0.

■ Symantec LiveUpdate Client

■ Internet Information Services (IIS) 6.0, 7.0 or 7.5. Static Content and Windows Authentication required for IIS 7.0 and above.

Component name: Production database or Reporting database

Hardware requirements:

■ Minimum memory: 4 GB

■ Minimum processor: 2.8 GHz

■ Minimum hard disk space: 50 GB

Required operating system:

■ Windows Server 2003 Enterprise or Standard edition SP2, SP2 x64, R2 SP2, R2 SP2 x64

■ Windows Server 2008 Enterprise or Standard edition SP1, SP1 x64, SP2, SP2 x64, R2 x64

Software requirements:

■ Microsoft SQL Server 2005 SP2 or later

■ Microsoft SQL Server 2008 SP1, SP2

■ Microsoft SQL Server 2008 R2

CCS supports 32 bit and 64 bit versions of the SQL Server.

Component name: CCS Manager

Hardware requirements:

■ Minimum memory: 2 GB

■ Minimum processor: 2.8 GHz

■ Minimum hard disk space: 20 GB

Required operating system:

■ Windows Server 2003 Enterprise or Standard edition SP2, SP2 x64, R2 SP2, R2 SP2 x64

■ Windows Server 2008 Enterprise or Standard edition SP1, SP1 x64, SP2, SP2 x64, R2 x64

Ensure that the computer on which you install the CCS Manager has the latest Windows Service Pack along with the latest updates.

Note: CCS 11.0 does not support CCS Manager installation on the Windows Core operating system.

Software requirements:

■ Microsoft Visual C++ 2010 redistributable framework.

■ Microsoft .NET 4.0 framework.

■ Crystal Reports 2010 for CCS Manager in a reporting role.

■ SQL DMO 8.05.1054.

■ Oracle Instance Client 10.2.0.4 for collecting data from Oracle.

■ Microsoft Access Database Engine 2010.

■ Internet Information Services (IIS) 6.0, 7.0 or 7.5. Static Content and Windows Authentication required for IIS 7.0 and above.

Component name: CCS Agent

Hardware requirements:

■ Minimum memory: 1 GB

■ Minimum processor: 1.33 GHz

■ Minimum hard disk space: 2 GB

■ Swap space: 1 GB

Required operating system: For information on supported target computers for agent-based data collection, see the Symantec Control Compliance Suite Planning and Deployment Guide.

Software requirements: For information on supported databases for agent-based data collection, see the Symantec Control Compliance Suite Planning and Deployment Guide.

Component name: CCS Console

Hardware requirements:

■ Minimum memory: 2 GB

■ Minimum processor: 2.8 GHz

■ Minimum hard disk space: 20 GB

Note: The hardware requirements would differ if you are installing and launching the CCS Console as a stand-alone component on a separate computer.

Required operating system:

■ Windows XP Professional SP2 x64, SP3

■ Windows Vista Business or Enterprise SP1, SP1 x64, SP2, SP2 x64

■ Windows 7, x64

■ Windows Server 2003 Enterprise or Standard edition SP2, SP2 x64, R2 SP2, R2 SP2 x64

■ Windows Server 2008 Enterprise or Standard edition SP1, SP1 x64, SP2, SP2 x64, R2 x64

Software requirements:

■ Microsoft Visual C++ 2010 redistributable framework.

■ Microsoft .NET 4.0 redistributable framework.

CCS Setup installs some prerequisite software while installing the CCS components. For detailed information about the software requirements, network ports requirements and the user privileges required for installing the components and databases, see the Symantec Control Compliance Suite Planning and Deployment Guide.

How do I install CCS for the first time?

The CCS setup consists of separate installers for installing the following CCS components:

■ CCS Suite: The CCS Suite consists of the CCS Application Server and the CCS Manager. CCS Application Server is the core component of CCS. Installing the CCS Application Server also installs the CCS Console, the CCS Web Console and the Certificate Management Console on the same computer.

■ CCS Manager: The CCS Manager setup is used to install a stand-alone CCS Manager for a scale-out deployment. The CCS Manager also installs the CCS Agent on the same computer. You must create certificates using the Certificate Management Console, for installing stand-alone CCS Managers.

■ CCS Agent: The CCS Agent setup is used to install the CCS agents on target computers, for agent-based data collection. You can install CCS Agents on Windows or UNIX computers.

In addition, the CCS setup also contains an installer for installing the CCS Content for evaluating asset data with the standards. You must install the CCS Suite before installing the CCS content.

For message based data collection, you must install and configure the application modules on CCS Agents. The CCS setup contains the application modules and related documentation.

Let us assume that you want to deploy CCS and collect data from two sites as displayed in the following diagram:

Figure 1-2 Example of CCS deployment

Site A has the CCS core components: CCS Application Server, CCS Consoles and the databases. Site A also has a CCS Manager with the roles of Load Balancer and Data Collector, collecting data from Windows targets and SQL targets.

Similarly, Site B has a CCS Manager with the role of Data Collector collecting data from Windows targets in two domains ABC.com and PQR.com, and collecting data from UNIX targets using the CCS agents, and also collecting data from Oracle targets.

For detailed information and procedures for installing the CCS components, see the Symantec Control Compliance Suite Planning and Deployment Guide.

How do I upgrade to CCS 11.0?

The upgrade to the latest release version of the Control Compliance Suite (CCS) lets you access the new and updated features and functionality of the product. If you are using RMS or ESM to collect asset data, you can upgrade to CCS to benefit from new and improved data collection features offered by CCS 11.0. CCS 11.0 introduces the CCS Manager and CCS Agents for data collection. This not only reduces the number of components previously required for performing data collection, but also lets you deploy a system that is more cohesive and tightly integrated than having a separate set of products perform the data collection and evaluate the data.

CCS 11.0 supports direct upgrade from CCS 10.0 and CCS 10.5.1.

For upgrading ESM deployments, CCS 11.0 supports direct upgrade from ESM 6.5.3 Service Pack 2, ESM 9.0, ESM 9.0.1 and ESM 10.0. Upgrade the ESM Console to ESM Console 11.0. ESM console is required to initiate policy runs for message based data collection.

While upgrading from a version earlier than CCS 10.5.1, before you begin with the upgrade process, verify that the data migration of the previous CCS installation is complete. Symantec recommends that you complete the data migration of the previous CCS installation and then begin with the upgrade process followed by data migration again.

After you upgrade the CCS components, you must migrate the databases to the latest database schema.

The following table gives the various upgrade paths that are supported.

Table 1-5 Supported upgrade paths

Supported upgrade path: CCS 9.0.1 to CCS 11.0

Description: Use the following sequence to upgrade:

1 Upgrade CCS 9.0.1 to CCS 10.0.

OR

CCS 9.0.1 to CCS 10.5. Then CCS 10.5 to CCS 10.5.1.

2 Upgrade CCS 10.0 / CCS 10.5.1 to CCS 11.0.

If you are upgrading from CCS 10.0 to 11.0, ensure that data migration till 10.0 is already complete before you upgrade 10.0 to 11.0. You must perform data migration again after upgrading to 11.0.

Data migration is not required if you are upgrading from CCS 10.5.1 to CCS 11.0.

Supported upgrade path: CCS 10.0 to CCS 11.0

Description: Upgrade CCS 10.0 to CCS 11.0.

Ensure that data migration till 10.0 is already complete before you upgrade 10.0 to 11.0. You must perform data migration again after upgrading to 11.0.

Supported upgrade path: CCS 10.5 to CCS 11.0

Description: Use the following sequence to upgrade:

1 Upgrade CCS 10.5 to CCS 10.5.1.

2 Upgrade CCS 10.5.1 to CCS 11.0.

Data migration is not required if you are upgrading from CCS 10.5.1 to CCS 11.0.

Supported upgrade path: CCS 10.5.1 to CCS 11.0

Description: Upgrade CCS 10.5.1 to CCS 11.0.

Data migration is not required if you are upgrading from CCS 10.5.1 to CCS 11.0.

Supported upgrade path: ESM 6.5.3 to CCS 11.0

Description: Upgrade ESM 6.5.3 to CCS 11.0.

Note: CCS 11.0 supports upgrading ESM Agent 6.5.3 SP2 or later to CCS Agent and ESM Manager 9.0 or later to CCS Manager.

Supported upgrade path: ESM 9.0 to CCS 11.0

Description: Upgrade ESM 9.0 to CCS 11.0.

Supported upgrade path: ESM 9.0.1 to CCS 11.0

Description: Upgrade ESM 9.0.1 to CCS 11.0.

Supported upgrade path: ESM 10.0 to CCS 11.0

Description: Upgrade ESM 10.0 to CCS 11.0.

Upgrading an RMS deployment

If you are using RMS to collect asset data, you can move your RMS-only deployment to CCS 11.0. In that case, you will have to install CCS Suite and then upgrade the BV-Control for UNIX agents to CCS Agents.

If your existing deployment contains a CCS installation, you can upgrade the following CCS components:

■ Upgrade CCS Application Server and CCS Directory Server.

■ Upgrade Data Processing Service to CCS Manager.

You can replace the following RMS components in your deployment:

■ Replace the BV-Control for UNIX Agents with the CCS Agents: In your existing deployment, if you are collecting data from UNIX computers using the BV-Control for UNIX Agents, you can replace those agents with the CCS Agents. It is recommended that until you complete the upgrade and perform data collection from the new deployment for the first time, you should maintain a co-existence of the BV-Control for UNIX Agents and the CCS Agents. Later, once you are sure that you are able to collect data from the new CCS Agents, you can remove the BV-Control for UNIX Agents from the target computers, and perform a remote upgrade of the remaining BV-Control for UNIX Agents through the CCS Console.

■ Replace the RMS Information Server with the CCS Manager: You can replace the RMS Information Server with the CCS Manager for performing data collection. The new CCS Manager has built-in capabilities for performing both agent-less and agent-based data collection. As such the CCS Manager also supports message based data collection.

■ Replace the Windows Query Engines with CCS Manager: In your existing deployment, if you are collecting data from Windows computers, you may have Query Engines performing data collection. You can replace 4 such Query Engines with 1 CCS Manager. If your existing domains contain fewer Query Engines, and you need to place a CCS Manager for Query Engines from multiple domains, then ensure that there is a domain trust relationship between the domains that host the CCS Manager and the Query Engines.

It is recommended that until you complete the upgrade and perform data collection from the new deployment for the first time, you should maintain a co-existence of the existing components with the new components of CCS 11.0. Later, once you are sure that you are able to collect data from the new components, you can remove the existing components.

Let us assume that your existing deployment is as displayed in the following diagram:

Figure 1-3 Example of existing CCS + RMS deployment

Site A has the CCS Reporting and Analytics components: CCS Application Server, CCS Directory Server, CCS Consoles and the databases. Site A also has a Data Processing Service (DPS) with the roles of Load Balancer and Data Collector, with an RMS information server collecting data from Windows targets using Query Engines, and also collecting data from SQL targets.

Similarly, Site B has a DPS with the role of Data Collector and an RMS information server collecting data from Windows targets in two domains ABC.com and PQR.com, and collecting data from UNIX targets using the BV-Control for UNIX agents, and also collecting data from Oracle targets.

Refer to the following diagram to upgrade the existing deployment to CCS 11.0:


Figure 1-4 Example of upgraded deployment to CCS 11.0

In Site A, you can upgrade the CCS Reporting and Analytics components: CCS Application Server and CCS Directory Server to CCS 11.0. Upgrading the core components also upgrades the CCS Consoles. You can upgrade the DPS to CCS Manager with the roles of Load Balancer and Data Collector. As the CCS Manager performs all the roles of the Data Processing Service and also provides built-in support to collect data directly from agent-less and agent-based target computers, the RMS Information Server, Enterprise Configuration Service (ECS) and the Master Query Engine (MQE) components are no longer required. You can configure the CCS Manager to collect data directly from the Windows and SQL targets.

In Site B, you can upgrade the DPS to CCS Manager with the role of Data Collector. The CCS Manager can collect data directly from the target computer. As displayed in the diagram, if the CCS Manager is in the domain ABC.com, ensure that there is a domain trust relationship between domains ABC.com and PQR.com, for the CCS Manager to collect data from targets in the domain PQR.com. Upgrade the BV-Control for UNIX agents to CCS Agents and configure the CCS Manager to collect data directly from the Windows, UNIX and Oracle targets.

Upgrading an ESM deployment

If you are using ESM to collect asset data, you can move your ESM-only deployment to CCS 11.0. In that case, you must install CCS Suite and then upgrade the ESM components.

You can upgrade the following ESM components while moving from an ESM only deployment to CCS 11.0:

■ Upgrade ESM Managers to CCS Managers
Upgrade the ESM utilities installed on the ESM Managers after upgrading the ESM Managers to CCS Managers.

■ Upgrade ESM Agents to CCS Agents

■ Upgrade ESM Console to ESM Console 11.0

■ If you are using ESM Manager for UNIX, upgrade to ESM Manager 11.0 for UNIX.

If your existing deployment contains a CCS installation, you can upgrade the following CCS components:

■ Upgrade CCS Application Server and CCS Directory Server.

■ Upgrade Data Processing Service to CCS Manager.

Let us assume that your existing deployment is as displayed in the following diagram:

Figure 1-5 Example of existing CCS + ESM deployment

Site A has the CCS Reporting and Analytics components: CCS Application Server, CCS Directory Server, CCS Consoles and the databases. Site A also has a Data Processing Service (DPS) with the roles of Load Balance and Data Collector, and an ESM Manager with ESM Console, RDMS and ESM Agents collecting data on target computers.

Similarly, Site B has a DPS with the role of Data Collector and an ESM Manager on UNIX with ESM Console and ESM Agents collecting data on target computers.

Refer to the following diagram to upgrade the existing deployment to CCS 11.0:

Figure 1-6 Example of upgraded deployment to CCS 11.0

In Site A, you can upgrade the CCS Reporting and Analytics components: CCS Application Server and CCS Directory Server to CCS 11.0. Upgrading the core components also upgrades the CCS Consoles. You can upgrade the DPS to CCS Manager with the roles of Load Balance and Data Collector. You can upgrade the ESM Manager to CCS Manager, ESM Console to ESM Console 11.0 and ESM Agents to CCS Agents.

In Site B, you can upgrade the DPS to CCS Manager with the role of Data Collector. You can also upgrade the ESM Manager for UNIX to ESM Manager 11.0 for UNIX, ESM Console to ESM Console 11.0 and ESM Agents to CCS Agents.

For reporting purposes, if you are using an RDBMS, and RDLs to connect to this database from ESM Managers, you can continue to use the RDBMS and RDLs after you upgrade to CCS Managers. You can also use the reporting and dashboard capabilities of CCS 11.0.

For detailed information and procedures for upgrading the CCS components, see the Symantec Control Compliance Suite Planning and Deployment Guide.

What configurations are required for collecting data from my network?

In Control Compliance Suite 11.0, you can perform raw data based and message based data collection on various platforms using CCS Manager. Before actually performing the data collection, you must configure the CCS Managers and CCS Agents to collect data.

The following table lists the supported platforms for raw-data and message based data.

Table 1-6 Supported platforms for raw-data and message based data.

Platform    Raw data collection    Message based data collection
Windows     Yes                    Yes
UNIX        Yes                    Yes
SQL         Yes                    Yes
Oracle      Yes                    Yes
Exchange    Yes                    No
VMware      Yes                    Yes
NDS         Upgrade only           Upgrade only
NetWare     Upgrade only           Upgrade only
Sybase      No                     Yes
DB2         No                     Yes

Note: CCS 11.0 supports NDS and NetWare data collectors only in case you are upgrading from a previous release of CCS and the CCS deployment was configured to collect data from NDS or NetWare platforms.

You must perform the following configurations before you can actually collect asset data from your network.

■ Configure CCS Manager and CCS Agents for data collection:

The CCS Manager contains data collectors for collecting data from the above mentioned platforms. You must configure each of the required data collectors to perform data collection on the desired platforms.

For agent-less data collection, configure the CCS Manager to collect data using CSV files, ODBC-compliant database, or Directory Server. A CSV data collector is configured to collect data from the CSV files. An ODBC data collector is defined and configured to collect data from the ODBC-compliant databases. A Directory Server is defined and configured for data collection.

For agent-based data collection, enable the CCS Manager for collecting message based data and then install and configure the application modules and security content on CCS Agents. You must then import the security content from the CCS Agents to the CCS Manager. For information on the supported databases for agent-based data collection and on installing and configuring the application modules, refer to the respective platform specific application module documentation or see the Symantec Control Compliance Suite Planning and Deployment Guide.

For raw data collection on VMware or Exchange platforms, you must install the RMS Information Server and then configure the CCS Manager with the information server connection details. For information on installing and configuring RMS Information Server, see the Symantec Control Compliance Suite Installation Guide version 10.5.1.

For message based data collection on DB2, Sybase or VMware platforms, install the ESM Console to create policies on such platforms. You must then map the ESM policies to CCS standards using the ESM Policy to CCS Standard Migration Utility. For information on installing the ESM Console, see the Symantec Enterprise Security Manager Installation Guide.

■ Configure credentials:
Control Compliance Suite lets you manage credentials for agent-less and agent-based targets at a central location. The credentials can be used either for assets or to centrally store user name and password for Windows, UNIX, SQL, Oracle users and use them in platform configuration.

For agent-less data collection, configure common platform and folder credentials.

For agent-based data collection, add common platform and folder credentials, and set the appropriate agent configuration parameters in the agent.conf file.

■ Configure routing rules:
Routing rules let you define a particular site or a CCS Manager to perform the tasks that are related to your assets or your agents.

A few asset-based tasks that you can manage with routing rules are as follows:

■ Data collection

■ Queries

■ SCAP

A few agent-based tasks that you can manage with routing rules are as follows:

■ Agent content update

■ Agent settings

■ Agent ping

You can use routing rules to route CCS jobs based on your network environment or for achieving better load balancing.

You can configure routing rules for assets based on IP range, Subnet, Expressions or Asset groups.

For detailed information on configuring CCS Manager data collectors, credentials and routing rules, see the Symantec Control Compliance Suite 11.0 User Guide.

How do I use CCS to manage the IT assets?

You can use the Asset Management module of CCS for managing your IT assets. In Control Compliance Suite, an asset is defined as a managed object in the system that has value, has an owner, has controlled access, and can have authority. To define the known assets that need protection is the first step in the IT process governance. The primary goal of the asset management system is to present a consolidated view of the assets that are present in the organization. The asset system lets you manage the assets in the organization. The system also lets you exchange the context-specific information about the assets so that you can look at your organization from different perspectives. You can use the asset system to manage and monitor the assets that are valuable to your organization.

Using Asset Management you can:

■ Import the primary assets for the first time with the predefined reconciliation rules.

■ Create reconciliation rules for further asset imports.

■ Apply tags to the assets.

■ Create asset groups.

■ Import the secondary assets.

For information on managing the IT assets, see the Symantec Control Compliance Suite 11.0 User Guide.

How do I use CCS for assessing technical controls?

You can use the Standards Manager module of CCS for assessing technical controls. The Standards management module in CCS automates the assessment of technical controls and security standards and helps you to evaluate the security posture and compliance status of your enterprise network.

Using the Standards Manager you can:

■ Assess the security compliance of the assets against a set of standards.

■ Use pre-defined standards or create custom standards to evaluate your assets.

■ Import your own data from the existing data collection solution to use the CCS Standards Manager.

Standards provide the means for assessing the compliance of an asset. In Control Compliance Suite, a standard is a hierarchical organizational structure of sections and checks. Control Compliance Suite makes available a set of predefined standards that are installed along with the product. These standards are mostly derived from some published guidelines by established organizations such as CIS or NSA. You can also create new standards that are based on your specific requirements.

For information on using the Standards Manager for assessing technical controls, see the Symantec Control Compliance Suite 11.0 User Guide.

How can I use CCS to plan for internal and external audits?

You can use the Policy Manager module of CCS for planning for internal and external audits. The Policy management module of CCS simplifies the process of complying with multiple mandates to improve the security and compliance posture of your environment. The module provides pre-shipped policy content mapped to technical and procedural controls. Policy updates are done on changes to regulations and frameworks.

Using the Policy Manager you can:

■ Manage, publish, and track your policies across the organization.

■ Manage and publish policies with more than 150 customizable sample policies and templates.

■ Map policies to technical and procedural controls that let you measure a given control and use the results across multiple mandates.

■ Collect evidence of due care of policy compliance.

■ Import your own data from the existing data collection solution to use the CCS Policy Manager.

Policies are mapped to the control statements that in turn are mapped to regulations and frameworks. Mapping helps you to see the existing gaps in the current policies of your organization. These gaps can exist between your current policies and the mandates with which your organization must comply. Mapping also helps you to meet the requirements of the mandates with which the organization must comply.

For information on using the Policy Manager to plan for internal and external audits, see the Symantec Control Compliance Suite 11.0 User Guide.

How can I use CCS to assess IT risk?

You can use the Risk Manager module of CCS to assess IT risk of your organization. The Risk management module of CCS allows you to create a view of IT risks related to key business processes, groups, or functions. The module lets you define business related risk objectives, group together the associated assets, and report your performance against the risk thresholds. Business stakeholders can make informed decisions based on a business criticality instead of a technical severity.

Using the Risk Manager you can:

■ Transform IT risk into business-relevant risk metrics that can be shared with key stakeholders to drive awareness, accountability, and action.

■ Visualize current risk exposure and analyze historical trends to illustrate how your IT risk and compliance program systematically reduces risks to the business over time.

■ Prioritize remediation efforts based on business risk rather than technical severity.

■ Work with key business stakeholders to make consistent plans for better security practices within their business and monitor progress against these plans on an ongoing basis.

Risk management involves four major areas that are risk modeling, risk assessment, risk monitoring, and risk action.

For information on using the Risk Manager to assess IT risk, see the Symantec Control Compliance Suite 11.0 User Guide.

How can I use CCS to evaluate exposure to external threats, and assess procedural and data controls?

You can use the External Data Integration module of CCS to evaluate exposure to external threats, and assess procedural and data controls. External data integration lets you seamlessly assimilate data from an external application to Control Compliance Suite (CCS). The external data is represented as a data schema in CCS.

Using the External Data Integration you can:

■ Assess the Policy Compliance:
Use the imported data to correlate with the CCS assets. You can then gauge the compliance over the assets based on policies, mandates, and regulations.

■ Contribute to CCS Asset Risk Score:
Use the imported data to contribute to the CCS asset risk score. A risk score is used to quantify the risk that is associated with an asset in your organization.

■ View Dynamic Dashboards and Reports:
Import external data and view the data using CCS dashboards without correlating the external data to CCS assets.
Import external data and view the data using CCS dashboards in correlation with the CCS assets. By means of correlation, you basically establish an association between the imported data schema and the existing CCS assets. CCS provides you with the capability to define new schema, which you can map to a CCS schema by matching attributes.

You can import external data by using any of the following preconfigured data systems:

■ Symantec CCS Vulnerability Manager

■ Symantec Data Loss Prevention

■ Symantec Response Assessment Module

You can also integrate with any third-party application and use the following data connectors to import the required data:

■ ODBC data connector
The ODBC connector lets you import data from an external system that stores data in the databases that support ODBC drivers.

■ CSV data connector
The CSV connector lets you import data from an external system that stores data in .csv files.

■ Web Services connector

The Web Services connector lets you import data from an external system that stores data in .xml files and can export the data by using APIs.

For information on importing external data and using the data to evaluate exposure to external threats, and assess procedural and data controls, see the Symantec Control Compliance Suite 11.0 User Guide.

How do I collect and monitor data in CCS?

You can use the Jobs module in CCS to perform queries to collect data from your network, and use various predefined reports and dynamic dashboards to present a snapshot of the compliance posture of your system. Various components of Control Compliance Suite (CCS) perform a set of operations sequentially. A job is a specified set of such operations. It is a query with a scope. For example, a query with a scope in the form of assets in a particular domain is called a job. A job is uniquely defined.

There are two types of jobs in CCS:

■ System jobs:
The jobs that CCS automatically creates. These jobs perform certain predefined functions.

■ User-defined jobs:
The jobs that users create.

Organizations collect vast amounts of information in the course of completing business transactions. Management studies the data to make decisions. The Reporting feature gives you timely information that you need to make informed decisions about the organization.

Control Compliance Suite (CCS) provides a rich set of presentation-level reports. A report lets you collect and present the data in a format that conforms to the organizational needs. A report is a business document that contains a predefined, organized collection of data. A report can be viewed, printed, or analyzed. You can create and customize reports from the Reporting view. You can schedule the report generation or dashboard update jobs from the Jobs view. You can schedule reports and dashboard jobs to run at a specified time. If the report supports the feature, you can export a report in several formats.

Dashboards that are created in the Web Console are real-time, visual representations of selected key elements for an organization. A dynamic dashboard is a business tool that displays key performance indicators (KPI), business trends, and other relevant information to management and employees. The panels in a dashboard use 2D and 3D charts to provide high level and relevant information at a glance.

CCS provides the following types of dashboards:

■ Tiered:
A dashboard that is based on hierarchical dashboards with the sections and the nodes that logically represent your organization in different ways.

■ Web-based:
A dashboard that is based on selected key elements of an organization and can be adapted for each viewer.

For information on collecting data using Jobs and monitoring data through reports and dashboards, see the Symantec Control Compliance Suite 11.0 User Guide.

Where can I find more information about CCS?

CCS provides a rich set of documents that cover end to end deployment and usage scenarios.

For detailed information about all aspects of deploying and using CCS, refer to the following documents:

■ CCS Planning and Deployment Guide:
This document contains detailed information on how to plan and deploy CCS in your environment. The document contains information about the hardware requirements, software requirements, performance and scalability, various data collection methods including data collection from assets located on the cloud, integrating CCS with other Symantec products, upgrading CCS from previous releases and moving to CCS from RMS-only or ESM-only deployments.

■ CCS User Guide:
This document contains detailed information about the various features and modules of CCS and how to use the modules to achieve your objectives. The document contains information on how to configure CCS for data collection, manage CCS users for role based access, import assets from your network, collect data using jobs, evaluate the data using standards and view evaluated data through reports and dashboards.

■ Release Notes:
This document contains information about the new features introduced in CCS 11.0. The document contains information about any installation or other issues that users should know before they install the Control Compliance Suite.
