it compliance management library - deployment guide

8/8/2019 IT Compliance Management Library - Deployment Guide

http://slidepdf.com/reader/full/it-compliance-management-library-deployment-guide 1/13

IT Compliance Management

Library Deployment Guide

Published: September 2010

For the latest information, please see

microsoft.com/technet/SolutionAccelerators



microsoft.com/solutionaccelerators

Copyright © 2010 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is

your responsibility. By using or providing feedback on this documentation, you agree to the license agreement

below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or

organization, then this documentation is licensed to you under the Creative Commons Attribution-

NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or

send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".

Your use of the documentation cannot be understood as substituting for customized service and information

that might be developed by Microsoft Corporation for a particular user based upon that user¶s particular

environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS

ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY

DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering

subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use

of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change

without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-

mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft

Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective

owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to

the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft,

without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You

also give to third parties, without charge, any patent rights needed for their products, technologies and

services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback.

You will not give Feedback that is subject to a license that requires Microsoft to license its software or

documentation to third parties because we include your Feedback in them.

The IT Compliance Management Library (the ³software´) is intended to help organizations simplify and

automate IT compliance and risk management processes. The software is designed to facilitate compliance

activities conducted by your organization¶s IT professionals, auditors, accountants, attorneys and other

compliance professionals; it does not replace those professionals. The software ships with some control

activities and associated product setting values, but these control activities and settings do not verify or

guarantee fulfillment of your organization¶s compliance obligations. It is the responsibility of your organization

to determine the controls and settings to use, modify, add and remove based on guidance from your

organization¶s compliance professionals. Reports and any other information provided by or generated from the

software do not constitute auditing, accounting, legal or other professional advice. You must consult

compliance professionals to confirm compliance with specific governance, risk and compliance authority

documents.




ContentsUsing this Guide ....................................................................................... 1

Style Conventions ................................................................................ 1

Task 1: Configure System Center Service Manager ......................................... 2

Step 1.1: Verify the IT Compliance Management Library ManagementPack Prerequisites................................................................................ 2

Step 1.2: Import the IT Compliance Management Library ManagementPack .................................................................................................. 2

Task 2: Configure System Center Configuration Manager ................................. 3

Step 2.1: Verify the IT Compliance Management Library ConfigurationPack Prerequisites................................................................................ 3

Step 2.2: Import the IT Compliance Management Library ConfigurationPack .................................................................................................. 4

Step 2.3: Create Computer Collections .................................................... 5

Step 2.4: Assign the Compliance Baseline to a Computer Collection ............. 6

Step 2.5: Verify the Compliance Data Has Been Collected ........................... 7

Providing Feedback .............................................................................. 9 More Information ...................................................................................... 9

Field C

Field C

Field C

Field C

Field C

Field C

Field C

Field C

Field C

Field C

Field C

Field C

Field C




Using this GuideThis guide describes how to install and configurean IT Compliance Management Libraryfor the IT GRC Process Management Pack for Microsoft®System Center ServiceManager 2010. Each IT Compliance Management Library is created for a unique product,

such as Windows® 7, Windows Server® 2008, or Windows Server 2008 R2. An IT Compliance Management Library can contain the following components:

y An IT Compliance Management Library Management Pack. This pack containsthe manual and automated control activities for a specific product that support controlobjectives in the IT GRC Process Management Pack. This Management Pack isimported into System Center Service Manager.

y An IT Compliance Management Library Configuration Pack. This pack containsthe configuration items for a specific product that correspond to the automatedcontrol activities in the IT Compliance Management Library Management Pack. ThisConfiguration Pack is imported into System Center Configuration Manager for use byDesired Configuration Management.

Note The specific filenames for the IT Compliance Management Library Management Pack andthe IT Compliance Management Library Configuration Pack are specified in the < product > IT

CML_ReleaseNotes.rtf file for this IT Compliance Management Library. Please consult the< product > IT CML_ReleaseNotes.rtf file for the specific filenames and further information about

this IT Compliance Management Library.

The IT Compliance Management Library is designed to work in conjunction with the IT GRC Process Management Pack for System Center Service Manage 2010 to helpautomate end-to-end compliance management. The IT Compliance Management LibraryConfiguration Packtakes advantage ofSystem Center Service Manager¶s integration withSystem Center Configuration Manager to help automate the monitoring, validating, andreportingofthe compliance state of specific products.

For more information about the IT GRC Process Management Pack for System Center Service Manage 2010, see the ³More Information´ section later in this guide.

S tyle ConventionsThis guidance uses the style conventions that are described in the following table.

Element Meaning

Bold font Signifies characters typed exactly as shown, including commands,switches, and file names. User interface elements also appear in bold.

Italic font Titles of books and other substantial publications appear in italic.

<Italic> Placeholders set in italic and angle brackets <Italic> representvariables.

Monospace

font

Defines code and script samples.

Note Alerts the reader to supplementary information.

Important Alerts the reader to essential supplementary information.



2 IT Compliance Management Library


Task 1: Configure System Center Service Manager Configure System Center Service Manager to perform IT GRC compliance managementusing the libraries in the IT Compliance Management Library Management Pack bycompleting the following steps:

1. Verify the IT Compliance Management Library Management Pack prerequisites aremet.

2. Import the IT Compliance Management Library Configuration Pack into SystemCenter Service Manager using the Service Manager Console.

Step 1.1: Verify the I T ComplianceManagement Libr ary Management P ackPrerequisitesPrior to importing anIT Compliance Management Library Management Pack, ensure thatSystem Center Service Manager 2010 and the IT GRC Process Management Pack aredeployed correctly as described in the following sections in the IT GRC ProcessManagement Pack Deployment Guide:

y ³Prepare the Prerequisite Infrastructure´

y ³Install the IT GRC Process Management Pack´

Also, ensure that a System Center Configuration Manager connector is created topopulate and synchronize the System Center Service Manager CMDB, and subsequentlythe IT GRC Process Management Pack, as described in ³Create a System Center Configuration Manager Connector to Populate and Synchronize the Service Manager CMDB´ in the IT GRC Process Management Pack Deployment Guide.

Note The Applicability Groups feature in the IT GRC Process Management Pack requires theoperating system version information for all configuration items in theSystem Center Service

Manager CMDB. The recommended method of populating this information is by using the SystemCenter Configuration Manager connector in System Center Service Manager.

S tep 1.2: Import the IT ComplianceManagement Library Management Pack

An IT Compliance Management Library Management Pack contains control activitytemplates that are intended to work with the control objective templates in the MicrosoftControl Pack, which you installed during the IT GRC Process Management Packinstallation process.

After you install the IT GRC Process Management Pack, you are ready to import IT Compliance Management Library Management Packs into System Center ServiceManager. You can import a Management Pack using the Import Management Pack taskin the Management Packs node in the Administration pane of the Service Manager console.

To import anIT Compliance Management Library Management Pack into SystemCenter Service Manager

1. Click Start, click All Programs, click Microsoft System Center , click ServiceManager 2010, and then click Service Manager Console.

The System Center Service Manager Console starts.

2. In the Service Manager Console, in the Navigation pane, click Administration.

3. In the Administration pane, click Management Packs.

4. In the Tasks pane, click Import Management Packs.



Deployment Guide 3


The Select Management Packs to Import dialog box displays.

5. In the Select Management Packs to Importdialog box, go to <target_folder >, click<management_pack_name>.mpb, and then click Open (where target_folder is thefolder where the IT Compliance Management Library Management Pack is extractedand management_pack_nameis the name of the management pack to be imported).

The Import Management Packs dialog box displays.

6. In the Import Management Packs dialog box, click Import.The progress bar for the import process displays. Allow some time for the importprocess to complete, and verify that the status message in the Management PackDetails text box indicates that the Management Pack imported successfully.

7. In the Import Management Packs dialog box, click OK.

The name of the imported IT Compliance Management Library Management Packdisplays in the list of Management Packs in the Results pane.

Task 2: Configure System Center Configur ation Manager

The IT Compliance Management Library Configuration Pack helps establish and managecompliance for specific products and technologies using the Desired ConfigurationManagement feature in System Center Configuration Manager. For more informationonthe DCM feature in System Center Configuration Manager, see the ³More Information´section later in this guide.

Note Not all IT Compliance Management Libraries have an IT Compliance Management LibraryConfiguration Pack. Please consult the < product > IT CML_ReleaseNotes.rtf file in this IT

Compliance Management Library to determine if there is a Configuration Pack. If there is noConfiguration Pack, you may skip Step 2.2 and all subordinate steps.

Configure System Center Configuration Manager to perform baseline compliance usingthe IT Compliance Management Library by completing the following steps:

1. Verify the IT Compliance Management Library Configuration Pack prerequisites aremet.

2. Import the IT Compliance Management Library Configuration Pack into SystemCenter Configuration Manager using the Configuration Manager Console.

3. If necessary, customize the IT Compliance Management Library Configuration Packusing the Configuration Manager Console.

4. Create computer collections for the IT GRC compliance programs you wish tomanage

5. Assign the baseline to a computer collection using the Configuration Manager Console.

6. Verify the appropriate IT GRCcompliance data has been collected by DCM clients.

S tep 2.1: Verify the IT Compliance

Management Library Configuration PackPrerequisitesPrior to importing an IT Compliance Management Library Configuration Pack, ensure thatthe following steps have been completed:

y The Desired Configuration Management (DCM) feature in System Center Configuration Manageris installed and configured correctly as described in DesiredConfiguration Management in Configuration Manager .





y System Center Service Manager and the IT GRC Process Management Pack aredeployed correctly as described in the following sections in the IT GRC ProcessManagement Pack Deployment Guide:

y ³Prepare the Prerequisite Infrastructure´

y ³Install the IT GRC Process Management Pack´

y A System Center Configuration Manager connector is created for compliance test

automation as described in ³Create a System Center Configuration Manager Connector for Compliance Test Automation´ section in the IT GRC ProcessManagement Pack Deployment Guide.

y The IT Compliance Management Library Management Pack is imported as describedin the Step 1.2: Import the IT Compliance Management Library Management Pack section in this guide.

S tep 2.2: Import the IT ComplianceManagement Library Configuration PackImport the IT Compliance Management LibraryConfiguration Pack in the ConfigurationItems node in the Configuration Manager Console using the Import Configuration DataWizard.

To import the IT Compliance Management Library Configuration Pack

1. Log on to the computer running System Center Configuration Manager with anaccount that has the following permissions:

y Member of the local Administrators group on the computer

y Administrator in System Center Configuration Manager

2. Click Start, click Programs, click Microsoft System Center , click ConfigurationManager 2007, and then click ConfigMgr Console.

3. In the navigation pane, go to System Center Configuration Manager | Site Database |Computer Management | Desired Configuration Management | ConfigurationBaselines.

4. In the actions pane, click Import Configuration Data.

The Import Configuration Data Wizard starts.

5. Complete the Import Configuration Data Wizard using the information in thefollowing table. Accept the default values that the wizard provides unless you need tootherwise specify them.

Table 2. Import Configuration Data Wizard Process

Wizard page name User action

Choose Files 1. Click Add.

The Open dialog box appears.

2. In the Open dialog box, go to the<configuration_pack_path>folder,click<configuration_pack_name>.cab, andthen click Open (where

configuration_pack_pathis the path to thefolder where the Configuration Pack islocated and configuration_pack_nameis thename of the Configuration Pack cab name).

The Microsoft Management Console ±Security Warning dialog box appears.

3. In the Microsoft Management Console ±Security Warning dialog box, click Run.

On the Choose Fileswizard page, the



Deployment Guide 5



configuration data appears in the list of baselines to import.

4. Click Next.

Summary 5. ClickNext.

Completing the ImportConfiguration Data Wizard

6. Click Close.

Note If you seean error message on the Confirmation page of the wizard, the baseline file iscorrupted and you must use another baseline Configuration Pack.

The new configuration items appear in the information pane of the Configuration Manager Console.

For more information about how to understand and resolve Desired ConfigurationManagement issues, see Troubleshooting Desired Configuration Management Issues.

S tep 2.3: Create Computer CollectionsComputer collections in System Center Configuration Manager provide a method of selecting the target computers that you want to assess. The IT CML Configuration Packsare designed to assess a specific technology. In order to use these configuration packs toevaluateIT GRC compliance,a separate collection must be created for each technology.

For example, if you are using the IT CML Configuration Packs for Windows® 7 andWindows Server® 2008, you would create one computer collection for all Windows® 7computers used in any of your IT GRC management programs and a second collectionfor all Windows Server® 2008 computers used in any of your IT GRC managementprograms.

Important Ensure that the membership of the computer collection you create for each

technology equals or exceeds the list ofall computers or business services that you specified inthe scopes for all the IT GRC management programs. In some instances the appropriate

computer collections will already exist in your System Center Configuration Managerenvironment. If the appropriate computer collections already exist, you may skip this task.

To create a computer collection in System Center Configuration Manager

1. ClickStart, click All Programs, click Microsoft System Center , click ConfigurationManager 2007, and then click ConfigMgr Console.

The Configuration Manager Console starts.

2. In the Configuration Manager Console, in the navigation pane, go to SiteDatabase | Computer Management | Collections.

3. In the actions pane, click New Collection.

The New Collection Wizard starts.

4. Complete the New CollectionWizard using the information in the following table andaccepting the default values unless otherwise specified.

Table 3.New Collection Wizard Process

Wizard page name User Action

General 1. In theName field, type <collection_name>, wherecollection_name is the name of the collection you wantto create.

Tip Usually this name refers to the operating system thatthe computers in the collection are running. In many

instances, this collection may already exist.





Wizard page name User Action

2. Click Next.

Membership Rules 3. Create a membership rule that specifies the computersthat you wish to include in the collection.

You can use the membership rule to select computers

based on criteria or based on complex SQL queries.For more information about creating membership rules,see the help topic "About Collection Membership" in theConfiguration Manager Documentation Library .

4. Click Schedule.

5. Complete the Custom Schedule dialog box to create aschedule for updating the collection membership, andthen click OK.

For more information about creating a custom schedulefor updating a collection, see the help topic "CustomSchedule Dialog Box" in the Configuration Manager Documentation Library .

6. Click Next.

Advertisements 7. Click Next.

Security 8. If necessary, modify the security for the collection.

For more information about customizing security for Configuration Manager 2007 objects, see the help topic"Properties ± Security Tab" in the ConfigurationManager Documentation Library .

9. Click Next.

Confirmation 10. Click Close.

Important Repeat this process for each computer collection that you need to create to assessthe IT GRC management programs in your organization.

S tep 2.4: Assign the Compliance Baseline to a Computer Collection

After creating or identifying the appropriate computer collections for the computers thatyou want to assess for compliance, you are ready to assign the configuration baselines tothe computer collections.

Important Do not proceed further if you have not created a new computer collection or

identified an existing computer collection for the computers and technology that you want toassess for compliance.

To assign the configuration baseline to a computer collection

1. Click Start, click All Programs, click Microsoft System Center , click ConfigurationManager 2007, and then click ConfigMgr Console.


2. In the Configuration Manager Console, in the navigation pane, go to Site Database| Computer Management | Desired Configuration Management | ConfigurationBaselines.

3. In the navigation pane, click <configuration_baseline>(whereconfiguration_baselineis the name of the configuration baseline that you want toassign to a computer collection).



Deployment Guide 7


The list of configuration items for the configuration baseline displays in theinformation pane of Configuration Manager.

4. In the actions pane, click Assign to a Collection.

The Assign Configuration Baseline Wizard starts.

5. Complete the Assign Configuration BaselineWizard using the information in thefollowing table and accepting the default values unless otherwise specified.

Table 4.Assign Configuration Baseline Wizard Process


Choose ConfigurationBaselines

1. Click Next.

Choose Collection 2. Click Browse.

The Browse Collection dialog box appears.

3. In the Browse Collection dialog box, click<com puter_collection>(wherecomputer_collection is the name of the computer collection that you created earlier in theprocess), and then click OK.

4. Click Next.

Set Schedule 5. Select the schedule that is appropriate for your organization.

6. Click Next.

Summary 7. Click Next.

Wizard Completed 8. Click Close.

Important Repeat this process for each computer collection that you want to assign to eachconfiguration baseline. At a minimum, assign each configuration baseline to at least onecomputer collection.

S tep 2.5: Verify the Compliance Data HasBeen CollectedBefore viewing the automated control activity results in System Center Service Manager,verify that the appropriate compliance data has been collected. After you assign aconfiguration baseline to a computer collection, the DCM client on each computer in thecollection automatically gathers the compliance information. Then the complianceinformation is stored in the System Center Configuration Manager database.

You can generate reports in System Center Configuration Manager that you can use tohelp ensure the appropriate data has been collected by the DCM clients. It is important toverify the appropriate compliance data has been collected in System Center Configuration Manager because it can help you validate the control activity results later inthe process.

To verify the compliance data has been collected

1. Click Start, click All Programs, click Microsoft System Center , click ConfigurationManager 2007, and then click ConfigMgr Console.


2. In the Configuration Manager Console, in the navigation pane, go to SiteDatabase | Computer Management | Reporting | Reports.

3. In the information pane, click the Category column.

This sorts the reports by name in the Category column.





4. In the information pane, click <com pliance_report >, where <compliance_report > isthe name of the report that you want to run.

Tip Scroll through the list of reports until you can view reports with the value Desired

Conf iguration Management ± Compliance in the Category column. These are thereports that are specific to DCM.

Some of the reports that can help you verify the compliance data include:

y

Compliance details for a configuration baseline.y Compliance details for a configuration baseline by configuration item.

y Compliance evaluation errors for a configuration baseline by configuration item.

5. In the actions pane, click Run.

The report displays. Review the information in the report you selected to verify that itincludes the appropriate computer collection data.

6. Close all open windows and dialog boxes.



Deployment Guide 9


Providing FeedbackPlease provide feedback by sending email to [email protected].

More Information

For more information about the IT Compliance Management Library, IT GRC ProcessManagement Pack, the IT Compliance Management Library Management Pack, the IT Compliance Management Library Configuration Pack, using the DCM feature, and theConfiguration Management Console in Configuration Manager, see the followingresources:

y < product > IT CML_Readme.rft file that accompanied this IT ComplianceManagement Library.

y IT GRC Process Management Pack Getting Started Guide, included with the IT GRCProcess Management Pack

y IT GRC Process Management Pack DeploymentGuide, included with the IT GRCProcess Management Pack

y IT GRC Process Management Pack Operations Guide, included with the IT GRCProcess Management Pack

y IT GRC Process Management Pack Developers Guide, included with the IT GRCProcess Management Pack

y IT Compliance Management forum

y Desired Configuration Management in Configuration Manager

y Microsoft Deployment: Preparing for Microsoft System Center Configuration Manager 2007

y System Center Configuration Manager 2007

y System Center Configuration Manager 2007 Administrators Companion: Chapter 9

y Security Risk Management Guide

y Understanding Collections on the Systems Management Server TechCenter

it compliance management library - deployment guide

Documents