Assuria Cyber Security solutions 

Assuria Auditor

Assuria Auditor measures, manages, and enforces security policies across a wide range of operating systems using a host-to-network view of critical systems and servers. Assuria Auditor's methodology simplifies the creation of system security baselines for users, groups, shares, services, and critical system files, and easily fits in with existing business processes.

Fully scalable for enterprise installations, Assuria Auditor manages large sensor populations and comes with a Web interface for distributed security management. Assuria Auditor issues reports designed for both technical and managerial audiences that identify areas of concern, the consequences of a security breach, and the remedy for each out-of-policy, mis-configuration, or vulnerability.



Assuria Auditor Reporting Compliance

Assuria Auditor measures and manages server security policies and configurations using a host-to-network view of critical systems and servers, assessing host security, detecting and reporting system security weaknesses, recommending corrections and alerting administrators to unauthorised changes to configurations and critical system and application components.

Organisations of all sizes and in both the public and private sector are increasingly required to be in compliance with a number of legislative and industry regulations and standards. Compliance with these regulations should be seen as part of the Information Security Management System (ISMS) or process.

The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. PCI DSS is intended to help organisations proactively protect customer credit card data.

Most organisations subject to such regulations use controls from standards such as ISO 27001, together with guidelines, to achieve compliance.

ISO 27001 is the formal standard against which organisations may seek independent certification of their Information Security Management Systems. An ISMS is a framework to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organisation.

Local Authorities in the UK that comply, or are in the process of complying, with 27001 will be addressing a significant number of the Government Connect CoCo controls. The CoCo and 27001 complement one another.

Assuria Auditor is a software tool that supports the controls within an ISMS. A key issue with compliance is planning and measuring acceptable levels of compliance.

With its unique mapping of checks to controls, control objectives and regulations, Assuria Auditor delivers a powerful tool to help achieve compliance with appropriate and applicable standards.


Assuria Auditor Key Features

Assuria Auditor now features regulatory and standards compliance reporting. The Assuria Auditor Console database has been updated to include, where appropriate, the mapping of each of Assuria Auditor’s 2500 checks to a reference within the standard.

Currently available standards are ISO 27001, PCI, SOX, CVE and BID. ISO 17799 will be available soon. Further standards, such as FISMA and HIPAA, are planned.

  • Policy Compliance – Assuria Auditor can be tailored to your requirements, allowing you to adjust checks and policies to match the specific requirements of your security configuration policy, thus ensuring systems are compliant.
  • Change Detection – Assuria Auditor allows you to create a systems baseline and monitor the system for any changes to that baseline.
  • Distributed Management – Enables distributed operational access to the Assuria Auditor Console from anywhere on an enterprise network.
  • Fully Scalable – Assuria Auditor gives you the option to manage large populations of agents from a single Assuria Auditor Console.
  • Powerful, Flexible Reporting – Standard reports, designed for both technical and managerial audiences, identify areas of concern, the consequences of a security breach and the remedy for each out-of-policy mis-configuration or vulnerability.
  • Comprehensive Database – The Assuria Auditor Console database contains information on scans and the vulnerabilities found; this information is available to a number of SIM products.
  • Auto Update – Regular security content updates ensure that hosts are protected from even the most recent vulnerabilities and exploits.
  • Customisable Checks – Although Assuria supplies a large number of checks for vulnerabilities, mis-configurations and other conditions, additional custom checks can easily be added via the Tcl scripting language.
  • Assuria Auditor VISTA – The web browser option for users who require distributed operational management access to the Assuria Auditor Console(s).

Assuria Auditor CVSS reporting

Assuria Auditor adds CVSS reporting and score manipulation features to the Assuria Auditor Console.

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of 3 groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual representation that reflects the values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to any user's environment.

CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit by adopting this common language of scoring IT vulnerabilities.


Assuria Auditor and Log Manager Service

Assuria also offers an onsite service, known as the IT Security Standard Compliance Assessment Service (ITSec CSS), which helps identify how companies may be falling short of various compliance standards.

The ITSec CSS utilises the Auditor and Log Manager products and will provide the following deliverables:-

  • A management summary report indicating the current level of compliance to the required standard of the target systems;
  • A detailed report for each system showing each area of non-compliance, the implications of the non-compliance and a clear English language description of how to correct them;
  • The report will also highlight general areas of poor security practice and known vulnerabilities discovered;
  • A senior management presentation on the outcome of the service and suggested next steps.


Compliance Standards

Castleforce can help you reach PCI DSS

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Castleforce can help you reach GCSx CoCo

GCSx No 4: Configuration

GCSx No 5: Compliance Checking

GCSx No 13: Protective Monitoring

Castleforce can help you reach ISO27001 

A.10.10 Monitoring


Supported Platforms

  • Microsoft Windows 2000
  • Microsoft Windows 2003 Server including SP1, SP2 and X64
  • Microsoft Windows 2003 Server R2
  • Microsoft Windows 2008 Server
  • Microsoft Windows XP - Windows 2000 compatibility mode
  • SUN Solaris 8, 9, 10 (SPARC)
  • SUN Solaris 10 on INTEL X86/X64 - BETA
  • IBM AIX 5L 5.1, 5.2, 5.3
  • HP HP-UX 11i V1, 11i Version 2 and Version 3 (PA-RISC)
  • HP-UX 11i V2 and HP-UX 11i V3 on 64bit INTEL Itanium (IA64)
  • Red Hat Enterprise Linux 3, 4 and 5 - 32 and 64 bit systems (X64)
  • Red Hat Linux 7, 8, 9
  • SuSE Enterprise LINUX 9, 10 on x86
  • SuSE Enterprise LINUX 10 on IBM z System

Concerned about the Insider Threat?

Does your security infrastructure include an ‘early warning’ system that monitors mission critical business servers for suspicious or undesirable insider activity that could allow corporate or customer information to be compromised?

  • Can you be sure that your corporate Information Security Policies and relevant external standards are being properly adhered to?
  • Are the people running your core business systems properly implementing built-in security features and are they following industry accepted ‘good security practice’?
  • Is there an effective ‘check and balance’ in place such that there is a clear separation of duties between those managing your IT infrastructure and those monitoring its health and integrity?
  • Are you confident that all system activity that could have a bearing on your organisation’s Information Integrity is being logged and safely stored, in case of security incidents?

If you cannot realistically answer yes to these questions on basic security good practice, or you have concerns around the points made here, then your organisation could be at risk from the growing problem of cybercrime in the 21st century.

The issues highlighted here can be quickly resolved with surprisingly little cost through use of Assuria’s industry leading information risk management solutions and services.