COMPANY
ABOUT CFENGINE
WHAT IS CFENGINE?
PEOPLE
PARTNERS
USER REFERENCES
CONTACT US
HISTORY OF CFENGINE
ABHORING PATENTS
JOB OPPORTUNITIES
PRODUCTS
CFENGINE NOVA
ORION CLOUD PACK
DEMO VIDEOS
CFENGINE COMMUNITY
LICENSE OFFERS
LICENSE FOR CONSULTANTS
FAQ
SUPPORT
REGISTER A TICKET
SUPPORT SERVICES
TRAINING
CONSULTANCY
THE ENGINE ROOM
VISION
EXAMPLES
USE CASES
GREEN IT
>COMPLIANCE
SERVER LIFE-CYCLE
WHITE PAPERS
NEWSROOM
CFENGINE NEWS
CFENGINE IN THE MEDIA
PRESS RELEASES
CFTIMES
RSS FEEDS


Some Cfengine Users

CFENGINE NOVA AND ISO-27K

Need software to automate?

Cfengine can automate several of the controls suggested by the standard. Even though most of the work on your way to ISO-27001 certification involves human dependent processes and actions, much can be automated and verified using a software like Cfengine.

This page gives you some ideas on areas in which you can expect Cfengine to help automate your ISO-requirements.

The illustration below shows an outline of the standards and the main areas touched upon in the audit. The yellow and green boxes indicate areas where Cfengine can help you automate some or several of the technical controls and checkpoints as part of your ISO-certification.

Desired end-state applications, databases, computer-processes, Firewalls, DMZ, etc.

ISO27k implementers often suggest a baseline of technical security standards. Cfengine turns this idea on its head, and focuses on the desired-end state instead. A baseline only brings value to the moment it is implemented. As soon as unexpected changes occur, you are out of compliance. Cfengine ensures that the end-state of your system is always in compliance with your policies. ISO27K includes suggestions for baselines and standards laying out the minimum acceptable levels of security by defining configurations or parameters for various technical platforms.

Below is a list of items ISO27K suggest to include in the baselines, and that Cfengine can help you automate by ensuring a desired end-state (automation).

  • Application servers
  • Databases (e.g. Oracle, DB2, Sybase, Access ...)
  • DMZ (Internet-exposed systems and devices installed in the De-Militarized Zone)
  • Firewalls, routers, switches and other network devices (software)
  • Mainframes and minicomputers
  • Operating systems (e.g. Windows XP, Windows 2003, Windows CE, various UNIX, MVS etc.)
  • Third party systems used or installed on-site, and/or connected remotely via the networks

ISO 27002 contains a comprehensive set of 39 key control areas for information security, with a whole lot of "best practice" security controls including registers, policies, procedures and baselines (from IsecT Ltd). The tables below indicate areas where Cfengine can help you out.

ISMS Registers What Cfengine can do
Backup and Archive Register (details of tapes/disks, dates, types of backup, scope of backup - possibly automated) Cfengine can automate your backup procedures and combining the logs with Knowledge Map, you will have full access of every run and output
Information Asset Inventory/Register/Database As of Constellation, Cfengine comes with a fully-fledged CMDB, that keeps track of all your assets
Information Security Risk Register Have Cfengine manage all your security tests, and you will be able to access all the logs and outputs in the knowledge map
Privilege/Administrator Access and Authorization List (details and authorizations for privileged user IDs and access to various 'control bypass' functions) Using Cfengine's built-in ACLs (Windows, Linux, Solaris), you can easily get lists of all users and their privileges and access rights
Software License Register (supplier, type of license, license conditions/restrictions, owner/manager of vendor relationship) Use Knowledge Map to enter license- and any other meta information about your Software. Cfengine will automatically create lists of active applications and services running on all your machines
System Patch and Antivirus Status Register (likely to be largely automated) You can easily use Cfengine to deploy patches and updates throughout your organization

ISMS Information Security Policies What Cfengine can do
Access Control Policy Cfengine comes with build-in Access Control List features on Windows, Linux and Solaris. Apply your policies, and have Cfengine ensure they are always in compliance
Password Policy Cfengine can automate your organization's password policy, creating reports and ensuring password changes and strengths (server-side)
System/data Backup and Recovery Policy Automate the backup and recovery process using Cfengine. Cfengine can do conditional operations based on outputs from third party programs
System Usage Monitoring Policy Cfengine knowledge map comes with many out-of-the-box reports. Trend-reports and alarms can easily be created. Compliance-reports are only a few clicks away

Information Security-related Procedures and Guidelines What Cfengine can do
Security Incident Reporting Procedure Cfengine can create logs, alarms and reports in case of security breaches defined in the policies. However, Cfengine best-practice is to have Cfengine fix the incident automatically and not disturb the operators/sys.admins
Security Patching and Technical Vulnerability Management Procedure See Cfengine deployment capabilities above
System Hardening Procedures/System Security Testing Procedure Have Cfengine manage all your hardening scripts and execute and (if desired report) on the outputs

Want to learn more? Need advise? Click here.