Skip Headers
Oracle® Enterprise Manager Configuration Change Console User's Guide
10g Version 10.2.0.5 for Windows or UNIX

Part Number E15313-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

6 Policy Management

Policy Management relates to your Compliance Policy frameworks, policies, and controls. This is opposed to Operations Management as discussed in Chapter 5, "Operations Management" which relates to the configuration aspects of the Configuration Change Console that relate to your physical infrastructure and how it should be monitored.

Frameworks

The Framework screen displays policy frameworks available in the product. There are predefined frameworks that come with the product as templates and there are custom frameworks which are frameworks that you can create.

A Framework is simply a grouping used to contain policies. Frameworks are intended to mirror your compliance framework used in your organization. For instance, you may use the COBIT, COSO, or PCI framework. Each of these is an example of what a framework in this product would be.

Configuration Change Console comes with a set of predefined frameworks which can be used to create custom frameworks specific to your environment. Once a custom framework has been created, it will be displayed on the Framework screen. Only custom frameworks may be used for reporting purposes. In order to use a predefined framework, you first need to save the predefined framework as a custom framework and modify it as necessary.

A user can create as many frameworks as necessary if they follow more than one policy framework. For instance, a large company may use both SOX and PCI frameworks for different parts of their environment.

To access this screen, navigate to Policy --> Policy Management --> Frameworks.

The frameworks screen lists all predefined frameworks. You can choose the view drop down in the filter bar to see predefined frameworks instead. Predefined frameworks cannot be instantiated in your environment, but they can be copied to a new custom framework.

The fields shown on this screen are listed below:

The filter bar allows you to change the view for this screen. The following are the two views available.

Modifying or Creating New Frameworks

To access this screen, navigate to either Policy -> Policy Management-> Frameworks > Add Custom Framework or Policy -> Policy Management-> Frameworks > Framework name link.

The Add or Update Framework screen allows an administrator to create or update a framework. A Framework is simply a grouping used to hold policies. Frameworks should mirror your compliance framework used in your organization. For example, you may use the COBIT, COSO, or PCI framework.

Once you create a framework, you then create (or copy from predefined frameworks) policies that comprise the policy framework you are going to use.

The following fields are displayed:

  • Framework - Name for the framework.

  • Description - Brief note describing the function of the framework.

  • Framework Text - This can be a much more detailed description of the framework describing the use cases and purpose of the framework.

Note:

An asterisk next to a field indicates required input.

Copying a Framework

Use the following steps to copy an existing predefined or custom framework.

Click on the Save As button when viewing the Add or Update Framework screen for a custom or predefined framework.

Change the name and descriptive fields as necessary. Check the appropriate check boxes indicating what other objects you want to save when copying the framework. These check boxes are mutually inclusive, in other words, you cannot copy controls without also copying policies.

  • Policies - Will additionally make a copy of all policies and assign them to the new framework name

  • Controls - Will make a copy of all controls and assign them to each policy that is also copied.

    Selecting this option should be used with care. In normal situations, controls can be shared across policies. Checking this box will actually copy all of the controls rather than mapping already existing ones, so you will have a new version of the controls with the string copy of prepended to each control.

  • Components - Will also copy the components assigned to the controls if you check this check box.

Click Save to save the changes or Reset to reset the fields. You can click Cancel at any time to exit the screen without saving the copy.

Policies

To access this screen, navigate to Policy --> Policy Management --> Policies.

The Policies screen displays compliance policies available in the product for reporting. There are policies that are predefined that come with the product as templates and there are custom policies which are the ones that you can create.

A policy in the console maps directly to the compliance policies you use in your organization. For instance, there is a "Manage Installation" policy in the COBIT standard framework. This would be one policy configured on this screen.

Configuration Change Console comes with a set of predefined frameworks each with their own policies, which can be used to create custom policies specific to your environment. Once a custom policy has been created, it will be displayed on this Policies screen. Only custom policies may be used for reporting purposes. In order to use a predefined policy, you first must save the predefined policy as a custom policy and modify it as necessary.

A user can create as many policies as necessary to map to their internal compliance structure. The fields shown on this screen are displayed below:

Clicking on the count link will display the Controls listing screen which will be filtered by the selected framework and policy.

The filter bar has a field that allows you to change the view for this screen. The following are the three views available:

Modifying or Creating New Policies

To access this screen, navigate to either Policy -> Policy Management-> Policies > Add Custom Policy or Policy -> Policy Management-> Policies > Policy name link.

The Add or Update a Policy screen allows an administrator to create or update a policy. A policy in the console maps directly to the compliance policies you use in your organization. For instance, there is a "Manage Installation" policy in the COBIT standard framework. This would be one policy configured on this screen.

Once you create a policy, you then create (or copy from predefined policies) controls that will be assigned to components defined to mimic your organizations applications components.

The following fields are displayed:

  • Policy Name - Name for the policy

  • Framework - Drop-down list that allows you to select which framework to which this policy belongs. You cannot create a policy without at least one custom framework already existing

  • Description - Brief note describing the function of the policy

  • Policy Text - This can be a much more detailed description of the policy describing the use cases and purpose of the policy

  • Reference URL - A URL that will be used to link the user to a document or application that contains the policy details

  • Owner - An assigned owner of the policy selected from configured people in the Console product

Note:

An asterisk next to a field indicates required input.

Copying a Policy

Follow these steps to copy an existing predefined or custom framework:

  1. Click on the Save As button when viewing the Add or Update Policy screen for a custom or predefined policy.

  2. Change the name in the Save As Name field and descriptive fields as necessary

  3. Check the appropriate check boxes indicating what other objects you want to save when copying the policy. These check boxes are mutually inclusive. In other words, you cannot copy components without also copying controls.

    • Controls - Will make a copy of all controls and assign them to each policy that is also copied

      Selecting this option should be used with care. In normal situations, controls can be shared across policies. Checking this box will actually copy all of the controls rather than mapping already existing ones, so you will have a new version of the controls with the string copy of prepended to each control.

    • Components - Will copy the components assigned to the controls also if you check this check box.

  4. Click Save to save the changes or Reset to reset the fields. You can click Cancel at any time to exit the screen without saving the copy.

Controls

The Controls screen displays compliance policy controls available in the product for reporting. There are controls that come predefined with the product as templates and there are custom controls which you create manually or can be created by copying a predefined control.

A control in the console maps directly to the granular policy controls that you use in your organization. For instance, there is a "Testing Changes" control which is part of the Cobit "Manage Installation" policy in the COBIT standard framework. A control is the most granular element in the compliance mapping capability of the product. Controls are mapped to components so that events that happen to each component can be reported against those mapped controls. This mapping relationship is effectively what relates an event to a policy.

Configuration Change Console comes with a set of predefined controls, which can be used to create custom controls specific to your environment. Once a custom control has been created, it will be displayed on the Controls screen. Only custom controls may be used for reporting purposes and mapped to components. In order to use a predefined component, you first need to save the predefined component as a custom component and modify it as necessary.

A customer can create as many controls as necessary to map to their internal compliance structure. A single control can also be assigned to any number of policies. For instance, you may have two policies that both have the same Emergency Changes control.

The fields shown on this screen are displayed below:

Clicking on the count link will display the Assign Components to Control screen where the assignments can be modified.

The filter bar displays a field that allows you to change the view for this screen. The following are the options available:

Modifying or Creating New Controls

To access this screen, navigate to either Policy -> Policy Management-> Controls > Add Custom Control or to Policy -> Policy Management-> Controls > Control name link.

From the Add or Update Control screen, you can define a control that will later be associated with a component. Enter or select the following parameters:

  • Control Name - Original name for the control you are copying

  • Version - A user-defined version number for the control used to distinguish multiple iterations of the same control that may be in use at the same time in an organization

  • Description - Brief note describing the function of the control

  • Control Text - This can be a much more detailed description of the control describing the use cases and purpose of the control

  • Document URL - A URL that will be used to link the user to a document or application that contains the control details

  • Policies - Select the Framework/Policy combinations to which you want to assign this control. You can select more than one by holding down the Control (CTRL) key while you select

You can unselect all by clicking on the None line at the top without holding down the Control (CTRL) key.

Copying a Control

To access this screen, navigate to Policy -> Policy Management-> Controls > Control name link > Save As button.

The Copy a Control screen allows an administrator to copy an existing custom or predefined control. A control in the console maps directly to the granular policy controls that you use in your organization. For instance, there is a "Testing Changes" control which is part of the COBIT "Manage Installation" policy in the COBIT standard framework. A control is the most granular element in the compliance mapping capability of the product. Controls are mapped to components so that events that happen to each component can be reported against those mapped controls. This mapping relationship is effectively what relates an event to a policy.

When you view one existing custom or predefined control and click the Save As button to make a copy, the following fields are displayed. Filling out this form and clicking Save will create the copy.

The following fields are displayed:

  • Control Name - Original name for the control you are copying

  • Save As Name - The name you want to give to the new custom control this copy will be saved as

  • Version - A user-defined version number for the control used to distinguish multiple iterations of the same control that may be in use at the same time in an organization

  • Description - Brief note describing the function of the control

  • Control Text - A more detailed description of the control describing the use cases and purpose of the control

  • Document URL - A URL that will be used to link the user to a document or application that contains the control details

  • Policies - Select the Framework/Policy combinations to which you want to assign this control. You can select more than one by holding down the Control (CTRL) key while you select. You can unselect all by clicking on the None line at the top without holding down the Control (CTRL) key

  • Include - Choose whether you want to also copy the components that are assigned to the control

Assigning Components To a Control

To access this screen, navigate to Policy -> Policy Management-> Controls > Components count link.

This screen enables you to change the components that are assigned to this control. Control assignment is how component changes get reported up through the control/policy/framework reporting structure. For instance, to report changes on the top level dashboard, you must assign components to a control and likewise have that control assigned to a policy. Through the component screens, you can also assign controls to components in the other direction.

The subtitle of the screen provides a context for the control to which you will be assigning components. For example:

Control: Application Change

Click on + to expand the Component Types to view the list of components of each type. Already selected components will be both checked and listed in a bold font.

Select the components to assign to the control by using one of these methods:

  • Clicking the check box for the control

  • Clicking the Selection Helper link to select a group of templates based on pattern matching. Note that pattern matching is case sensitive