Assessments

Compliance assessments are a way of grouping controls together so that device configurations can be tested in real time or on an as-needed basis. These assessments can also be used for reporting.

Permission Requirements

A user will need to be a member of a user group with the following minimum permissions granted:

  • Administration: Assessments and Controls

  • Modules: Administration

  • Device Group: member of the device group that will be used to run the assessment against

Open the Assessments Page

To open the Assessments page, on the toolbar, click Compliance > Assessments.

Assessments List

The following table defines the values in the Assessments table. The list is sorted in ascending order by Name by default, but it can also be sorted by Description.

Assessments List

Value          Description
Name           The name of the assessment.
Description    A description of the assessment.
Controls       The number of controls using the assessment.
Devices        The number of devices that are using the assessment.
Device Groups  The number of device groups that are using the assessment.
Last Modified  The timestamp for the last time the assessment was modified.
(menu icon)    Action menu with options for tasks to complete at the assessment level.


Assessments

There are numerous assessments that are preconfigured. These assessments cannot be edited or deleted, but can be duplicated (with the exception of PCI assessments).

  • Best Practices—used to evaluate the firewall against best practices related to policy security issues, policy quality, and device configuration controls, including Layer 7 tuples and Device Zones for overly permissive access.
  • Best Practices (Deprecated)—used to evaluate the firewall against a set of best practices related to policy security issues, policy quality and device configuration controls.
  • CIS Check Point—Security Configuration Benchmark for Check Point firewall, provides prescriptive guidance for establishing a secure configuration posture for Check Point firewall versions R75.x – 80.x installed on GAIA platform. This assessment was tested against Check Point R80.10 installed on GAIA. [v1.1.0 - 06-29-2020]
  • CIS Cisco ASA—Security Configuration Benchmark for Cisco firewall devices, provides prescriptive guidance for establishing a secure configuration posture for Cisco firewall devices versions 9.8. This assessment was tested against Cisco ASA 9.8(4). [v1.0.0 - 04-30-2021]
  • CIS Fortinet FortiGate—Security Configuration Benchmark for Fortinet FortiGate devices. An assessment status is included for every recommendation. The assessment status indicates whether the given recommendation can be automated or requires manual steps to implement.
  • CIS Juniper—Security Configuration Benchmark for Juniper JUNOS devices, provides prescriptive guidance for establishing a secure configuration posture for Juniper Networks devices including a core set of recommendations for all current JUNOS platforms including ACX, EX, MX, PTX, QFX, SRX and T Series. [v2.1.0 - 11-23-2020]
  • DISA STIG Cisco ASA—Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) used specifically for Cisco ASA. [Version 1, Release 2 - 27 Apr 2022]
  • DISA STIG (Firewall Security)—Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) used to help decrease the vulnerability of Department of Defense (DoD) sensitive information. [Version 8, Release 16]
  • DISA STIG Palo Alto Networks—Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) used for Palo Alto Networks. The assessment was tested against Palo Alto Firewall v9.0 and 10.1. [2022]
  • GDPR 2016—General Data Protection Regulation (GDPR) 2016/679 is a regulation for data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.
  • HIPAA Security Rule—Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that a risk analysis per CFR 164.308 (a)(1)(ii)(A) be conducted for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
  • HITRUST for Cisco—Health Information Trust Alliance Common Security Framework (HITRUST CSF) leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, and HIPAA to create a comprehensive set of baseline security and privacy controls.
  • ISO/IEC 27001:2013—International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27001:2013 information technology - security techniques - information security management systems - requirements.
  • NERC-CIP v6—North American Electric Reliability Corporation (NERC) - Critical Infrastructure Protection (CIP) v6 Cyber Security Validation can be used to address the security of cyber assets that are critical to the operation of the North American electricity grid.
  • NIST (SP) 800-41—National Institute of Standards and Technology (NIST) Special Publication (SP) 800-41 Guidelines on Firewalls and Firewall Policy validation.
  • NIST (SP) 800-171—National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 that outlines the required security standards and practices for non-federal organizations that handle controlled unclassified information (CUI) or provide security protection for such systems. [11-28-2017, SP 800-171 Rev. 1]
  • Palo Alto Firewall Security Configuration Benchmark—SANS security configuration benchmark for Palo Alto firewalls.
  • PCI-DSS v3.2.1—Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1 validation.
  • PCI-DSS v3.2.1 Cisco ASA—Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1 validation for Cisco devices.
  • PCI-DSS v4 Cisco ASA—Payment Card Industry Data Security Standard (PCI-DSS) v4 validation for Cisco devices.
  • PCI-DSS v4 Fortinet FortiGate—Payment Card Industry Data Security Standard (PCI-DSS) v4 validation for Fortinet FortiGate devices.
  • PCI-DSS v4 Palo Alto Panorama—Payment Card Industry Data Security Standard (PCI-DSS) v4 validation for Palo Alto Panorama devices.

  • Sarbanes-Oxley Act Section 404—Title IV of the Sarbanes-Oxley Act of 2002 (Enhanced Financial Disclosures) pertains to Management Assessment of Internal Controls, and can be used to assess the effectiveness of internal controls and procedures for financial reporting.

The PCI-DSS v3.2.1 and v4 assessments are copyrighted and, unlike the other assessments, cannot be duplicated, cloned, modified or adapted in any way. For more information about PCI DSS requirements, testing procedures and guidance, refer to the PCI Document Library at https://www.pcisecuritystandards.org.


Assessment Components

Assessment Builder

  • Section—structured view of how the assessment should flow. Each section begins with an executive summary and contains the SCI score.
  • Text—a purely informational introduction with no controls attached to it. For example, a text section can be used as section 1, followed by a section.
  • Subsection—additional detail, such as the categories of a regulation (for example, NIST) that describe what the section covers. Subsections have only a heading, no summary.
  • Control—the criteria that are executed against one or more devices to produce a result of pass or fail.

Assign Devices and Device Groups

  • All devices and device groups will be listed as available selections.
  • A device can be assigned to multiple assessments.
  • A device group can be assigned to multiple assessments.