Operating systems, databases and network devices come with their own sets of configurations, such as security configurations, system configurations and network device configurations. Some organizations' practice is to have a policy compliance checklist for those operating systems, databases and network devices before the system goes live. This is to ensure those systems and devices are hardened before they are placed in a production environment. This is different from vulnerability scanning: a policy compliance audit determines whether a system is configured in accordance with an established policy. The organization will later have a working idea of the type of configuration parameters, security settings and sensitive information that are crucial and need to be audited. These can include log settings, security settings, password policies and so on.
Firmus will perform the Policy Compliance Assessment by adopting mainly the Center for Internet Security (CIS) benchmarks as the reference. If an organization does not have its own policy compliance checklist, Firmus will use the CIS checklist for that organization.
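To make concrete what "configured in accordance with an established policy" means in practice, here is a small policy-compliance checker written for this page. It is an added example, not Firmus's tooling and not a CIS benchmark; the sample `sshd_config`-style text is constructed, and the `POLICY` table holds hypothetical expected values chosen only to illustrate the pass/fail logic of a configuration audit (they are not quoted from any CIS document). Each policy item compares the observed setting with the expected one, and a setting that is absent from the configuration counts as a failure, which is how a missing hardening directive normally shows up in such an audit.

```python
"""Minimal policy-compliance checker (added example, not vendor or CIS code)."""

# Constructed sample of an sshd_config-style file; not captured from a real host.
SAMPLE_CONFIG = """
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
LogLevel INFO
X11Forwarding no
"""

# Hypothetical policy: directive -> (operator, expected value).
# "eq" means exact (case-insensitive) match; "le" means numeric value at most.
POLICY = {
    "PermitRootLogin": ("eq", "no"),
    "PasswordAuthentication": ("eq", "no"),
    "MaxAuthTries": ("le", 4),
    "LogLevel": ("eq", "INFO"),
    "X11Forwarding": ("eq", "no"),
    "ClientAliveInterval": ("le", 300),  # not present in the sample -> "not set"
}


def parse_config(text):
    """Parse 'Key value' lines into a dict, skipping blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def evaluate(settings, policy):
    """Return {directive: (status, observed)} for every policy item."""
    results = {}
    for key, (op, expected) in policy.items():
        actual = settings.get(key)
        if actual is None:
            # A hardening directive that is missing is treated as non-compliant.
            results[key] = ("FAIL", "not set")
            continue
        if op == "eq":
            ok = actual.lower() == str(expected).lower()
        elif op == "le":
            try:
                ok = int(actual) <= expected
            except ValueError:
                ok = False  # non-numeric value where a number is required
        else:
            ok = False
        results[key] = ("PASS" if ok else "FAIL", actual)
    return results


def compliance_summary(text, policy=POLICY):
    """Audit a config text against a policy; return (results, passed, total)."""
    results = evaluate(parse_config(text), policy)
    passed = sum(1 for status, _ in results.values() if status == "PASS")
    return results, passed, len(results)


if __name__ == "__main__":
    results, passed, total = compliance_summary(SAMPLE_CONFIG)
    for directive, (status, observed) in results.items():
        print(f"{status:4} {directive:24} observed={observed}")
    print(f"{passed}/{total} policy items compliant")
```

Running the block against the constructed sample reports two of six items compliant; a real assessment would carry a policy table per platform (OS, database, network device) and would be run before the system is approved for production, exactly the pre-go-live gate the text describes.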