Accelerate your compliance by using Policy Import

Post written by Doreen Riepel and Joe DeBlaquiere

The number of security and privacy audits and compliance requirements has been increasing over the last few years. This has a significant impact especially on operations in healthcare, banking/finance and government. As a result, there is a need to improve the management of such information through policy-based systems.

A policy is a system representation of a corporate regulatory or government policy, such as PCI, SOX or FISMA. In IT Operations Compliance (ITOC), each policy has a hierarchy of requirements, with each requirement having one or more rules. A complex requirement may need multiple rules to evaluate its compliance. The easiest way to author a policy is to use the policy and compliance content that can be downloaded from HP Live Network. In this way, ITOC will accelerate time to value with out-of-the-box (OOTB) content and assist organizations with managing compliance. Setting up a policy only takes three steps:


1. Import Compliance Control Library

Importing the Compliance Control Library is the first step in authoring a policy. The library includes an array of user-customizable controls to audit and remediate common configurations that pose security and compliance risks on OS platforms and database servers. Examples of these common configurations include local security settings on Windows or RPMs on Linux.

2. Import OOTB regulatory policies

For all benchmark policies, the corresponding compliance control library is a prerequisite. Once the control library is imported, it is possible to import the OOTB regulatory policies. These provide pre-defined values for audit and remediation according to guidelines such as CIS, PCI, or SOX.

3. Review imported policies and modify rule parameters

For some rules, the benchmark suggests setting a value that is consistent with the security and operational requirements of the organization. For such requirements in OOTB policies, the values provided in the audit and remediation parameters are intended only as an example, or as a default value set as per the benchmark recommendation. This is why it might be necessary to edit rules in order to match your organization's criteria and environment.

After a policy is created and reviewed, it can be tied to a business service. In IT Operations Compliance, this is done in a Statement of Applicability. It is then possible to run scan or remediation jobs in order to see whether or not the policy is compliant based on the compliance threshold.

You can learn more about IT Operations Compliance here.

About the Author


Nimish Shelat is currently focused on Datacenter Automation and IT Process Automation solutions. Shelat strives to help customers, in both traditional IT and Cloud-based IT, transform to a Service Centric model. The scope of these solutions spans server, network, database and middleware infrastructure. The solutions are optimized for tasks like provisioning, patching, compliance and remediation, and for processes like Self-healing Incident Remediation, Rapid Service Fulfilment, Change Management and Disaster Recovery. Shelat has 23 years of experience in IT; 20 of these have been at HP, spanning the networking, printing, storage and enterprise software businesses. Prior to his current role as a Manager of Product Marketing and Technical Marketing, Shelat held positions as Software Sales Specialist, Product Manager, Business Strategist, Project Manager and Programmer Analyst. Shelat has a B.S. in Computer Science. He earned his MBA from the University of California, Davis with a focus on Marketing and Finance.