Manage Your Policies
This section answers common questions about policy management: creating and exporting policies, activating and deactivating them, reading policy status, evaluating policies, working with locked policies, and deleting or updating policies.
Creating and Managing Policies
The following section describes how to create a new policy and how to export policies.
Create a New Policy
Go to PA > Policies > New > Policy. Then choose one of these options:
- start with an empty policy and build it from scratch
- create a policy based on scan data from an existing host
- import a policy from our Library
- import a policy from an XML file
We will walk you through the steps.
Your new policy is active by default, meaning it is available for scanning and reporting from the time it is created. To create an inactive policy, clear the Activate this policy check box and the new policy is saved as inactive. You can activate it later.
Want help configuring your policy? See Using the Policy Editor.
Export Policies
By exporting a compliance policy to XML or CSV, you can easily share the policy with other users. Only the XML format can be imported: users can import XML policies into their own subscriptions. Learn more in Export Your Policies.
Activating and Deactivating Policies
This section covers how to deactivate and reactivate a policy, what happens when a policy is deactivated, and what happens when it is reactivated.
Activate a Policy
Go to PA > Policies and identify the policy you want to activate. Then select Activate from the Quick Actions menu.
You can also activate a policy by first selecting the policy to be activated and then, under the Actions drop-down, selecting Activate.
Users with SCA accounts can activate or deactivate policies.
Deactivate a Policy
Go to PA > Policies and identify the policy you want to deactivate. Then select Deactivate from the Quick Actions menu.
You can also deactivate a policy by first selecting the policy to be deactivated and then, under the Actions drop-down, selecting Deactivate.
Users with SCA accounts can activate or deactivate policies.
Effects of Policy Deactivation
Posture evaluation does not take place for a deactivated policy. The policy is hidden from your dashboard, reports, and exceptions. The policy is removed from compliance scorecard reports and from option profiles that have the Scan by Policy option enabled. Any policy report schedules for the policy are also deactivated.
Policy Re-Activation Overview
Posture evaluation resumes, and the policy is available again for scanning and reporting. Report schedules are not reactivated automatically: you need to reactivate them manually, although the policy is pre-selected for you. You also need to manually add the policy back to your scorecard reports and option profiles.
Identifying and Understanding Policy Status
Identify Active and Inactive Policies
Each policy in the policies list carries a status icon: one icon indicates an active policy and a different icon indicates an inactive policy.
Policies Evaluation
Policies are always evaluated when new scan results are processed for hosts in your policy. You can also start policy evaluation when saving changes to a policy by clicking Evaluate Now before clicking Save, or evaluate a policy at any time by clicking Evaluate from the policies list. The date and time of the last policy evaluation are shown in the preview pane of the policies list.
It is recommended to click Evaluate Now while saving a policy after making any changes that impact the posture, such as:
- Adding or removing controls
- Adding or removing a technology at the policy or the control level
- Adding or removing an asset group
- Updating an expected value
If you do not click Evaluate Now, posture data may be temporarily inconsistent: posture data for assets associated with removed controls, technologies, or asset groups is not deleted immediately. It is deleted when the policy is next evaluated, either during the next scan or during policy processing triggered by a change in the asset group or UDC.
Working with Locked Policies
Locked Policies in the Library
Our library includes locked policies for testing compliance against specific CIS benchmarks. These policies have been reviewed and certified by CIS (the Center for Internet Security). When a policy is locked, you can add hosts to the policy but you cannot make any other edits.
During the import, you have the option to import a locked policy as unlocked. This removes the editing restrictions.
Lock your Policy
Locking a policy prevents other users from editing it. Policies locked by a user are marked with a lock icon in the policies list.
- Locked policies cannot be edited; however, they are still available for reporting. A policy must be unlocked to enable editing.
- Only Managers and Unit Managers have permission to lock a policy.
- Managers can unlock any policy, but Unit Managers can unlock only the policies they locked themselves.
- Policies that were locked at import, and SCAP policies, cannot be locked or unlocked.
Tell me the steps.
Go to your policies list and choose the action you want to take from the Quick Actions menu: Lock or Unlock.
Use the Actions menu to lock or unlock multiple policies in one go.
You can also lock or unlock a policy from within the Policy Editor.
View Locked Import Policies
Policies that are locked at import are marked with a distinct icon in the policies list.
To view only the policies that are locked at import, on the Policies page, click Filters > Locked at Import.
Only the policies that were locked during import are displayed.
Search for Policies Locked at Import
To view only the policies that are locked at import, on the Policies page, click Search, select the Locked at Import checkbox, and click Search.
All the policies that are locked at import are displayed.
Deleting and Updating Policies
The following section describes deleting and updating policies, including the implications of having a new version of a policy available in the Policy Library.
Delete Policies
When you delete a policy, the policy is no longer available for scanning and reporting. For compliance policies, any exceptions created for the policy are also deleted. For SCAP policies, results for scans run with the policy are deleted. Once a policy is deleted it cannot be recovered, so consider deactivating a policy instead of deleting it.
To proceed with deleting a policy, go to PA > Policies and select the policy you want to delete. Then choose Delete from the Actions menu above the list. When the confirmation window appears, choose Delete again to proceed.
When are stale PA technologies/instances deleted?
Stale PA technologies/instances are deleted in any of the following three cases:
- A full scan (Agent or Scanner) reports two technologies/instances, indicating that both are commissioned and functioning. A later full scan reports only one technology/instance, because the second one may have been decommissioned and is no longer included in the results. In that case the decommissioned technology/instance is considered a stale PA technology/instance and is deleted. This stale deletion applies to all types of middleware technologies.
- For Scan-By-Policy (SBP) scans with Scanner, you set a time period in the Inactive Purge Instance settings (Policy Audit > Scan > Setup > Inactive Purge Instance) for each technology/instance, after which it is considered stale. If a technology/instance that previously appeared in SBP scan results does not appear in the results for the specified time period, it is considered stale and is deleted.
- For a full scan with Scanner, an authentication record is required for each technology/instance that is to appear in the results; if there is no record for a technology/instance, it is not displayed in the scan results. An Agent scan does not require authentication records. Consider a scenario in which a full Scanner scan shows only one instance in the results, because there is only one authentication record, and a subsequent Agent scan shows two instances. Previously, the extra instance seen by the Agent scan but absent from the Scanner results was deleted as stale; now both instances are retained.
Policy Update Notification
When a new version of a policy becomes available in the Policy Library, the older version is removed from the Policy Library and the newer version is available for import to your subscription.
Any policies already imported to your subscription remain in your subscription unless a user removes them; they are not updated automatically.
To view and select policies from our Library, go to PA > Policies > New > Policy > Import from Library.