Job Management Partner 1/Client Security Control Description, User's Guide and Operator's Guide

[Contents][Glossary][Index][Back][Next]

2.3 Managing security policies

The security policies needed in the client security control system are set by the administrator.

A security policy consists of a judgment policy, which defines conditions for evaluating client security and sets associated security levels, and an action policy, which defines the actions to be implemented for each security level.

Each judgment policy an each action policy is assigned to each client. Policies are defined and assigned using the Security Policy Management windows of JP1/CSC - Manager. For details about these windows, see 6. Managing Security Policies.

Organization of this section
(1) Judgment policies
(2) Action policies
(3) Assigning security policies to clients

(1) Judgment policies

In a judgment policy, the administrator can set security levels associated with parameters for determining client security levels, such as whether Windows security updates have been applied and whether anti-virus products have been installed. These parameters for determining client security levels are called judgment items.

The judgment items of a judgment policy are as follows:

The administrator must first decide which of these judgment items to use in determining client security levels, and then set judgment conditions for each item. The conditions can refer to security updates, anti-virus products, or software that must be installed on the client, and to user-defined judgment items optionally set by the administrator. After setting the judgment conditions, the administrator defines the client security level associated with each condition.

The following figure shows an overview of judgment policies.

Figure 2-3 Overview of judgment policies

[Figure]

Two methods are provided to set judgment policies:

For details about how to set judgment policies in the Security Policy Management window, see 6.2 Managing judgment policies. For details about how to use the command to set judgment policies, see cscpolimport (updates judgment policy settings) in 15. Commands.

Judgment policies can be preset in a variety of patterns. Alternatively, the administrator can customize the default judgment policy provided by the system.

Judgment policies relating to security updates and anti-virus programs can be updated automatically to the latest definitions. This process is described next.

(a) Automatic update of judgment policies for security updates

Patch information for judgment policies relating to security updates can be updated automatically by using the patch information files collected by Job Management Partner 1/Software Distribution. Patch information files contain information about patches provided by Microsoft. This feature applies to patch information for Windows and Internet Explorer.

To update patch information for judgment policies, execute the judgment policy update command for security updates (cscpatchupdate). When the administrator executes this command, the judgment policy definitions for security updates are updated automatically according to the contents of the patch information file. For details about the judgment policy update command for security updates (cscpatchupdate), see cscpatchupdate (updates patch information for judgment policies relating to security updates) in 15. Commands.

To use this feature, Job Management Partner 1/Software Distribution must be set up to acquire patch information files. For details about acquiring patch information files, see the manual Job Management Partner 1/Software Distribution Description and Planning Guide, for Windows systems.

The following figure shows an overview of automatically updating judgment policies for security updates.

Figure 2-4 Automatically updating judgment policies for security updates

[Figure]

For details about how to automatically update judgment policies for security updates, see 6.3.3 Automatically updating judgment policies for security updates.

(b) Automatic update of judgment policies for anti-virus products

Judgment policy definitions for an anti-virus product can be updated automatically by linking with the anti-virus product and collecting the latest update information for virus definition files and the engine version. You can also impose a delay between the acquisition of the latest information about the anti-virus product and the automatic update of the judgment policy definition by setting a grace period.

Update information for anti-virus products can be acquired either from the inventory information for the specified client or by linking to JP1/CSC - Manager Remote Option on a remote management server.

For details about the system configuration when update information for anti-virus products is acquired from the inventory information for the specified client, see 3.1(2) System configuration for automatically updating judgment policies for anti-virus products. For details about the system configuration when update information for anti-virus products is acquired by linking with JP1/CSC - Manager Remote Option on a remote management server, see 3.1(3) System configuration with a remote management server.

The following figure shows an overview of automatically updating judgment policies for anti-virus products.

Figure 2-5 Automatically updating judgment policies for anti-virus products

[Figure]

Automatic update applies to anti-virus products supported by JP1/Software Distribution. For details about these anti-virus products, see 4.6 Installing anti-virus products that link with automatic judgment policy updating.

For details about how to automatically update judgment policies for anti-virus products, see 6.4.6 Updating judgment policies for anti-virus products automatically or manually.

(2) Action policies

In an action policy, the administrator can define what actions to implement on clients for each security level.

The following actions can be set for each of the four security levels (Danger, Warning, Caution, and Safe):

Different actions can be set for each security level. For example, the administrator can specify that a message be sent to the user if a client's security level is Warning, or that the client be disconnected from the network when its security level is assessed as Danger.

The following figure shows an overview of action policies.

Figure 2-6 Overview of action policies

[Figure]

Action policies can be preset in a variety of patterns. Alternatively, the administrator can customize the default action policy provided by the system.

(3) Assigning security policies to clients

After defining judgment and action policies, the administrator can assign them to clients. Clients can be assigned different policies.

The following figure shows an overview of assigning policies to clients.

Figure 2-7 Assigning policies to clients

[Figure]

You can assign policies using the Security Policy Management window of JP1/CSC - Manager or by executing the policy assignment command (cscassign).

For details about policy assignment in the Security Policy Management window, see 6.13 Assigning security policies to clients. For details about policy assignment by command, see cscassign (assigns security policies to clients) in 15. Commands.

Every client is assigned a default judgment policy and a default action policy in advance.
Reference note
Default policies are assigned whenever a new client is configured in the system. If you add a client after starting operations with your client security control system, assign policies that the user has defined to the client as required.

[Contents][Back][Next]

[Trademarks]

All Rights Reserved. Copyright (C) 2009, 2011, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated