| Requirement | Comply Level (Fully compliant / Partially compliant / Non-compliant) |
|---|---|
| 1) Vulnerability Scanning | |
| a. Support vulnerability identification for all operating systems, databases, services, … | |
| b. Support vulnerability identification for all client applications, such as the Adobe product family, the Apple product family and … | |
| c. Support scheduled and policy-based vulnerability scans (customized scan settings and schedules for different asset groups) | |
| d. Scanning module should be able to load scan templates | |
| e. Ability to define/import custom vulnerabilities | |
| f. Scan results should be kept in our database in our datacenter | |
| g. Possibility of offline update of vulnerability signatures | |
| h. Automated asset discovery feature | |
| i. Possibility to rank asset value | |
| j. Possibility of integration with an Asset Management System | |
| i. Ability to import and export the list of assets | |
| ii. Ability to get updates from the Asset Management System | |
| k. The system should differentiate newly identified assets after each scan | |
| l. Possibility of grouping assets | |
| m. Ability to relate vulnerabilities to assets and asset groups | |
| 2) Risk Management Function | |
| a. Prioritize risks based on the criticality of vulnerabilities and asset value | |
| b. Ability to customize the risk calculation formula (nice-to-have feature) | |
| c. Have a risk dashboard | |
| 3) Compliance Checking | |
| a. Support assessment of systems against well-known security best practices, including CIS, NIST and DISA. | |
| b. Support assessment against customized configuration settings and creation of customized configurations from the available best practices. Ability to assign different configuration policies to different asset groups. | |
| c. Customized configuration which allows the compliance ranks to be considered in the risk measures (nice-to-have feature) | |
| d. Support incident management for non-compliant systems/items | |
| 4) Customized Reporting | |
| - Ability to produce customized reports with flexible filtering on all system items, including but not limited to assets, asset groups, risk, vulnerability remediation status, configuration items (in compliance checking), … | |