CSA - How to create policies based on standards such as HIPAA?

Unanswered Question
Nov 13th, 2008

I need to create policies for the standards listed below. Will you point me in the right direction?

EAL or Common Criteria
Sarbanes-Oxley (SOX)

sadbulali Wed, 11/19/2008 - 15:18

A policy is a collection of rule modules. A rule module is a collection of rules. The rule module acts as the container for these rules, while the policy serves as the unit of attachment to groups. Machines with similar security needs are grouped together and assigned one or more policies that specifically target the needs of the group.

When you are creating rules for your rule modules, targeting the needs of machine groupings is central to your overall security plan. You can base these security needs on various criteria. For example, the concerns you have for your web servers may require you to group them separately from your mail servers, based on the types of policies each set of servers requires. Therefore, you could place your web servers into a common group, create rules that protect those servers from having their cgi files and html files written to (for example), and then attach the policy that contains these rules to the web servers group.
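
As an added illustration of the policy, rule module, rule and group relationships described in the reply above, here is a small Python model that evaluates file-access events for hosts in separate web server and mail server groups. This is example code written for this page, not Cisco's or CSA's own code; the class names, the deny-over-allow precedence, the "allow when no rule matches" default and the sample hosts, groups and paths are all constructed assumptions and do not describe how CSA itself orders or evaluates rules.

```python
"""Toy model of the CSA policy hierarchy: Policy -> RuleModule -> Rule,
with policies attached to Groups of hosts. Not CSA code; the precedence
and defaults below are assumptions made for this example."""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    """One rule: which operation on which paths is denied or allowed."""
    name: str
    action: str          # "deny" or "allow"
    operation: str       # "write", "read" or "execute"
    path_globs: tuple    # shell-style globs; note fnmatch's "*" also matches "/"


@dataclass
class RuleModule:
    """Container for rules; the reply calls a policy a collection of these."""
    name: str
    rules: list = field(default_factory=list)


@dataclass
class Policy:
    """Unit of attachment to groups."""
    name: str
    modules: list = field(default_factory=list)


@dataclass
class Group:
    """Hosts with similar security needs, with one or more policies attached."""
    name: str
    hosts: frozenset
    policies: list = field(default_factory=list)


@dataclass(frozen=True)
class FileEvent:
    host: str
    operation: str
    path: str


def effective_rules(host, groups):
    """Walk group -> policy -> rule module -> rule for every group the host is in."""
    return [rule
            for g in groups if host in g.hosts
            for p in g.policies
            for m in p.modules
            for rule in m.rules]


def evaluate(event, groups):
    """Return ("deny", rule_name) or ("allow", rule_name_or_None).

    Assumption for this toy: an explicit deny wins over any allow, and an
    event that no rule mentions is allowed.
    """
    winner = None
    for rule in effective_rules(event.host, groups):
        if rule.operation != event.operation:
            continue
        if not any(fnmatch(event.path, pattern) for pattern in rule.path_globs):
            continue
        if rule.action == "deny":
            return "deny", rule.name
        winner = rule.name
    return "allow", winner


def build_groups():
    """Constructed example deployment: web and mail servers grouped separately."""
    web_content = RuleModule("web-content-protection", [
        # allow listed first on purpose: the deny below must still win
        Rule("allow-upload-dir", "allow", "write", ("/var/www/uploads/*",)),
        Rule("no-write-web-content", "deny", "write",
             ("/var/www/*.cgi", "/var/www/*.html")),
    ])
    mail_spool = RuleModule("mail-spool-protection", [
        Rule("no-read-other-mailboxes", "deny", "read", ("/var/spool/mail/*",)),
    ])
    web_policy = Policy("web-servers", [web_content])
    mail_policy = Policy("mail-servers", [mail_spool])
    return [
        Group("web servers", frozenset({"www1", "www2"}), [web_policy]),
        Group("mail servers", frozenset({"mx1"}), [mail_policy]),
    ]


if __name__ == "__main__":
    groups = build_groups()
    for ev in (FileEvent("www1", "write", "/var/www/cgi-bin/form.cgi"),
               FileEvent("www1", "write", "/var/www/uploads/photo.html"),
               FileEvent("www1", "write", "/var/www/uploads/photo.png"),
               FileEvent("www1", "read", "/var/www/index.html"),
               FileEvent("mx1", "write", "/var/www/index.html")):
        print(ev, "->", evaluate(ev, groups))
```

The point the model makes is the one the reply makes: the same write to `/var/www/index.html` is denied on `www1` and allowed on `mx1` purely because the web policy is attached to the web servers group and not to the mail servers group. Only the containment relationships come from the page; the process and user dimensions of real CSA rules, and CSA's actual precedence and defaults, are not covered here.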


jan.nielsen Fri, 01/23/2009 - 16:22

I know that for PCI there is actually a pre-defined policy you can get from your local Cisco partner; just ask them to get it from the Cisco Security SE. This can then be imported, and you can apply those rules/policies to your hosts. For the other types of regulatory policies you are pretty much on your own, but CSA is flexible enough for you to create rules that can follow almost any regulatory compliance standard that dictates host security in some way.

