SUMMARY You can create a Policy Monitor question based on IP addresses that detects possible
communication with protected assets. From a risk perspective, it is important to know which users
within your organization can communicate with critical network assets.
JSA Risk Manager accomplishes this task by creating a Policy Monitor question based on an asset
test for possible communications.
You might look at all the connections to the critical server over time, but you might be more
concerned that regional employees are not accessing these critical servers. To accomplish this goal,
create a Policy Monitor question that looks at the topology of the network by IP address.
- Click the Risks tab.
- On the navigation menu, click Policy Monitor.
- From the Actions menu, select New.
- In the What do you want to name this question field, type a name for the question.
- In the What type of data do you want to return drop-down list, select Assets.
- From the Evaluate On drop-down list, select Possible Communication.
- From the Importance Factor drop-down list, specify a level of importance to associate with your question.
- In the Time Range section, specify a time range for the question.
- In the Which tests do you want to include in your question section, double-click to select have accepted communication to destination asset building blocks.
- In the Find Assets that section, click asset building blocks to further configure this test and specify Protected Assets.
Note: To define your network remote assets, your remote assets building block must be defined.
- In the Which tests do you want to include in your question section, double-click to select the restrictive test and include only the following IP addresses.
- In the Find Assets that section, click IP Addresses.
- Specify the IP address range or CIDR address of your remote network.
- Click Save Question.
- Select the Policy Monitor question that you created for protected assets.
- Click Submit Question.
- Review the results to see whether any protected asset accepts communication from an unknown IP address or CIDR range.
- Monitor your protected assets by putting the question into monitoring mode. If an unrecognized IP address connects to a protected asset, then JSA Risk Manager can generate an alert.
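A simplified sketch of what a possible-communication test restricted to a remote CIDR evaluates, added here as an illustration and not JSA Risk Manager code. It assumes a single device with an ordered, first-match rule list and an implicit deny, IPv4 only; the rules, remote network and protected-asset addresses are constructed sample values.

```python
import ipaddress as ip

# Constructed sample data: ordered (action, source CIDR, destination CIDR) rules.
RULES = [
    ("deny",   "10.20.30.0/25", "192.168.50.0/24"),
    ("permit", "10.20.0.0/16",  "192.168.50.10/32"),
]
REMOTE_NET = "10.20.30.0/24"                      # hypothetical regional office
PROTECTED = ["192.168.50.10", "192.168.50.11"]    # hypothetical protected assets

def overlap(a, b):
    """CIDR blocks either nest or are disjoint; return the shared block or None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None

def possible_sources(rules, remote_net, asset):
    """Parts of remote_net that the rule list allows to reach asset."""
    host = ip.ip_address(asset)
    remaining = [ip.ip_network(remote_net)]   # sources not yet matched by a rule
    allowed = []
    for action, src, dst in rules:
        if host not in ip.ip_network(dst):
            continue                          # rule does not cover this asset
        src_net = ip.ip_network(src)
        still_unmatched = []
        for block in remaining:
            hit = overlap(block, src_net)
            if hit is None:
                still_unmatched.append(block)
                continue
            if action == "permit":
                allowed.append(hit)
            # First match wins: drop the matched part from later consideration.
            still_unmatched.extend(block.address_exclude(hit))
        remaining = still_unmatched
    return sorted(allowed)                    # anything left falls to implicit deny

def audit(rules, remote_net, assets):
    """Map each reachable protected asset to the remote blocks that can reach it."""
    report = {}
    for asset in assets:
        blocks = possible_sources(rules, remote_net, asset)
        if blocks:
            report[asset] = [str(b) for b in blocks]
    return report

if __name__ == "__main__":
    for asset, blocks in audit(RULES, REMOTE_NET, PROTECTED).items():
        print(f"{asset} accepts possible communication from {', '.join(blocks)}")
```

The result depends only on configured rules, not on observed traffic, which is why a possible-communication question can flag exposure before any connection is made.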