Managing Compliance Policies

Create a compliance policy based on your organization's compliance needs, and assign relevant asset groups to the policy. Once the policy is in place, you can apply the policy to saved compliance scan results to identify whether hosts are meeting compliance requirements.

A policy is a collection of controls pertaining to one or more technologies in your environment. Technologies include operating systems (e.g. Windows 2003) and applications (e.g. Oracle 9i). Each control includes a statement of how the technology-specific item should be implemented and one or more checks performed by the service to validate the control.

The privilege to create policies is available to all Managers and Auditors.

Note that you can also import compliance policies into your account. See Import Compliance Policy from Library and Import Compliance Policy from XML for details.

 

To create a compliance policy:

1.    Select Policies from the left menu, under Tools.

2.    Go to New > Policy.

3.    In the Set Technologies pop-up, select one or more technologies that apply to this policy and click Done. (Note that you can add more technologies and remove technologies at a later time within the Policy Editor.)

The Policy Editor appears.

4.    Add these components to the policy:

      Policy Title. Provide a unique title for the policy. The title can contain a maximum of 250 characters.

      Cover Page. (Optional) Add a cover page to the policy. The cover page is included when you view and print the policy and in policy compliance reports.

      Technologies. Make changes to the technologies that you've selected for the policy. You can add more technologies and remove technologies.

      Sections. Group controls into sections to provide structure to your policy. For example, you may want to organize controls into sections based on control categories like "Access Control" and "Network Security". Add as many sections as you like and put those sections in any order.

      Controls. Add the controls that you want to analyze for compliance and set the required value for each control. Note that you can add controls directly into specific sections of the policy.

      Assign Assets. Assign relevant asset groups to the policy.

5.    Click Save.

 

To edit a compliance policy:

Follow the steps below to make changes to policies. For locked policies, indicated by a gold lock icon in the policies list, only the assigned assets may be edited.

1.    Select Policies from the left menu, under Tools.

2.    Identify the policy you want to edit, and click the edit icon.

3.    For an unlocked policy, you can make changes to the various policy settings: add/remove technologies, add/remove controls, group controls into sections, add a cover page and change assigned assets. For a locked policy, you can only make changes to the assigned assets.

4.    Do one of the following:

      Click Save to save your changes.

      (Unlocked policy) Click Save As to save a copy of the policy with a new name.

      (Locked policy) Click Create New Policy to create a new policy based on this policy. The new policy will not be locked, so you can make changes to its settings.