This report provides information about the security parameters that are configured in the Commvault environment. Users can add new controls and features to improve the overall management security. You can view the parameters categorized based on the status by selecting the status tab available at the top of the page.
The columns in each section of the Security posture score report include the following information:
- Status: The current status of the parameter, including whether the parameter is in the Good, the Info, or the Warning status.
- Parameter: The name of the security setting, the feature, or the option in the Commvault environment.
- Current setting: The security setting that is currently configured in the Commvault environment.
- Recommendation: The recommended configuration for the security setting within the Commvault environment.
- Remarks: A message about the status of the parameter. You can view the information about the feature or the setting from the link, which opens either the related document or a related report.
- Actions: You can enable or perform other applicable actions for the parameter using the Action button. After updating security settings, you must wait until after the next data collection process runs to view any changes in the Security Assessment report.
To view this report, in the Security IQ Dashboard, in the Security Posture Tile, click View Your Security Posture.
The following are the categories under which the parameters are grouped:
Audit trail
The Audit Trail table displays how long audit trail events are retained, information about security cleanup, and the user and user group permission reports. The audit trail information is managed by Commvault.
Parameter | Description |
---|---|
Audit trail | The information about the duration of the audit trail details preserved for Critical, High, Medium, and Low severity events. |
Security Cleanup Report | This parameter displays the number of unused entities in the CommCell environment and provides a link to the Cleanup Report. The Cleanup Report displays the names of each unused entity in the CommCell environment, such as the users and the user groups, that might need to be deleted. Entities that are listed include the following: |
User and user group permissions report | This parameter provides a link to the User and User Group Permissions Report. The User and User Group Permissions Report displays the name of each user in the Master User Group, the roles assigned to each user, the permissions assigned to each user, and whether the Master User Group is enabled or disabled. |
Authentication and Authorization
The Authentication and Authorization table displays information about the parameters that control user access and the users' access level to backup data in the Commvault environment.
Parameter | Description |
---|---|
Failed login lockout count | The number of failed log-on attempts that are allowed before the user is locked out. This is managed by Commvault in accordance with AC-7 in the NIST 800-53 publication. The default value is set to 3 failed login attempts. |
Account lockout duration | The duration the account is locked after exceeding the failed login count. The default value is set to 30 minutes. |
Delete authorization | An indication of whether Delete authorization is enabled in the Commvault environment. When Delete authorization is enabled, additional administrative approval is required. The approval request is sent via email to all the administrators, and the request can be approved or denied by any other administrator. You must have a secondary tenant administrator account to use the Delete authorization feature. Delete authorization supports server deletion, mount path deletion, job deletion, and plan deletion. If this feature is enabled, then the tenant administrator will not receive the email notification, and it cannot be disabled. |
Restore authorization | An indication of whether Restore authorization is enabled in the Commvault environment. When Restore authorization is enabled, additional administrative approval is required. The approval request is sent via email to all the administrators, and the request can be approved or denied by any other administrator. You must have a secondary tenant administrator account to use the Restore authorization feature. If this feature is enabled, then the tenant administrator will not receive the email notification, and it cannot be disabled. |
Password complexity level | The complexity level that is configured for password requirements for users in the CommCell environment. There is also an indication of whether the Check Password Complexity workflow is enabled. |
Multi-factor authorization | An indication of whether multi-factor authentication is enabled in the CommCell environment. If this feature is disabled, you can view the documentation about multi-factor authentication. In the Action column, click Enable. |
Single sign-on | An indication of whether single sign-on providers are configured in the CommCell environment. To view the Single Sign-On Report, which lists the single sign-on providers that are configured in the CommCell, click the link. |
Command Center timeout period | The number of minutes that the Command Center is configured to wait before logging out an inactive user. |
CommCell Console timeout period | The number of minutes that the CommCell Console is configured to wait before logging out an inactive user. To view the instructions for configuring the timeout period, click Change. |
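The effect of the two lockout parameters in the table above, replayed over sign-in events, as an added example that is not Commvault code: it applies the documented defaults (3 failed attempts, 30-minute lockout) to a constructed event list. The event format, locking on the third consecutive failure, and resetting the counter on a successful login are assumptions of this sketch, not documented product behavior.

```python
from datetime import datetime, timedelta

MAX_FAILED = 3                    # default failed login lockout count (from the table)
LOCKOUT = timedelta(minutes=30)   # default account lockout duration (from the table)

# Constructed sample events (timestamp, user, outcome); not real Commvault logs.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "FAIL"),
    ("2024-05-01T09:00:05", "alice", "FAIL"),
    ("2024-05-01T09:00:30", "alice", "OK"),      # success resets the counter (assumption)
    ("2024-05-01T09:10:00", "alice", "FAIL"),
    ("2024-05-01T09:01:00", "bob", "FAIL"),
    ("2024-05-01T09:01:02", "bob", "FAIL"),
    ("2024-05-01T09:01:04", "bob", "FAIL"),      # third failure: locked until 09:31:04
    ("2024-05-01T09:01:06", "bob", "FAIL"),      # refused, account is locked
    ("2024-05-01T09:20:00", "bob", "OK"),        # correct password, still refused
    ("2024-05-01T09:35:00", "bob", "OK"),        # lockout expired, accepted
    ("2024-05-01T10:00:00", "svc_backup", "FAIL"),
    ("2024-05-01T10:00:01", "svc_backup", "FAIL"),
    ("2024-05-01T10:00:02", "svc_backup", "FAIL"),
    ("2024-05-01T10:30:05", "svc_backup", "FAIL"),
    ("2024-05-01T10:30:06", "svc_backup", "FAIL"),
    ("2024-05-01T10:30:07", "svc_backup", "FAIL"),  # second lockout right after expiry
]

def replay(events, max_failed=MAX_FAILED, lockout=LOCKOUT):
    """Replay events in time order.

    Returns (lockouts, rejected): lockouts is a list of (user, locked_at, unlock_at);
    rejected maps user -> attempts refused while the account was locked.
    """
    failures, locked_until = {}, {}
    lockouts, rejected = [], {}
    for ts, user, outcome in sorted(events):     # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        until = locked_until.get(user)
        if until is not None:
            if now < until:                      # locked: refuse regardless of password
                rejected[user] = rejected.get(user, 0) + 1
                continue
            del locked_until[user]               # lockout period is over
        if outcome == "OK":
            failures[user] = 0
            continue
        failures[user] = failures.get(user, 0) + 1
        if failures[user] >= max_failed:
            locked_until[user] = now + lockout
            lockouts.append((user, now, now + lockout))
            failures[user] = 0
    return lockouts, rejected
```

An account that is locked again within seconds of its lockout expiring, as `svc_backup` is here, is worth reviewing as repeated guessing rather than a forgotten password.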
Hardening
Parameter | Description |
---|---|
Windows MediaAgent with admin shares | Indicates the number of MediaAgents with Windows administrative shares enabled, which can add security risks to your environment. |
Security Control
The security control table displays information about backup data security control.
Parameter | Description |
---|---|
Key Management | Displays the third-party key management used in the Commvault environment. |
Storage with encryption | An indication of whether the storage is encrypted. Commvault encrypts storage by default. |
Compliance Lock | Protects data from retention policy changes and prevents malicious or accidental deletion. The Compliance Lock is available only for the companies that have backup storage. The compliance lock provides the following protection: |
Ransomware protection | An indication of whether all mount paths are secured against ransomware. If any mount paths are not secured against ransomware, then the parameter displays the Critical status. |
File Activity Anomaly alert | An indication of whether the File Activity Anomaly alert is enabled. If the File Activity Anomaly alert is disabled, then the parameter displays the Critical status. |
Key Management Server for Password Encryption | An indication of whether a key management server is configured in the CommCell environment. To view instructions about how to set up a key management server, under Action, click the link. |
Disaster Recovery Backup | An indication of whether the DR backup is configured to the Commvault cloud library, the cloud library of the user, or the UNC path. To view instructions about how to enable the DR backup to cloud feature, under Action, click the link. |