Uploaded on Nov 11, 2022
BigFix® Compliance provides unified, real-time visibility and policy enforcement to protect complex, highly distributed environments. Designed to dramatically reduce compliance reporting overhead as well as enforce compliance to standards, BigFix Compliance can help organizations both protect endpoints and meet security compliance requirements and policies. This easy-to-manage, quick-to-deploy solution supports compliance initiatives for highly diverse environments —from servers to desktop PCs, mobile Internet-connected laptops, virtual servers, cloud-based systems, and specialized equipment such as point-of-sale devices, ATMs, and self-service kiosks.
Ensuring continuous compliance of security and regulatory policies
BigFix Compliance
The number of security threats that compromise endpoints and cause business-level damage has been continually growing. With an
ever more mobile workforce and new cloud initiatives, the very nature of the endpoint is changing. Along with it, heightened regulatory
concerns put additional burdens on overstretched IT groups.
BigFix® Compliance provides unified, real-time visibility and policy enforcement to protect complex, highly distributed environments.
Designed to dramatically reduce compliance reporting overhead as well as enforce compliance to standards, BigFix Compliance can
help organizations both protect endpoints and meet security compliance requirements and policies.
This easy-to-manage, quick-to-deploy solution supports compliance initiatives for highly diverse environments—from servers to
desktop PCs, mobile Internet-connected laptops, virtual servers, cloud-based systems, and specialized equipment such as
point-of-sale devices, ATMs and self-service kiosks. Its low impact on endpoint operations can enhance productivity and improve user
experience. By constantly enforcing policy compliance wherever endpoints roam, it helps reduce risk and increase audit visibility. Its
intelligent agent’s speed and efficiency provide continuous compliance with automated audit cycles measured in minutes versus weeks.
Highlights
• Continuously enforce compliance to industry security benchmarks or standards such as CIS, DISA STIG and PCI for endpoints
running virtually any OS, in any location, with automatic remediation of configuration drifts back to compliance baselines
• Over 20,000 out-of-the-box compliance checks are continuously updated to current standards, which dramatically reduces the
need for compliance expertise and the effort to put all endpoints in compliance.
• Track and report historical compliance trends across security configuration, patch and vulnerability, to assess endpoint security
risk and demonstrate compliance progress over time
• Monitor and manage the deployment status and health of leading third-party Endpoint Protection solutions
• Manage and distribute patches to all endpoints, regardless of OS, location, connection and type
• Support compliance controls for Windows 10 and macOS clients without agents via BigFix Modern Client Management
• Speed vulnerability remediation by automating the manual correlation of vulnerability data from external sources with BigFix
Insights for Vulnerability Remediation.
Continuous Compliance
BigFix’s continuous compliance technology virtually eliminates visibility and compliance gaps. Continuous compliance puts rules and enforcement at the endpoint and loops through all assigned policies without pausing, ensuring the endpoint is always in a compliant state.
In contrast, traditional point-in-time management solutions “check in” at unpredictable times, reducing visibility, creating gaps and increased risk due to noncompliant systems. These gaps can be caused by:
• Disconnected endpoints which are off network
• Critical patches released on Patch Tuesday may take days or weeks to deploy and validate
• Complete patch status reporting may take days or weeks
• End user-initiated changes affecting security compliance
Because of continuous compliance, BigFix can commonly deliver 99% compliance across the enterprise.
Delivering a broad range of powerful security functions
BigFix Compliance includes the following key functions without adding additional infrastructure or implementation costs:
Device discovery
With BigFix Compliance, device discovery is no longer a snapshot counting exercise. Instead, it creates dynamic situational awareness about changing conditions in the infrastructure. The ability to scan the entire network frequently delivers pervasive visibility and control to help ensure that organizations quickly identify all IP-addressable devices—including virtual machines, network devices, and peripherals such as printers, scanners, routers, and switches, in addition to computer endpoints—with minimal network impact. This function helps maintain visibility into all endpoints, including mobile laptop and notebook computers that are roaming beyond the organization’s network.
Patch management
Patch management includes comprehensive capabilities for delivering patches for Windows, UNIX, Linux, and macOS and for third-party vendors, including Adobe, Mozilla, Apple, and Oracle, to distributed endpoints—regardless of their location, connection type or status.
A single management server can support up to 250,000 endpoints, shortening patch times with no loss of endpoint functionality, even over low bandwidth or globally distributed networks. Virtual patch management capabilities enable offline patching, making stale virtual machine images a thing of the past. Real-time reporting provides information on which patches were deployed, when they were deployed, and who deployed them, as well as automatic confirmation that patches were applied, for a complete closed-loop solution to the patching process.
BigFix Compliance capabilities
BigFix Compliance provides many important capabilities, which include:
• Providing a real-time and automatic assessment of security configurations, continuous enforcement of security policies, and effective remediation of configuration drifts -- all supporting continuous compliance of self-healing endpoints across more than 60 operating systems and applications.
• Supporting out-of-the-box security checklists based on industry best-practice security benchmarks such as the Payment Card Industry Data Security Standard (PCI DSS), Center for Internet Security (CIS), and Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs).
• Managing and distributing patches to all endpoints for a variety of operating systems and software applications.
• Tracking, analyzing and reporting on policy compliance status and historical trends, across three key security domains — security configuration, patch, and vulnerability.
• Monitoring and managing the deployment status and health of various third-party endpoint protection solutions such as anti-virus and anti-malware tools.
• Scanning the entire network for all IP-addressable devices to discover any endpoints that are not managed by BigFix.
• Interrogating endpoints with a Query tool and predefined or user-created queries and getting precise answers back in seconds.
• Quarantining systems through the BigFix agent itself, isolating the target from the network while maintaining control and visibility through the BigFix agent for remediation.
• Integrating with other market-leading security solutions to provide deeper endpoint intelligence, identify risks, and remediate vulnerabilities more effectively.
With near real-time visibility across the organization, BigFix is indispensable when combating zero-day threats. With BigFix, the remediation cycles are short and fast, which enables an industry-leading, rapid response for addressing security issues.
Security configuration management
Out of the box, BigFix Compliance provides an extensive list of checklists developed based on authoritative security benchmarks published by CIS, DISA STIG, USGCB, PCI DSS. The checks in a checklist can be easily customized to support an organization’s security policy. Once a checklist is applied to an endpoint, BigFix continually evaluates the endpoint’s security configurations against the deployed checklist. Compliance status is also continually collected and reported to the BigFix Server. Any configuration drift can be identified quickly and an administrator can remediate the configuration issue remotely. With such a powerful approach of monitoring, reporting, and remediating security configurations across the entire IT environment, an organization can enforce endpoint security policies, minimize security risks, and effectively reduce endpoint management costs.
Compliance analytics
The compliance statuses of all endpoints against deployed policies are continually collected, aggregated, and reported using a powerful Compliance Analytics engine, database and user interface in BigFix Compliance. Various compliance reports, showing both current status and historical trend for the entire deployment or individual endpoint, provide comprehensive analytics to meet the various needs of security, IT operation, or compliance teams. With Compliance Analytics, an organization is able to track the effectiveness of its compliance effort and quickly identify security exposures and risks. Compliance Analytics provides consistent reports across all three security domains: Security configuration, Patch and Vulnerability.
Security configuration reporting
For all the security configuration checklists deployed across the entire environment using BigFix Compliance, Compliance Analytics provides various reports to show both current status and historical trend for an individual endpoint, an individual checklist, or even an individual check. An aggregated compliance posture for the entire deployment is also provided to report the overall status and progress toward the desired security configuration policies.
[Figure: Security Configuration Reporting]
Patch reporting
Patch reporting extends the analytics and reporting capabilities of BigFix Compliance from security configuration to security patching. This feature allows an organization to gain a comprehensive and historical view of patching activities across the entire deployment to assess the overall patching posture. It can enable more efficient prioritization of vulnerability remediation by identifying the critical and high severity patches that are yet to be applied. It also tracks when each patch is released and applied to each endpoint to help organizations demonstrate compliance with regulations/policies and pass
[Figure: Patch Reporting]
Vulnerability reporting
BigFix Compliance Vulnerability Reporting focuses on tracking and reporting of endpoints’ vulnerability posture as a result of patching actions, enabling organizations to more broadly identify risks and demonstrate compliance. This vulnerability reporting feature provides significant value to the organization by providing:
• Risk Posture Assessment: A Security Operations Center Manager or Security Analyst can get the current status, historical trend and details of vulnerabilities of various severities existing on each endpoint or across the environment.
• Remediation Task Prioritization: An IT Operations Specialist can get more information to help more effectively prioritize patching actions to maximize the impact to the vulnerability posture change.
• Vulnerability Compliance Demonstration: A Compliance Specialist can report how vulnerabilities have been remediated by patching actions to demonstrate compliance with specific regulatory or organization policies.
[Figure: Vulnerability Posture Overview]
Quarantine of non-compliant systems
Many organizations need to strictly control how endpoints can access the corporate intranet, based on endpoint status or configuration against a predefined policy. For example, an endpoint cannot access the intranet unless it has the latest security patch installed or has the latest virus definition used by its anti-virus tool. BigFix Compliance provides a self-quarantine capability, so if an endpoint is discovered to be out of compliance with an endpoint compliance policy, the endpoint is placed in network quarantine until compliance is achieved. A quarantined endpoint can still be managed by BigFix so that it can be remediated, but all other network access is disabled.
Endpoint inspection
BigFix Query provides real-time status of all your endpoints, enabling accurate identification and inspection of vulnerable devices through a user-friendly web interface. You can interrogate endpoints and get precise answers back in seconds, telling you which policies are enforced and which applications and services are installed. You can even examine files and system configuration settings to help you identify additional security threats. Users can use a library of predefined queries or quickly and easily create their own custom queries. BigFix Query also verifies the remediation of endpoints, helping to bridge the gap between security and IT operations to choose the right technology for their environment.
Payment Card Industry Data Security Standard (PCI-DSS) compliance
The BigFix Compliance Payment Card Industry (PCI) Add-on is designed to help with the enforcement and compliance reporting needed to satisfy the latest PCI-DSS requirements. Specific PCI-DSS configuration and policy compliance checks, as well as specialized dashboards, simplify the monitoring and reporting of PCI compliance, and the capability to continuously and automatically manage system configuration and currency improves endpoint security and integrity. Together, these capabilities can protect organizations from the malicious or unintentional loss of confidential customer and financial information while lowering operational and security administration costs. This can prevent the negative publicity, legal and financial impacts of a payment card data breach.
[Figure: Example PCI DSS Requirement Compliance]
Multivendor endpoint protection management
This feature gives administrators a single point of control for managing third-party endpoint security clients from vendors such as McAfee, Symantec, Trend Micro, Sophos, and Microsoft. With this centralized management capability, organizations can enhance the scalability, speed, and reliability of protection solutions. This feature monitors system health to ensure that endpoint security clients are always running and that virus signatures are updated. In addition to providing a unified view of disparate technologies, it facilitates migrating endpoints from one solution to another with “one-click” software removal and reinstalls. Closed-loop verification ensures that updates and other changes are completed, including Internet-enabled verification for endpoints disconnected from the network.
Analytics and reporting
Organizations need to quickly report their organization’s threat posture to executives and perform advanced analysis to drive next steps. BigFix Insights provides a powerful endpoint and integration platform and database for deeper data insights across traditional on-premise, cloud, and MDM API-managed endpoints. BigFix Insights leverages Business Intelligence (BI) reporting tools to provide out-of-the-box and customizable reports. BigFix Insights is included with BigFix Compliance.
Vulnerability remediation
Currently it can take days or weeks for IT Operations to remediate vulnerabilities after a vulnerability scan, exposing organizations to potential attacks. BigFix Insights for Vulnerability Remediation automates the typically manual correlation of vulnerability data from Tenable or Qualys with remediation Fixlets available within BigFix. Using BigFix Insights for Vulnerability Remediation, organizations can speed remediation of endpoint vulnerabilities across the enterprise by compressing the time from vulnerability assessment to remediation; dramatically reduce errors from spreadsheet-based, manual processes; and improve an enterprise’s security posture by reducing the attack surface across the fleet of endpoints. BigFix Insights for Vulnerability Remediation is included with BigFix Compliance.
Modern client management
Organizations are deploying Windows 10 and macOS endpoints across the enterprise at an accelerated pace. Both operating systems are capable of being managed using either a traditional agent or Mobile Device Management (MDM) APIs. Leveraging both approaches together provides the greatest range of management and automation capabilities. BigFix Modern Client Management allows organizations the ability to manage both modern and legacy endpoints side-by-side using a single, enterprise endpoint management solution. BigFix Modern Client Management is included with BigFix Compliance.
Integration options
BigFix is integrated with other IT security solutions to extend its functionalities and provide deeper endpoint intelligence, identify risks, and remediate vulnerabilities more effectively. For example, BigFix is tightly integrated with Security Information and Event Management (SIEM) solutions such as IBM QRadar; Endpoint Detection and Response (EDR) solutions such as Carbon Black; and Network Access Control (NAC) solutions such as Forescout.
Prerequisites
The prerequisites for BigFix Compliance are available online at help.hcltechsw.com/bigfix/landing/index.html.
Why BigFix?
The HCL BigFix endpoint management platform helps IT Operations with Continuous Compliance and Intelligent Automation to manage over 100 operating system versions, enabling streamlined management processes, tool consolidation and operational cost reduction.
Unlike complex tools that cover a limited portion of endpoints, the unified architecture of BigFix can effectively manage and ensure compliance of all servers, desktops, and mobile devices whether they are in the office, at home or in the cloud. BigFix can find and fix endpoints faster than any other solution – delivering greater than 98% first-pass patch success rates.
BigFix integrates with leading vulnerability management solutions like Tenable and Qualys to dramatically reduce the time required to remediate vulnerabilities. It also extends its well-established endpoint management capabilities to AWS, Azure, and Google clouds, enabling organizations to use a single solution to manage multiple clouds and on-prem in a consistent manner.
The unique approach of BigFix, coupled with thousands of out-of-the-box security checks, will enhance your security posture and automate the fight against ransomware and other cyberattacks.
The BigFix Family
BigFix is the only endpoint management platform that enables IT operations and security teams to fully automate the discovery, management and remediation of vulnerabilities and assets – for every endpoint, whether it's on-prem, virtual, cloud or mobile – regardless of operating system, location or connectivity.
BigFix empowers businesses and organizations to find more, fix more and do more, faster.
The BigFix family includes:
• BigFix Lifecycle to automate endpoint lifecycle management by enabling software and operating system deployment, continuous compliance, self-service software catalog, power management, server automation, and vulnerability remediation
• BigFix Compliance to continuously monitor and enforce endpoint security configurations and ensure compliance with regulatory or organizational security policies using thousands of out-of-the-box compliance checklists.
• BigFix Inventory to discover and manage over 100,000 software titles, reduce software license costs and mitigate security risks of unauthorized software.
• BigFix Insights unifies and analyzes data from BigFix and third-party solution providers with deep analytics, new business processes, and powerful reporting.
• BigFix Mobile extends modern endpoint management capabilities to iOS and Android devices.
Visit www.hcltechsw.com/bigfix/offerings/products for more information.
For more information
To learn more about BigFix, contact your HCL Software representative, HCL Business Partner, or visit www.BigFix.com.
About HCL Software
HCL Software, a division of HCL Technologies (HCL) develops, markets, sells, and supports over 30 product families in the areas of Customer Experience,
Digital Solutions, DevSecOps, and Security and Automation. HCL Software is the cloud native solution factory for enterprise software and powers millions of
apps at more than 20,000 organizations, including over half of the Fortune 1000 and Global 2000 companies. HCL Software's mission is to drive ultimate
customer success with its IT investments through relentless product innovation.
© Copyright 2021 HCL
All product names, trademarks and registered trademarks are property of their respective owners.
072021