But the reality is that no single product will produce, at the press of a button, a report that makes your auditor go away any faster. Take PCI DSS as an example. PCI DSS consists of 12 requirements, roughly seven or eight of which could be reported on by a comprehensive security information management (SIM) environment. But requirements such as written policies and physical access controls are not readily pumped into a reporting engine.
Many compliance software products today emphasize managing people and processes rather than technology. So these tools will have self-surveys and other ways to document some of the softer issues around compliance, rather than just pulling information from firewall and IPS logs.
Additionally, look for leverage in this environment. One of the key things to evaluate is a comprehensive mapping of security controls to regulations. A single control, such as a firewall or an access control mechanism, applies to HIPAA, GLBA and PCI DSS alike. There is no point in reporting on the same information separately for each regulation, so there should be a research team behind the product that keeps these mappings up to date as the regulations change.