EXPERT RESPONSE
That's kind of a broad question without a simple yes or no answer. Unfortunately, it depends on what you are trying to do. There are a number of security management products that will gather information about an environment and provide reports that show how specific controls have been deployed. These products usually go under the banner of security information management, but can also come from a log management or a forensics offering.
But the reality is that no single product is going to produce a report at the press of a button that will make your auditor go away any faster. Let's take PCI DSS as an example. PCI DSS consists of 12 different requirements, roughly seven or eight could be reported on by a comprehensive SIM environment. But things like policies and physical access are not readily pumped into a reporting engine.
Many compliance software products today emphasize managing people and processes rather than technology. So these tools will have self-surveys and other ways to document some of the softer issues around compliance, rather than just pulling information from firewall and IPS logs.
Additionally, you need to find leverage in this environment. One of the key aspects that you should be looking for is a comprehensive mapping of security controls to regulations. Something like a firewall or access control will apply to things like HIPAA, GLBA and PCI DSS. There is no use in having to report on all this information separately, so there should be a research team behind the product that will keep these mappings up to date.
For more information:
In this tip, Mike Rothman explains common mistakes in the security product purchase process.
Joel Dubin identifies the several identity management auditing tools on the market, and discusses which products best suit your needs.
|
