In the July 2003 Information Security magazine cover story, IT risk assessment: Using security resource planning products to improve, we evaluated three security resource planning (SRP) products based on the key criteria listed below.
Framework/approach. Each SRP vendor has a different framework and varied approach to managing risk. The usage and processes that map inherently to the application will help the organization integrate a solution into its environment to evaluate risk levels, apply controls and remediate vulnerabilities.
Risk measurement. Measuring risk, even in a basic way, allows enterprises to identify those areas that require protection and prioritize the workload. Vendors should provide some level of risk measurement, whether it's at a general level (high, medium, low) or more quantitative and specific. Measurement aids in risk evaluation and follow-up assessment of remediation activity.
Content and knowledge management. The ability to capture and distill public security information--alerts, patch updates, etc.--allows an enterprise to justify its approach to regulatory compliance. These vendors may provide content from public sources or their own research, along with a strategy for incorporating this information into the application functions.
Asset and vulnerability identification/discovery. It's critical to identify the assets being protected and their current vulnerabilities. These products may integrate with third-party tools, provide their own version of open-source software, and/or accept data from multiple sources. Vendors use this function to maintain a foundation of asset and vulnerability information.
Task management. After risk is assessed and regulations are mapped to control requirements, the real work begins. A vendor must be able to make task assignments and manage the remediation process to completion to actually reduce risk. Managing tasks in a cohesive way has been a fleeting exercise; these vendors all aim to automate the process.
Dashboard and reports. Risk management is a C-level concern. These solutions provide reports about exposures from the most technical level to the high-level dashboard. Vendors vary in their ability to provide charts and reports and trending capabilities. This ability ensures that the CISO gets accurate information as it is summarized.
Pete Lindstrom is research director for Spire Security and a member of Information Security's editorial advisory board.