Feature

GRC Tools Help Manage Regulations

This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."

Compliance
We evaluated how these GRC products might facilitate compliance efforts by determining how they can help organizations understand, record and document where and how they meet specific regulatory requirements. How do they help you author policy, map regulatory requirements to policy, and, in turn, map specific technical controls to that policy? We also looked at the ability to create highly granular policies. For example, can you map a specific technical control on a particular server all the way back to the driving requirement for that control?

We created test policies and attempted to link those policies both to the regulatory requirements and to the technical controls used to implement the governing policy. In other words, can you actually use the tool to track compliance activities, track the implementation of technical controls specifically required by the regulation, and track the operation of those controls in the field?

Risk Management
Analyzing business risk is tough enough, but regulatory requirements add a layer of complexity that is fueling the market for specialized tools. Think of your own environment, where the data required to determine what risk applies to a particular set of devices, applications or processes is probably spread throughout the company.

For example, in order to understand what risk applies to a legacy system that doesn't support a particular control, you need to know what the system does, how it's used, what compensating controls might be in place and what systems are dependent on it. Typically, that means getting data from the business, IT, external parties (such as service providers) and the compliance department.

A tool that can automate this process and preserve the information gathered in a central repository is essential to conduct formal risk analyses. To this end, we looked at the ability of the products to help gather data about particular systems/processes and their relative risk, evaluate that risk and put it in context. A key related area is the products' ability to record and track areas of the firm where technical controls could not be implemented, as well as features that analyze the level of risk associated with those exceptions.
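The two evaluation criteria above (tracing a control on a specific host back to the requirement that drives it, and recording where a control could not be implemented) come down to a traceability store. The following is an added illustration, not code from the article or from any GRC product reviewed in it: a small Python registry that links requirements to policies, policies to controls, and controls to per-host status or approved exceptions, then answers the questions the authors asked of the tools. All requirement, policy, control and host identifiers are constructed sample data.

```python
from collections import defaultdict


class TraceabilityRegistry:
    """Constructed example of a requirement -> policy -> control -> host traceability store."""

    def __init__(self):
        self.requirements = {}   # req_id -> requirement text
        self.policies = {}       # policy_id -> set of req_ids the policy addresses
        self.controls = {}       # control_id -> set of policy_ids the control implements
        self.status = {}         # (control_id, host) -> "operating" | "failed"
        self.exceptions = {}     # (control_id, host) -> approved reason the control is absent

    def add_requirement(self, req_id, text):
        self.requirements[req_id] = text

    def add_policy(self, policy_id, req_ids):
        # Refuse dangling links so every policy traces to a real requirement.
        unknown = set(req_ids) - self.requirements.keys()
        if unknown:
            raise KeyError(f"policy {policy_id} cites unknown requirements {sorted(unknown)}")
        self.policies[policy_id] = set(req_ids)

    def add_control(self, control_id, policy_ids):
        unknown = set(policy_ids) - self.policies.keys()
        if unknown:
            raise KeyError(f"control {control_id} cites unknown policies {sorted(unknown)}")
        self.controls[control_id] = set(policy_ids)

    def record_status(self, control_id, host, operating):
        """Status as reported by an agent, a poll, or an imported scan result."""
        self.status[(control_id, host)] = "operating" if operating else "failed"

    def record_exception(self, control_id, host, reason):
        """Approved exception: the control is not implemented on this host, with the reason."""
        self.exceptions[(control_id, host)] = reason

    def trace(self, control_id):
        """Walk control -> policies -> requirements; returns sorted requirement ids."""
        reqs = set()
        for policy_id in self.controls[control_id]:
            reqs |= self.policies[policy_id]
        return sorted(reqs)

    def host_report(self, host):
        """For one host, which requirements are met, failed, or covered by an exception."""
        report = defaultdict(set)
        for (control_id, h), state in self.status.items():
            if h == host:
                report[state].update(self.trace(control_id))
        for (control_id, h) in self.exceptions:
            if h == host:
                report["excepted"].update(self.trace(control_id))
        return {state: sorted(reqs) for state, reqs in report.items()}

    def uncovered_requirements(self):
        """Requirements that no control implements: a gap in the policy/control mapping."""
        covered = set()
        for control_id in self.controls:
            covered.update(self.trace(control_id))
        return sorted(self.requirements.keys() - covered)

    def unaccounted_hosts(self, control_id, hosts):
        """In-scope hosts with neither a monitored status nor an approved exception."""
        return sorted(h for h in hosts
                      if (control_id, h) not in self.status
                      and (control_id, h) not in self.exceptions)


def build_sample_registry():
    """Constructed sample data; identifiers are illustrative, not from any regulation."""
    reg = TraceabilityRegistry()
    reg.add_requirement("REQ-1", "Protect stored sensitive data (constructed)")
    reg.add_requirement("REQ-2", "Track and monitor access to system components (constructed)")
    reg.add_requirement("REQ-3", "Maintain a vulnerability management program (constructed)")
    reg.add_policy("POL-ENCRYPT", ["REQ-1"])
    reg.add_policy("POL-LOGGING", ["REQ-2"])
    reg.add_control("CTL-DISK-ENC", ["POL-ENCRYPT"])
    reg.add_control("CTL-AUDITD", ["POL-LOGGING"])
    reg.record_status("CTL-DISK-ENC", "db01", operating=True)
    reg.record_status("CTL-AUDITD", "db01", operating=True)
    reg.record_status("CTL-AUDITD", "web01", operating=False)
    reg.record_exception("CTL-DISK-ENC", "legacy01",
                         "vendor OS lacks disk encryption; network segmentation compensates")
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print("CTL-DISK-ENC traces to:", reg.trace("CTL-DISK-ENC"))
    print("legacy01 report:", reg.host_report("legacy01"))
    print("requirements with no control:", reg.uncovered_requirements())
    print("hosts unaccounted for CTL-DISK-ENC:",
          reg.unaccounted_hosts("CTL-DISK-ENC", ["db01", "web01", "legacy01"]))
```

The point of `uncovered_requirements` and `unaccounted_hosts` is that the same store answers both halves of the evaluation: a requirement with no implementing control is a policy-mapping gap, while a host with neither a status nor an exception is a monitoring gap, and a reviewer needs both lists, not just the list of controls that are operating.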

Technical Controls
Finally, we considered how products manage the many technical controls that firms might be interested in from a compliance and governance perspective. We assumed from the get-go that different products would have varied ways to monitor controls. For example, a product might use an agent on the remote host to periodically poll the device, and/or import data from other sources, such as vulnerability assessment tools, to gain information about the status of system and application controls. The bottom line: Does the product provide enough information, and the right kind of information, to be of real use?

Methodology

CLICK HERE for the targeted functionality of this analysis (PDF).

This was first published in June 2008
