This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."
We created test policies and attempted to link those policies both to the regulatory requirements and to the technical controls used to implement the governing policy. In other words, can you actually use the tool to track compliance activities, track the implementation of the technical controls specifically required by the regulation, and track the operation of those controls in the field?
For example, in order to understand what risk applies to a legacy system that doesn't support a particular control, you need to know what the system does, how it's used, what compensating controls might be in place and what systems are dependent on it. Typically, that means getting data from the business, IT, external parties (such as service providers) and the compliance department.
A tool that can automate this process and preserve the information gathered in a central repository is essential to conduct formal risk analyses. To this end, we looked at the ability of the products to help gather data about particular systems/processes and their relative risk, evaluate that risk and put it in context. A key related area is the products' ability to record and track areas of the firm where technical controls could not be implemented, as well as features that analyze the level of risk associated with those exceptions.
This was first published in June 2008.