This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."
Download it now to read this article plus other related content.
However, we didn't need to. Archer ships with a stock policy that is pre-mapped to a large number of regulatory frameworks. Given Archer's roots in the financial services sector, we were not surprised to see some relatively specific requirements such as FTC 16 CFR Part 314 (GLBA) and the FFIEC Information Security Booklet. We were, however, pleasantly surprised to also find more general guidance, such as COBIT and ISO 17799 (although they still need to update the numbering), as well as specific guidance for other regulated industries, such as HIPAA for healthcare and PCI for retail.
Although the stock policies are quite comprehensive, most firms will need to modify them to reflect their own requirements. We found this process a bit counterintuitive. The editing function allows you to directly modify the policy supplied by Archer, but you're better off avoiding that and using Archer's somewhat kludgy alternative.
The problem is that Archer's periodic updates to the stock policy (as well as the mapping to the regulatory frameworks) will overwrite any custom changes you make to the stock policy directly. Archer recommends
| that instead of modifying its policies, you create a new policy statement with customized text, link it to the stock policy, and update your firm's views to display the new statement. The stock statements live on--just out of view of the users.
The upshot is you will need to periodically revisit your custom policy to ensure that it reflects updates, such as changes to regulatory requirements.
Nevertheless, exceptions are easy to create and relatively straightforward. You simply select a control to associate with the exception and enter information along with compensating controls to address the issue. The workflow allows exceptions to go from user entry to information security review and keeps track of approvals and timeframe for expiration.
The risk management feature is straightforward. You assign risk to entities entered via the asset module and score them according to a number of different risk vectors. For example, we used the asset module to create a new application and assigned an initial business criticality weight as well as risk profile (high, medium or low.) From there we were able to apply questionnaires to the asset to determine how it performed relative to items of interest, such as whether cryptography was employed.
This was first published in June 2008