This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."
Download it now to read this article plus other related content.
These questionnaires targeted specific controls that have an impact on the overall risk of the application and include factors like vulnerabilities, cryptographic controls, access control, and so on. The responses to the questionnaires fit directly into the overall risk ascribed to the application. The workflow ensures that appropriate personnel review the submission and are alerted if it is completely noncompliant.
In navigating and using SmartSuite, we found the Archer community to be head and shoulders above what you typically get with a vendor knowledge base or other support portal. The community allows users to interact with each other, ask questions of the Archer engineering team, and receive extensive training on use and configuration of the product.
Monitoring technical controls is also less automated than some of the competition. Archer provides instructions on how to create linkages between automated vulnerability assessment
| tools (e.g., Qualys), but automated vulnerability assessments may not give you the whole picture. There's little out-of-the-box integration of additional tools, such as other vulnerability assessment scanners, IPSes, SIEMs, etc., but you can use the flexible API to allow custom data consumption applications to be written using feeds from files/databases, etc.
One nice feature lets you correlate information from a number of threat publication sources, such as Verisign iDefense and Symantec DeepSight, in addition to custom entry of threat data.
While Archer is heavy on policy management, Control Compliance Suite 8.60 (CCS) has a deep focus on the management and monitoring of technical controls, providing quite a bit of functionality to assist in tasks like network discovery, automated validation of host technical configuration, and so on.
The software can be installed in standalone or enterprise mode, depending on whether you intend to host the database on the same box as the information server or use a different box for the database. Additionally, enterprise mode is required if you intend to make use of the Web portal integration with Microsoft IIS. We installed the product in enterprise mode, as this allowed access to the Web portal and supported a remote database and remote data collection.
This was first published in June 2008