GRC Tools Help Manage Regulations


This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."

Download it now to read this article plus other related content.

Symantec's Strengths
At first, we were a bit skeptical about the policy creation interface (not the prettiest interface we've ever seen), but using it to write policy was straightforward despite the initial awkwardness.

We were able to author policy, import existing policy from Microsoft Word documents and approve publication to the CCS Web portal. The tool supports a policy authorship workflow in much the same way Archer does, allowing us to defer publication until approval and to keep a recorded archive once a new version is created.

Surprisingly, we found ourselves missing the kind of stock policy supplied by Archer. Symantec has a number of sample policies (templates), but we found that importing our own policies or creating new policies from scratch using the policy import and creation tools took less time than customizing the templates.

One feature that really stood out was the flexibility provided to map policy to the compliance frameworks and regulations CCS provides. The mechanism is a mapping editor that's reminiscent of the relationship manager feature of Microsoft Access. Though it took us a while to figure out how to use it, the mapping editor provides tremendous flexibility in making connections between policy, framework and regulatory items. The ability to see these relationships visually had a definite "cool

    Requires Free Membership to View

factor." Of course, while this is a flexible approach, it requires a bit of manual interaction to maintain. An enterprise seeking to make heavy use of the policy portion of this tool would require more ramp-up time to get ready for full deployment.

CCS is very strong on technical controls. The product ships with a large number of technical standards packs that can be used as a benchmark against which to compare devices that it is aware of. The standards packs draw on familiar source material, such as NSA configuration guides and the CIS configuration benchmarks.

The technical information-gathering feature supports a very large number of devices for remote profiling. CCS can use an agent or agentlessly retrieve data across a diverse range of platforms, such as various Windows versions and multiple flavors of Unix and Linux.

This was first published in June 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: