Polivec Compliance Management System 3.7
Price: $25,000, plus $600/server
In the pressurized regulatory compliance environment that's escalated security to a boardroom priority, organizations that already have a firm grasp on policy creation, auditing and enforcement are best positioned to meet the challenge. They don't look for silver-bullet answers, but for tools that simplify compliance management and control costs.
Polivec Compliance Management System (CMS) 3.7 is that kind of tool. It combines natural-language compliance policies and an intuitive Web-based reporting interface with robust vulnerability, configuration management, and auditing and reporting capabilities. Its completeness reflects Polivec's eight-plus years of developing complex software designed specifically for compliance with the many applicable regulations and standards, including HIPAA, GLBA, ISO 17799, FISMA, the European Privacy Directive and SOX.
Polivec's information security policies are impressive in breadth and usability, and are based on standards (such as ISO 17799 and COBIT), regulations and best practices from CERT, NSA, SANS and NIST. Organizations can import existing policies and link them to the CMS engine using Polivec's XML-based Policy Description Language. The natural-language policy interface -- rules like "passwords should not be less than eight characters" and "all logs from security-generated events must be stored" -- is actually driven by Microsoft Office 2004 XML-tagging functionality. XML-based automated rules are easily created and embedded with the aid of graphical wizards.
Policy creation is one thing; linking the policy to information about the current state of systems across your enterprise is another. CMS uses both agent-based and agentless (admin credential login) technology to monitor and audit systems for a broad range of settings, such as patch level, account security, password policy, audit logging, file and directory security, remote access and allowed services for Windows and many *nix systems.
The agentless scans are adequate to gather most system configuration information from target systems, but the small-footprint agents are the primary engine for flexibly and efficiently gathering information across large numbers and types of systems and incorporating it into CMS's Oracle database. Asset inventory and organization can be based on Active Directory objects and/or groups defined through the CMS console. Policies can be defined by group, and audits can be scheduled or executed on demand globally or by asset group. Organizations can establish continuous monitoring for systems or applications, with risk alerts based on asset value and vulnerability level.
The reporting engine is the payoff for status-checking, remediation and audit preparation. Performing gap analysis through the comparison of applicable policy and information in the database, CMS delivers technical summaries and high-level trends and analyses, with more than 100 default reports. Custom reports can be generated through Crystal Reports and can be exported in PDF.
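To make the gap analysis concrete, here is an added example (not Polivec's code, and the XML format is a constructed stand-in, not Polivec's Policy Description Language): a small rule set in the spirit of the rules quoted above is compared with constructed agent-collected settings, and each finding is weighted by asset value and rule severity, as the review describes for risk alerts.

```python
# Added illustration of policy-versus-state gap analysis; not Polivec's code.
# The XML schema below is constructed for this example and is NOT Polivec's PDL.
import xml.etree.ElementTree as ET

# Constructed policy: each rule names a collected setting, a comparison and a threshold,
# mirroring the natural-language rules quoted in the review.
POLICY_XML = """
<policy name="password-and-logging">
  <rule id="PW-1" text="Passwords should not be less than eight characters"
        setting="min_password_length" op="ge" value="8" severity="2"/>
  <rule id="LOG-1" text="All logs from security-generated events must be stored"
        setting="security_audit_logging" op="eq" value="enabled" severity="3"/>
  <rule id="PW-2" text="Account lockout after at most ten failed logons"
        setting="lockout_threshold" op="le" value="10" severity="1"/>
</policy>
"""

# Constructed agent output: per-asset settings plus the asset value used to weight alerts.
# fs02 deliberately lacks lockout_threshold to show how a missing setting is handled.
ASSETS = {
    "dc01":  {"value": 5, "min_password_length": 12, "security_audit_logging": "enabled",  "lockout_threshold": 5},
    "web07": {"value": 3, "min_password_length": 6,  "security_audit_logging": "disabled", "lockout_threshold": 50},
    "fs02":  {"value": 4, "min_password_length": 8,  "security_audit_logging": "enabled"},
}

OPS = {"ge": lambda a, b: int(a) >= int(b),
       "le": lambda a, b: int(a) <= int(b),
       "eq": lambda a, b: str(a) == str(b)}

def load_rules(xml_text):
    """Parse the constructed policy XML into a list of rule attribute dicts."""
    return [r.attrib for r in ET.fromstring(xml_text).iter("rule")]

def gap_analysis(rules, assets):
    """Compare collected settings with policy and return findings ordered by risk
    (severity * asset value). A setting the agent did not report is a finding, not a pass."""
    findings = []
    for host, state in assets.items():
        for rule in rules:
            actual = state.get(rule["setting"])
            if actual is None or not OPS[rule["op"]](actual, rule["value"]):
                findings.append({"host": host, "rule": rule["id"], "expected": rule["value"],
                                 "actual": actual, "risk": int(rule["severity"]) * state["value"]})
    return sorted(findings, key=lambda f: -f["risk"])

def compliance_summary(rules, assets):
    """Executive-style summary: percentage of rule checks passed per asset."""
    failed = gap_analysis(rules, assets)
    return {h: round(100 * (1 - sum(f["host"] == h for f in failed) / len(rules))) for h in assets}

if __name__ == "__main__":
    for f in gap_analysis(load_rules(POLICY_XML), ASSETS):
        print(f)
    print(compliance_summary(load_rules(POLICY_XML), ASSETS))
```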
Executive-level summaries of system compliance can be based on regulation, IP address, geographic location, operating system and organizational breakdown, and can be customized with pie charts or bar/line graphs.
Technical reports cover the status of individual systems, regulation rules and configuration management.
CMS also includes an educational module that provides a workflow for disseminating policy.
It's a standout among software products designed to solve the business challenge of enterprise regulatory compliance. CMS's unique and holistic approach to fully automating the policy design, enforcement and reporting process offers real value at the right price for organizations of all sizes.
About the author
James C. Foster, Fellow, is the Deputy Director of Global Security Solutions at CSC. Foster has contributed to more than 15 books and has held executive positions at Foundstone, Guardent and the U.S. Department of Defense.
This review originally appeared in the May 2005 edition of Information Security magazine.