Manage Learn to apply best practices and optimize your operations.

Are there security management products that can track compliance objectives?

Mike Rothman discusses the products available for tracking your corporation's compliance objectives.

Are there integrated security management systems (ISMS) that track against compliance objectives?
That's kind of a broad question without a simple yes or no answer. Unfortunately, it depends on what you are trying to do. There are a number of security management products that will gather information about an environment and provide reports that show how specific controls have been deployed. These products usually go under the banner of security information management, but can also come from a log management or a forensics offering.

But the reality is that no single product is going to produce a report at the press of a button that will make your auditor go away any faster. Let's take PCI DSS as an example. PCI DSS consists of 12 different requirements, roughly seven or eight could be reported on by a comprehensive SIM environment. But things like policies and physical access are not readily pumped into a reporting engine.

Many compliance software products today emphasize managing people and processes rather than technology. So these tools will have self-surveys and other ways to document some of the softer issues around compliance, rather than just pulling information from firewall and IPS logs.

Additionally, you need to find leverage in this environment. One of the key aspects that you should be looking for is a comprehensive mapping of security controls to regulations. Something like a firewall or access control will apply to things like HIPAA, GLBA and PCI DSS. There is no use in having to report on all this information separately, so there should be a research team behind the product that will keep these mappings up to date.

For more information:

  • In this tip, Mike Rothman explains common mistakes in the security product purchase process.
  • Joel Dubin identifies the several identity management auditing tools on the market, and discusses which products best suit your needs.
  • This was last published in December 2007

    Dig Deeper on PCI Data Security Standard

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.