Information Security

Defending the digital infrastructure


Risk and Policy Management

2007 Readers' Choice Awards: Risk, policy, configuration and vulnerability management

GOLD | Tripwire Enterprise

Price: Not provided by Tripwire

Information security professionals have to deal with more than traditional Internet threats. More than ever, they're evaluating and managing risk from a business perspective, which means vulnerability management tools touted for risk management use just won't cut it. Security managers need tools that can keep tabs on incremental changes to the network that could cause irreparable damage.

That's part of what David Lewis, head of security at the Independent Electricity System Operator (IESO) in Ontario, Canada, was looking for in a tool to help with risk and policy management processes. His organization chose Tripwire Enterprise, the Readers' Choice gold medal winner for risk and policy management.

A longtime Tripwire customer, Lewis has used Enterprise at IESO for approximately seven months. He says it's easy to use, and enjoys that it's Web-enabled and provides tiered-access control.

While many enterprises mitigate risks only after they are discovered, Tripwire lets security staff act proactively, assessing and correcting problems as they arise. Tripwire monitors files, directories, registry settings, directory server objects and configuration files on file and directory servers and network devices, in real time.

Security managers will also appreciate Tripwire's "reconciliation techniques" that map to any organization's change policies. These techniques use multiple acceptance criteria, change categories and conditional change actions, making it easier for policymakers to ensure that an authorized person implemented a change and that the change occurred within a defined time period.
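The pattern the two paragraphs above describe, a hashed baseline that is diffed against a later snapshot and then reconciled against an approved change window (authorized users, a path scope and a time period), is shown below as an added example. This is illustrative code written for this page, not Tripwire's implementation; the file contents, user names, timestamps and the `ChangeWindow`, `ChangeRecord` and `reconcile` names are all assumptions constructed for the demonstration.

```python
# Added example (not Tripwire's code): a minimal file-integrity baseline with
# change reconciliation against an approved change window. All file contents,
# users and timestamps below are constructed for the demonstration.
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timedelta


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_from_bytes(files: dict[str, bytes]) -> dict[str, str]:
    """Baseline as path -> content hash, built from in-memory contents."""
    return {path: sha256_bytes(data) for path, data in files.items()}


def snapshot_directory(root: str) -> dict[str, str]:
    """Same baseline built from a real directory tree (hashes every file)."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = sha256_bytes(fh.read())
    return snap


@dataclass(frozen=True)
class Change:
    path: str
    kind: str  # change category: "added", "removed" or "modified"


def detect_changes(baseline: dict[str, str], current: dict[str, str]) -> list[Change]:
    """Diff two snapshots into categorised changes, sorted for stable output."""
    changes = []
    for path in sorted(baseline.keys() | current.keys()):
        if path not in current:
            changes.append(Change(path, "removed"))
        elif path not in baseline:
            changes.append(Change(path, "added"))
        elif baseline[path] != current[path]:
            changes.append(Change(path, "modified"))
    return changes


@dataclass(frozen=True)
class ChangeWindow:
    """Acceptance criteria: who may change which paths, and when (assumed shape)."""
    path_prefix: str
    authorized_users: frozenset
    start: datetime
    end: datetime

    def accepts(self, path: str, user: str, when: datetime) -> bool:
        return (path.startswith(self.path_prefix)
                and user in self.authorized_users
                and self.start <= when <= self.end)


@dataclass(frozen=True)
class ChangeRecord:
    """Who touched a path and when, e.g. from a ticket or audit log (assumed shape)."""
    path: str
    user: str
    when: datetime


def reconcile(changes, records, windows):
    """Map each detected change to a disposition and a conditional action.

    A change is 'authorized' when some record for that path satisfies an
    acceptance window; everything else is 'unauthorized'. Conditional action:
    authorized changes are promoted into the new baseline, unauthorized ones
    raise an alert, and unauthorized removals are escalated.
    """
    report = {}
    for change in changes:
        authorized = any(
            rec.path == change.path and win.accepts(rec.path, rec.user, rec.when)
            for rec in records for win in windows)
        if authorized:
            action = "promote-baseline"
        elif change.kind == "removed":
            action = "alert-high"
        else:
            action = "alert"
        report[change.path] = ("authorized" if authorized else "unauthorized",
                               change.kind, action)
    return report


def demo():
    """Constructed sample: a baseline, a later snapshot and the change log."""
    t0 = datetime(2007, 3, 1, 22, 0)
    baseline = snapshot_from_bytes({
        "etc/ssh/sshd_config": b"PermitRootLogin no\n",
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
        "etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
        "var/www/index.html": b"<h1>hello</h1>\n",
    })
    current = snapshot_from_bytes({
        "etc/ssh/sshd_config": b"PermitRootLogin yes\n",   # outside any window
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",       # unchanged
        "var/www/index.html": b"<h1>hello v2</h1>\n",       # approved web deploy
        "var/www/new.html": b"<p>new</p>\n",                # approved web deploy
    })                                                      # cron job is gone
    windows = [ChangeWindow("var/www/", frozenset({"webdeploy"}),
                            t0, t0 + timedelta(hours=2))]
    records = [
        ChangeRecord("var/www/index.html", "webdeploy", t0 + timedelta(minutes=30)),
        ChangeRecord("var/www/new.html", "webdeploy", t0 + timedelta(minutes=31)),
        # right user and time, but the window does not cover this path
        ChangeRecord("etc/ssh/sshd_config", "webdeploy", t0 + timedelta(minutes=40)),
    ]
    return reconcile(detect_changes(baseline, current), records, windows)


if __name__ == "__main__":
    for path, (disposition, kind, action) in demo().items():
        print(f"{disposition:12} {kind:9} {action:17} {path}")
```

The reconciliation deliberately requires all three criteria (path scope, authorized user, time window) to hold for a single change record: a record from the right user at the right time still fails when it touches a path the window does not cover, which is the case that catches changes riding on someone else's approved maintenance.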

Its online dashboards and reports can also be customized for any environment to show status and history across an enterprise.

Lewis says one major draw of Enterprise is its ability to take the guesswork out of monitoring the system, a feature that will appeal to multitasking managers charged with investigating and mitigating enterprise risks. Readers gave Tripwire Enterprise high marks for its granular and flexible policy management definition capabilities, and for its ability to identify policy violations and understand security risks.

SILVER | Symantec Control Compliance Suite

Price: $1,000 per server

Readers gave high scores to Symantec's Control Compliance Suite for its granular and flexible policy management definition capabilities, its ability to identify policy violations and its integration with applications and devices.

The suite automates compliance measurement and displays pass/fail scores against regulations and frameworks, giving management an accurate reflection of how systems hold up to regulatory mandates. The product also offers guidance for addressing noncompliant servers and workstations when violations are detected. The suite is available on multiple platforms, enabling managers in heterogeneous environments to visually assess and mitigate complex compliance issues.

BRONZE | Altiris SecurityExpressions

Price: $895 per server node

Altiris SecurityExpressions provides enterprises with a scalable agentless or agent-based configuration management solution that readers say is easy to use and offers strong trend reporting. It allows organizations to audit desktops, laptops and servers for compliance with security configuration policies. Systems can be audited on connection, as well as on schedules.

Readers touted its ability to identify policy violations, granular and flexible policy definition capabilities and solid return on investment. The product includes customizable policy files from organizations like NIST, CIS and SANS, and policy files for industry regulations such as SOX, FISMA and HIPAA. Altiris was recently acquired by Symantec.

In the trenches

Assessments, people problematic in managing risk

Security managers must stave off risk with comprehensive assessments.

"With big risks come big rewards" doesn't hold true for security managers, for whom big risks are a recipe for big failures. And, while risk factors differ between markets, the challenges and best practices for maintaining a risk management strategy are surprisingly similar.

"Risk management is an essential component to the information security officer; you can't secure things you don't know about," says Stan Gatewood, CISO at the University of Georgia.

Security managers say documenting risks is one of their greatest challenges.

"Risks aren't solely confined to technical operations; there are often compliance and other esoteric risks to consider," explains Ernie Hayden, CISO for the Port of Seattle.

Budget constraints are also commonly cited as pain points, especially for government-funded institutions, whose employees are often asked to do more with less.

People can be problematic, too. "Complacency is often a factor. Many believe in a 'if it ain't broke don't fix it' attitude, making it hard to move from a reactive to a proactive mindset," Gatewood says.

So what can be done to reduce the risk of data loss? For those who have the budget, use products that not only help manage risk but offer a good ROI.

Nick Garbidakis, CIO/CTO for the American Bible Society, uses Ecora Enterprise Auditor.

"Without this kind of system, someone has to go through every server and update manually. The system makes sure everything is updated and gives us reports. Before, we were reactive to issues. The reports show us who was in systems, what happened overnight. It enables us to be more proactive," he says.

Those who don't have the budget can start investigating policies and standards, like NIST 800-30, COSO and ISO 27001, to provide guidance for risk assessments.

Once a risk assessment has been conducted, CISOs should be able to classify risk types and define acceptable risk levels. The next step is education at every tier.

"I conduct seasonal brown-bag seminars that employees can voluntarily attend," says Hayden.

For upper management, provide quantifiable data and position yourself as an expert in the field, recommends Gatewood. "This means doing your homework, putting on the glasses, reading about risk management and how it applies to your sector."

Equally important, Hayden says, is to respect and trust senior management, regardless of what they do with the information gathered; they may know something you don't that may contribute to business failure.

Finally, keep abreast of security issues.

"Bad guys are getting sophisticated, and technical controls aren't as strong as they used to be. Therefore, we need to think through all risk factors," says Hayden.

Article 15 of 21
