PCI regulations, I would click on that item and get a summary report showing how many items were passing or failing, as well as the scores for departments affected by that particular collection of regulations. I could also drill down to examine specific departments, such as legal, to see whether they were in or out of compliance.
Learning the lingo
I found that the toughest parts of using Risk Manager were learning the jargon that appears in the product and getting a handle on the product’s moving parts as I began creating test business processes with associated controls.

With that said, the documentation included with Risk Manager did provide me with enough information to get up to speed with the various metrics used to assemble an overall security posture, along with the compliance scores for particular risk factors, such as physical perimeter security or e-mailing private customer data.
Each control point—such as one for assessing desktop physical security—is assigned a series of survey questions that are sent to the various staffers involved. As the surveys are completed, the overall security posture index score is calculated and presented in a summary screen that also shows historical trends, the particular compliance regulations referenced for that posture and which departments are subjected to that particular set of regulations.
Once you learn your way around, there is another steep learning curve to conquer before you can start generating useful reports and understanding your compliance landscape. Risk Manager is meant to serve as a comprehensive tracking device across many disciplines and functional areas of the corporation. However, to put together meaningful, effective policies, IT managers must spend time making sure they completely understand their organizations and their business processes.
You also can conduct assessments that are geared toward meeting particular compliance regulations, such as HIPAA, or rules relating to your external-facing Web applications. You can keep track of who ran the assessment and when, as well as its current stage of completion.

You can build fairly complex criteria for screening particular users, networks or other objects, which Lumension calls subjects. For example, you can set up a way to limit the PCI guidelines to external wireless contractors.

As you might imagine, a product of this complexity needs a solid search engine to allow the user to find something quickly, and search is available from any screen by clicking on a small icon at the top right. For example, I could search for every control that has “vendor defaults” in its description and then click on the relevant result.
New in Version 4.1
Lumension has added several new features in Version 4.1. First is the ability to better define remediation projects. Scores get assigned to a project more easily by simply right-clicking on them and adding them to a project. You can also search for users to see which projects they’ve been assigned, or search through your Active Directory listing and assign them from there.

When projects are complete, the software automatically does an assessment, which is presented via an e-mail notification to the security team to be validated. This makes it easier for users to manipulate projects without a lot of navigating around the software’s menus.

E-mail notifications have been beefed up too. They are more event-driven and are tied to particular workflows. Also, you can monitor particular applications and specify when a score is below a certain level and how often you wish to receive e-mail.
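The survey-to-score flow described earlier (control points with survey questions, a per-regulation pass/fail summary with department scores and drill-down), the “vendor defaults” search, and the below-threshold e-mail rule, as an added example that is not part of this review and not Lumension’s code. The controls, departments, regulation tags and survey answers are constructed sample data, and the scoring rule (a control passes only if every returned answer passes; a department’s score is its share of passing assessed controls) is an assumption, since the review does not state how Risk Manager computes its posture index.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    department: str
    regulations: frozenset  # regulation sets this control is referenced by


@dataclass(frozen=True)
class SurveyResponse:
    control_id: str
    passed: bool  # one answered survey question for the control


# Constructed sample data (hypothetical control catalogue, not the product's).
CONTROLS = [
    Control("C-01", "Change vendor defaults on wireless access points", "it", frozenset({"PCI"})),
    Control("C-02", "Desktop physical security for workstations handling cardholder data", "legal", frozenset({"PCI"})),
    Control("C-03", "Encrypt e-mail containing private customer data", "legal", frozenset({"PCI", "HIPAA"})),
    Control("C-04", "Physical perimeter security of the data center", "facilities", frozenset({"PCI", "HIPAA"})),
    Control("C-05", "Vendor defaults removed from database accounts", "it", frozenset({"PCI"})),
]

# Constructed survey answers; C-05 has not been answered yet.
RESPONSES = [
    SurveyResponse("C-01", True), SurveyResponse("C-01", True),
    SurveyResponse("C-02", False),
    SurveyResponse("C-03", True),
    SurveyResponse("C-04", True), SurveyResponse("C-04", False),
]


def control_status(controls: List[Control], responses: List[SurveyResponse]) -> Dict[str, Optional[bool]]:
    """Pass/fail per control (assumed rule): every answered question must pass.
    A control with no answers yet is None, i.e. not assessed."""
    answers = defaultdict(list)
    for r in responses:
        answers[r.control_id].append(r.passed)
    return {c.control_id: (all(answers[c.control_id]) if answers[c.control_id] else None)
            for c in controls}


def summary_for_regulation(controls: List[Control], responses: List[SurveyResponse], regulation: str) -> dict:
    """The 'summary report': passing/failing counts across assessed controls tagged
    with the regulation, an overall posture index, and a score per department."""
    status = control_status(controls, responses)
    passing = failing = 0
    per_dept = defaultdict(lambda: [0, 0])  # department -> [passed, assessed]
    for c in controls:
        ok = status[c.control_id]
        if regulation not in c.regulations or ok is None:
            continue
        if ok:
            passing += 1
        else:
            failing += 1
        per_dept[c.department][0] += int(ok)
        per_dept[c.department][1] += 1
    assessed = passing + failing
    return {
        "regulation": regulation,
        "passing": passing,
        "failing": failing,
        "posture_index": passing / assessed if assessed else None,
        "departments": {d: p / n for d, (p, n) in sorted(per_dept.items())},
    }


def drill_down(controls: List[Control], responses: List[SurveyResponse],
               regulation: str, department: str) -> List[Tuple[str, str, str]]:
    """Drill into one department: each of its controls under the regulation with its state."""
    status = control_status(controls, responses)
    label = {True: "pass", False: "fail", None: "not assessed"}
    return [(c.control_id, c.description, label[status[c.control_id]])
            for c in controls if regulation in c.regulations and c.department == department]


def search_controls(controls: List[Control], phrase: str) -> List[str]:
    """Case-insensitive search of control descriptions, e.g. for 'vendor defaults'."""
    needle = phrase.lower()
    return [c.control_id for c in controls if needle in c.description.lower()]


def below_threshold(summary: dict, threshold: float) -> List[str]:
    """Departments whose score fell below the level at which an e-mail would be sent."""
    return [d for d, score in summary["departments"].items() if score < threshold]


if __name__ == "__main__":
    pci = summary_for_regulation(CONTROLS, RESPONSES, "PCI")
    print(pci)
    print(drill_down(CONTROLS, RESPONSES, "PCI", "legal"))
    print(search_controls(CONTROLS, "vendor defaults"))
    print("notify for:", below_threshold(pci, 0.6))
```

With the sample answers the PCI summary counts two passing and two failing controls (C-05 is excluded until its survey comes back), legal scores 0.5 and facilities 0.0, so a 0.6 notification threshold would flag both of those departments while IT is left alone.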
Finally, the software continues to work with vulnerability scanning and patching vendors and tools—including Nessus, a vulnerability scanning program—to directly integrate their intelligence into Risk Manager’s operations.
David Strom is a writer, blogger and speaker with many years of experience in the information technology field.

This story can be found online at: tinyurl.com/36kt7wn
This is a summary report that shows how many items are passing or failing and the scores for particular departments that are affected by the specific collection of regulations.