November 20, 2005
Meta Security GroupProduct:
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Comprehensive regulatory compliance matrices with gap analysis to security policy; easy-to-use object based GUI; wealth of included content.
- Weaknesses: Third-party application integration requires additional consulting services; limited vulnerability management capabilities.
- Verdict: A time saver with encapsulated content, but security and business experts will need to collaborate to maximize effective use of this tool.
There is a range of definitions for “policy management.” For example, some systems enforce security policy via controlling device configurations and network admission controls such as Elemental Security’s Elemental Compliance System or the older Symantec Enterprise Security Manager device policy checker.
But Command Center addresses a different set of issues than just checking device settings. It focuses on three areas of security policy – lifecycle management, awareness and training, and very basic vulnerability management.
The policy lifecycle component consists of content templates, document database, status tracking database and a workflow engine for version control, archiving, and review/approve/audit tracking of every step of the lifecycle.
Two features stood out to us. First, the web-based end-user security awareness and training module provides tracking of user review and acceptance of security policy and end-user security educational material. Second, the regulatory compliance matrices map regulations to policy and processes. Included reports were comprehensive and granular.
In the context of Command Center, policy lifecycle management consists of the entire process that an organization uses to create, review, publish online, update and track security policies and technical standards, as well as track end-user review and acceptance.
It implements a web-based workflow system that provides version control and archival storage to facilitate auditable and collaborative interactions. Document types can be policies, technical standards, device configuration checklists, user quizzes, procedures, and so on.
Once set up, the basic flow is: user creates draft document via templates (or uploads existing document type); uploads drafts into workflow engine; assigns the roles of policy reviewer and approver to users; and tracks review and approves status of drafts via status tracking database.
Once the security document achieves approval status, the user deploys it to target groups/users, and track end-user review and acceptance of policy.
Command Center users receive emails with a secure web link that points to the document requiring their review/approval. They log into Command Center, review, edit and approve the document, and its status is automatically updated, documented and routed to the next person in the process.
Various management reports provide a documented audit trail of all actions taken against the document which can help provide proof of compliance.
From a licensing perspective, Command Center users are those in an organization with oversight of the security policy content and lifecycle, such as security team members and business asset stakeholders. But an awareness and training module is included, targeted at general end-users.
Using a role-based model, many users can be assigned the roles of policy reviewer or approver with special access controls for auditors and functional access based on need-to-know. The visually informative, object-based web user interface provides a top-to-bottom drill-down of the security policy framework, from the top-level charter document to individual policies and technical standards. The contents of all document templates are fully customizable and users can upload an organization’s security policy documents.
One of the biggest factors in maintaining a secure environment is an organizational culture of security awareness, so employees must understand what security role they play, how to perform it and why it is important. To this end, Command Center provides various end-user-focused security quizzes, device configuration best practices and checklist templates for the more technical professional.
From a policy update or deployment perspective, end-users can be notified at login time that there is a new or updated policy for their review. The user must then review and tick a checkbox to confirm that they have read the policy.
Command Center tracks not only the user check-off, but also whether the user’s web browser has viewed the policy page.
Vulnerability management capabilities include system profile-based vulnerability alerting, remediation task tracking and live vulnerability feeds from US-CERT and SecurityFocus.
If you need a solution to help you build and manage a corporate security policy and awareness framework, or directly link regulatory requirements to your security process, procedures and policies, then Command Center is worth a look. Whether building from scratch, enhancing what you may already have, or jump-starting a security policy program to meet specific regulations, Command Center helps streamline implementation and help you retain and prove your compliance.
SC Webcasts UK
Information Security Manager
Infosec People - Hammersmith, West London
Junior Penetration Tester, Hertfordshire, to £35k + benefits
Infosec People - England, Hertfordshire
Cyber Security Architect
CYBER EXECS - London (Greater)
SOC Analyst, Aldershot, £47-56k + package
Infosec People - Hampshire, England, Aldershot
Senior Security Engineer
Loveworklife Recruitment - United Kingdom
Sign up to our newsletters
SC Magazine UK Articles
- Tesco Bank allegedly ignored warnings of hack from Visa
- Investigatory Powers and Digital Economy Bills could threaten economy
- Updated: A million German routers knocked offline by failed Mirai botnet attack
- Gooligan ad fraud malware infects 1.3M Android users, installs over 2M unwanted apps
- Microsoft update left Azure Linux virtual machines open to hacking
- SC Awards Europe 2016 winners announcements!
- ISIS radicalises 'lone wolves' through strong social media presence
- Updated: How will Brexit affect the cyber-security industry in UK and Europe?
- ICYMI: CEO Sacked; MS Zero-day; Passwords dropped; Ransomware wild, charging hack
- 9.2 million medical records for sale on darkweb
- ICYMI: Tesco warned; IP Bill threatens economy; German routers offline; Azure trojan; Gooligan fraud
- Data centres are on the move - where will they end up?
- 90% of ITDMs believe IAM is crucial to digital transformation success
- Research: Hacked companies could see customer exodus if breached
- Misconfigured drive exposes locations of explosives used by oil industry