Risk and policy management
With an ever-evolving list of compliance regulations, automation goes a long way to alleviating mundane tasks – and it's never been simpler, says Peter Stephenson.
This month we look at risk and policy management tools, and we have a lot of them for your consideration. A good first step is distinguishing what we mean in both cases. One thing that we noticed this year is that some functionality is spilling over into configuration and vulnerability management tools.
Enterprise risk management is a continuous process. It begins with setting objectives and identifying risks. Once the risks are identified, they should be assessed to understand how to treat them. Risks can either be controlled or eliminated. In either case, there needs to be some way to communicate the risk picture and continue monitoring. That continued monitoring may illuminate additional risk objectives – and new strategy needs to be set, starting the cycle over again. Risk management tools provide a platform on which to perform this risk management cycle.
Policy management, on the other hand, is not quite as clearly defined. In some cases, policy management refers to the supervision of an organisation's security policies derived from risk management, regulatory requirements and other types of input. In other cases, it refers to how policy is applied, managed and updated to devices, such as firewalls. It is not uncommon to see these types of applications in the same product. However, policy management, like risk management, is a continuous process and the two are tied together because policy is intended to address risk.
Conventional wisdom tells us that the first task in creating an enterprise architecture is to perform a risk assessment. Once this is complete, one needs to create policies to address the risks. So, if one has a need for a secure enclave, such as an online banking system, the administrator will identify the risks inherent in such a system, create policies that address them and then design an architecture – network and security – that addresses those risks.
Now that an architecture is in place, one can begin to populate it with tools. At this point, however, the administrator will find that the tools need to be configured to implement and enforce the policy. Each tool also has policies of its own, although these really are settings that enforce or implement the written policy, and they need to be kept current. Risk drives the policies, so as risks change, the policies need to change with them, both in the abstract (the organisation's written security policy) and in the concrete (configuration policies). For a big enterprise, tracking and implementing all of that can be daunting.
That is where these tools enter the picture. It has long been my position that both types of tool are necessary to manage an enterprise's security properly. The big problem – and one that user organisations and vendors alike have been struggling with for years – is making this work for all but the largest enterprises. I am aware of an organisation that needs what these tools offer. Some years back it purchased a pricey but well-thought-of tool and went through the pain of training, configuration, transferring policy to it, etc. Part way through the process, it decided it did not have the resources to get the job done right, and it shelved the project and the product. The tools reviewed here can go a long way to stopping that sort of thing from happening in the future.
So, the bottom line: if you lack an automated approach, you are probably struggling to keep everything configured, policies aligned with current regulatory requirements and risks measured and managed as new ones come over the horizon. Automated risk and policy management really is a major step if one wants to make the most of human resources, instead of marshalling them to manual tasks that never seem to complete.
Michael Lipinski and Mike Stephenson contributed to this month's group test.
The following reviews are the products that scored most highly. For the full range of reviews from the SC group test, go to: www.scmagazineuk.com/group-test/section/332