Pentana Checker for Information Security
$400 per year (2 users)
Very thorough standards-based analysis and very quick reporting.
Documentation could have been simpler, but the developer says they will take this on board for the next release.
A very worthwhile tool to speed up overall security policy auditing.
This software is very much aimed at the auditing and information security industry and those that work within that field. It is basically a tool to audit information security in an automated fashion.
The main purpose of the software is to provide a checklist for assessing the state of information security within an organization and offering a knowledge base for continual assessments in accordance with the international standard for information security ISO17799.
The application is built around a software engine that is essentially an intelligent questionnaire: the answers to tailored questions eliminate other questions deemed inappropriate, depending on the exact scope and type of system under review.
Installing the application was straightforward. On launch it brings up the console, from where a client file may be created or re-launched. It was difficult to see how many client files could be created but apparently this number depends on the size of the hard disk of the machine on which it is installed.
Once a new client file is launched the main task of answering all the questions can be undertaken. This can be very time consuming, not because there are any problems with the software (this appears to be a very well thought out piece of kit), but because there are just so many questions to answer.
The first section asks what systems are under review, what risks are attached to the system, whether disclosure of information is harmful, the depth of the review, and whether all or selected aspects of information security are going to be reviewed.
We decided to perform a thorough audit. Just about every question could be answered on a scale of one to five. Anything below three is flagged up for later investigation.
After finishing the audit one can pick up on problem answers for further examination and resolution. A further filter can be applied to show problem answers by different standards organizations. The application was very quick to display this information despite the lengthy nature of the questionnaire.
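As an added illustration (not Pentana's code or data format), here is a small Python model of the engine the review describes: scope answers decide which control questions are asked, any control answer below three is flagged, and flagged answers can be filtered or totalled per standards clause. The question ids, clause labels, prerequisite rules and answers are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Question:
    qid: str
    text: str
    standard: str  # clause the question maps to ("scope" for scoping questions); labels constructed
    requires: dict = field(default_factory=dict)  # {qid: minimum score} that must hold to be asked

# Constructed checklist: the scope answers (q0, q3) decide which control questions are asked.
QUESTIONS = [
    Question("q0", "Is remote access to the system in scope?", "scope"),
    Question("q1", "Is there a documented remote-access policy?", "ISO17799 A.9", {"q0": 3}),
    Question("q2", "Is remote access authenticated with two factors?", "ISO17799 A.9", {"q0": 3, "q1": 1}),
    Question("q3", "Does the system process personal data?", "scope"),
    Question("q4", "Is personal data encrypted at rest?", "ISO17799 A.10", {"q3": 3}),
    Question("q5", "Are backups tested by a restore at least yearly?", "ISO17799 A.10"),
]
ANSWERS = {"q0": 5, "q1": 2, "q2": 4, "q3": 1, "q5": 2}  # constructed 1-5 answers; q3 takes q4 out of scope

def applicable(q, answers):
    # A question is asked only if every prerequisite scored at or above its minimum.
    return all(answers.get(dep, 0) >= minimum for dep, minimum in q.requires.items())

def run_audit(questions, answers, threshold=3):
    # Walk the checklist in order; control answers below the threshold are flagged for follow-up.
    asked, skipped, flagged = [], [], []
    for q in questions:
        if not applicable(q, answers):
            skipped.append(q.qid)
            continue
        if q.qid not in answers:
            raise ValueError(f"{q.qid} is applicable but unanswered")
        asked.append(q.qid)
        if q.standard != "scope" and answers[q.qid] < threshold:
            flagged.append((q.qid, q.standard, answers[q.qid]))
    return {"asked": asked, "skipped": skipped, "flagged": flagged}

def flagged_for(result, standard):
    # The review's filter: problem answers for one standards clause only.
    return [f for f in result["flagged"] if f[1] == standard]

def coverage(questions, result):
    # Per-clause (asked, flagged) counts: the figures a graphical overview would plot.
    flagged_ids = {f[0] for f in result["flagged"]}
    table = {}
    for q in (q for q in questions if q.standard != "scope" and q.qid in result["asked"]):
        n, bad = table.get(q.standard, (0, 0))
        table[q.standard] = (n + 1, bad + (q.qid in flagged_ids))
    return table
```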
The package also includes graphical analysis options which are very clear to interpret and give a good overview of areas of security that need more attention. There is a further option to compile a report of the audit. Again, this is very quick to fire up and can be filtered to show different results.