I know I'm late to this thread, but hopefully this reply can serve some
others in the community.

I can share what I feel is a good methodology for selecting a compliance or
auditing tool. I would begin by first determining my entire compliance
landscape. By that I'm referring to both internal and external compliance
obligations that must be fulfilled. On the external side this may range
from SOX to PCI and everything in between. For internal compliance, this
may relate to an ongoing struggle to achieve ISO certification or CIS Level
1 Benchmark, etc. The point is that these compliance objectives should be
listed and ranked. Why? Well, because not all compliance objectives will
realistically be fulfilled and if they are over the course of years, the
amount of resources invested will be far from equal amongst compliance

Referring back to external compliance, anyone can list what external
regulatory impacts apply to the business of the organization, but in
reality, compliance efforts mostly focus on areas that truly have some
degree of near-future accountability on the horizon (i.e., annual SOX
readiness efforts, a looming HIPAA audit by Joint Commission, or the necessity to
become PCI compliant by timeframe X). These more clearly defined compliance
efforts should be categorized by whether or not they will be repetitive
compliance efforts (SOX would be always unless the organization decides to
go private) or if they are a single and isolated or infrequent compliance
efforts. The same would go with internal compliance. Internal compliance
initiatives may be multiple, with desires to align the organization with one
set of standards while still maintaining some degree of alignment with
another, etc., etc. Hopefully, from this exercise, a prioritized compliance
ranking of real regulatory objectives will ensue and then the shopping
can begin for a strategic tool that will help automate the data collection,
categorize and maintain findings, as well as facilitate remediation.

A lot of good points have been made already from the other contributors to
this post, namely being that there is no single tool to do everything and
that tools tend to be a bit one or two sided, with limited multi-tiered
functionality (software, hardware, network, etc). However, I will say that
overall, from a standpoint of security vendors, the best overall response,
service, and often times product is from a smaller, up and coming vendor.
For those security enthusiast firms especially, when you can see that their
product embellishes their commitment to the industry versus simply a
product-for-profit approach, that's where you see the greatest return on
security investment (ROSI). Thus far, I've had success in subscribing to
this theory as smaller firms that truly believe in the necessity to secure
and not simply comply have developed some pretty cool stuff. One of which is
Gideon Technologies' SecureFusion product (www.gideontechnologies.com). This
product is built on a service oriented architecture approach that has proven
successful in integrating with many other security applications in order to
create a unified picture of risk for the enterprise. Essentially this is a
modular product that uses agent-less scanning technology to discover
information assets. These assets range from software, to hardware, to
network, etc. Related back to compliance, it has the ability for a user to
define an internal baseline policy if you will and have the portal
automatically determine if discovered vulnerability, configuration, and
policy gap analysis findings have triggered issues of non-compliance. It has
various pre-defined templates for both internal and external compliance
reporting so a different type of compliance picture can be reported for PCI
versus GLBA, etc. Doug's suggestions made in an earlier thread reference a
couple of different tools that are truly great but have their own individual
swim lanes of usefulness with integration being left up to the user to
figure out. Many of the tools that have started in a niche, such as TripWire
(change management/ incident response) and/ or Qualys (Vulnerability
Management) are seeing opportunities in the enterprise security tool market.
This makes me a bit leery compared to others who have begun in that market
and sensed the need for a toolset to unify everything. If such a solution
is what you're looking for, I'd put Gideon Technologies on your list. I
myself have used and seen some of the other products from some of the bigger
players (Symantec, who bought Bindview's Compliance Suite, and McAfee, who has
leveraged off of Foundstone's compliance products). I wasn't nearly as
impressed, especially considering the price point, and there was also the
fact that these tools didn't adhere to an SOA architecture, so future
integration would have to be, at best, a visit from professional services.

Hope this helps and sorry for the late post.

Tony UcedaVélez, CISM, CISA, GIAC
Managing Partner
VerSprite, LLC
(office) 678.938.3434
(email) tonyuv (at) versprite (dot) com
(web) www.versprite.com

I work for a large financial services company in the mid-west and
am new to compliance and risk management. I have been tasked with
identifying a range of products I should budget for next year to
solve the security compliance needs in my company. I think these
include PCI, HIPAA and GLBA as well as SOX.

Can anyone recommend any products and/or approaches to evaluating
tools? It seems there are lots on the market, many of which seem
to magically help me assess compliance, so I am a little skeptical.

Thanks in advance.

