In the government world, the concept of verification and validation (V & V) is important. It should be in your enterprise as well. This month we look at two aspects of V & V: policy management and vulnerability assessment. Policy management puts you in the driver's seat by allowing you to enforce policy and validate for the regulators that you are doing exactly that. Vulnerability analysis verifies that your enterprise is, indeed, as free from vulnerabilities as practical. The bottom line is that by managing policy, you manage threats. By managing vulnerabilities as well, you also manage impacts. Thus, you manage risk. And, perhaps most important in today's business environment, you are proving that you are managing those risks.

Unfortunately, managing risks in a large enterprise is difficult, complicated and time-consuming. Proving that you are doing what needs to be done in that regard may be even more difficult. The tools that we look at this month can help you in this regard.

Policy management tools let you set policy and enforce it. Since policy is the underpinning of all good security practice, this is pretty important. Vulnerability analysis and assessment tools help verify that your policies are, indeed, being enforced.

Additionally, we found that the line is blurring between vulnerability assessment and penetration testing. Some of the products we looked at did both to a greater or lesser degree. This is, in my view, an indication of the maturing process in this product class.

Policy management still has a way to go in its maturity cycle, but it is moving very fast – driven, of course, by regulatory pressures. While our group was a bit small this year, it was solid.

Overall, this was an interesting month – something old and something new, so to speak. Old friends in the vulnerability assessment group showed growth and maturity, while the upstarts in the policy management group offer the promise of better managed security in the enterprise.