This month we look at risk and policy management tools and we have a lot of them for your consideration.
Enterprise risk management is a continuous process. It begins with setting objectives and identifying risks. Once the risks are identified, they should be assessed to understand how to treat them. Risks can either be controlled or eliminated. In either case, there needs to be some way to communicate the risk picture and continue monitoring. That continued monitoring may illuminate additional risk objectives - and new strategy needs to be set starting the cycle over again. Risk management tools provide a platform on which to perform this risk management cycle.
Policy management, on the other hand, is not quite as clearly defined. In some cases, policy management refers to the supervision of an organization's security policies derived from risk management, regulatory requirements and other types of input. In other cases, it refers to how policy is applied, managed and updated to devices. It is not uncommon to see these types of applications in the same product. However, policy management, like risk management, is a continuous process. And, no surprise, the two - policy and risk management - are tied together because policy is intended to address risk.
Typically, conventional wisdom tells us that the first task in creating an enterprise architecture is to perform a risk assessment. Once the risk assessment is complete, one needs to create policies to address the risks. So, if one has a need for a secure enclave, such as an online banking system, the admin will address the risks inherent in such a system, create policies that address the risks and then design an architecture that addresses those risks.
Now that an architecture is in place, one can begin to populate it with tools. However, at this point, the admin will find that the tools that need to be configured to implement and enforce the policy also must be configured with their own policies - although these really are settings that enforce or implement policy - and these need to be kept current. Current with what? Well, the policy, of course. Risk drives the policies, so as risks change, policies - both in the abstract (the organization's written security policy) and in the concrete (configuration policies) - need to change. For a big enterprise, all of that can be daunting.
That is where our tools enter the picture. It has long been my position that both of these types of tools are necessary to manage an enterprise's security properly. The big problem - and one that user organizations and vendors alike have been struggling with for years - is how to make this work for all but the largest organizations.
I am aware of an organization that needs what these tools offer. Some years back, they purchased a pricey but well-thought-of tool and went through training, configuration, transferring policy, etc. Part way through the process they decided they did not have the resources to get the job done right, and they shelved the initiative. The tools we reviewed this month can go a long way toward keeping that sort of thing from happening in the future.
So, the bottom line: If yours is a medium to large enterprise, managing policies, risks and various attendant configurations is a real issue. Most likely, if you haven't implemented an automated approach, you are struggling to keep everything configured, policies aligned with requirements and risks measured and managed as new ones come over the horizon.
Automated risk and policy management is a major step if one wants to make the most of human resources, instead of marshaling these workers to manual tasks that never resolve.
Are these tools pricey? Some may be, but this is like any other security product. Look closely at what needs to be accomplished and either make it fit your pocketbook or start lobbying for a bigger one. In the long run, though, the savings from automating these tasks will be significant enough to justify their purchase.
Michael Lipinski and Mike Stephenson contributed to this month's Group Test.