Risk & policy management Group Test | SC Media


Risk & policy management

Group Summary

This month we look at risk and policy management tools and we have a lot of them for your consideration.


Products reviewed in this group test:

Agiliance RiskVision v6.5 SP1
Promisec Endpoint Manager
RedSeal 6 Platform v6.6
RSA Archer GRC Platform 5.3 SP1
Rsam GRC v8 (Rating: 5.00)
Skybox View Enterprise Suite v6.5
Symantec Control Compliance Suite v11
NetIQ Secure Configuration Manager v5.9
Modulo Risk Manager v8.1
AlgoSec Security Management Suite v6.4
Allgress Insight and Risk Manager v4.1
Aruvio GRC v2.2 (Rating: 4.00)
Citicus ONE vR.35 (Rating: 4.50)
LockPath Keylight v3.0 (Rating: 4.50)
Lumension Risk Manager v4.4
ManageEngine DeviceExpert v5.9
Tufin Security Suite R 13-1
Tripwire Enterprise and DataMart

Full group summary


Enterprise risk management is a continuous process. It begins with setting objectives and identifying risks. Once the risks are identified, they should be assessed to understand how to treat them. Risks can either be controlled or eliminated. In either case, there needs to be some way to communicate the risk picture and to continue monitoring. That continued monitoring may illuminate additional risk objectives – and a new strategy needs to be set, starting the cycle over again. Risk management tools provide a platform on which to perform this risk management cycle.

Policy management, on the other hand, is not quite as clearly defined. In some cases, policy management refers to the supervision of an organization’s security policies derived from risk management, regulatory requirements and other types of input. In other cases, it refers to how policy is applied, managed and updated to devices. It is not uncommon to see these types of applications in the same product. However, policy management, like risk management, is a continuous process. And, no surprise, the two – policy and risk management – are tied together because policy is intended to address risk.

Conventional wisdom tells us that the first task in creating an enterprise architecture is to perform a risk assessment. Once the risk assessment is complete, one needs to create policies to address the risks. So, if one has a need for a secure enclave, such as an online banking system, the admin will address the risks inherent in such a system, create policies that address those risks and then design an architecture that implements those policies.

Now that an architecture is in place, one can begin to populate it with tools. However, at this point, the admin will find that the tools that need to be configured to implement and enforce the policy also must be configured with their own policies – although these really are settings that enforce or implement policy – and these need to be kept current. Current with what? Well, the policy, of course. Risk drives the policies, so as risks change, policies – both in the abstract (the organization’s written security policy) and in the concrete (configuration policies) – need to change. For a big enterprise, all of that can be daunting.

That is where our tools enter the picture. It has long been my position that both of these types of tools are necessary to manage an enterprise’s security properly. The big problem – and one that user organizations and vendors alike have been struggling with for years – is how to make this work for all but the largest organizations.

I am aware of an organization that needs what these tools offer. Some years back, it purchased a pricey but well-thought-of tool and went through training, configuration, transferring policy, etc. Part way through the process, the organization decided it did not have the resources to get the job done right, and it shelved the initiative. The tools we reviewed this month can go a long way toward keeping that sort of thing from happening in the future.

So, the bottom line: If yours is a medium to large enterprise, managing policies, risks and the various attendant configurations is a real issue. Most likely, if you haven’t implemented an automated approach, you are struggling to keep everything configured, to keep policies aligned with requirements, and to keep risks measured and managed as new ones come over the horizon.

Automated risk and policy management is a major step if one wants to make the most of human resources, instead of marshaling these workers to manual tasks that never end.

Are these tools pricey? Some may be, but this is like any other security product. Look closely at what you need to accomplish and either make it fit your pocketbook or start lobbying for a bigger one. In the long run, though, the savings from automating these tasks will be significant enough to justify the purchase.

Michael Lipinski and Mike Stephenson contributed to this month’s Group Test.
