The primary approach to compliance here is to push policies through agents to hosts and to some applications (e.g., Oracle, Microsoft SQL, Sybase and a few others). SCM compares the configurations of the enterprise devices in question against its vulnerability and threat data, applies the relevant policies, derives a compliance status and reports it to the administrator.
Policies can be derived from regulatory requirements, laws or internal organizational standards. The reports assess risk from the combination of policy, known threats and vulnerabilities, and the actual device or application configuration. SCM compares findings against baselines, and the findings can be weighted so that the risk rating reflects the organization being measured rather than a generic scale.
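To make the baseline comparison and weighted risk rating concrete, here is an added illustration of the kind of evaluation an SCM product performs. This is not the reviewed product's code; the baseline rules, the host configuration "collected by the agent" and the per-category weights are all constructed sample data, and the regulation references attached to the rules are placeholders rather than actual control numbers.

```python
"""Illustrative SCM-style evaluation: compare a host's observed configuration
against a policy baseline, weight each failure for the organization, and derive
a status. Constructed example, not code from the reviewed product."""

from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Check:
    key: str                          # configuration item the agent reports
    category: str                     # looked up in the organization's weights
    severity: float                   # 1..10, how serious non-compliance is in general
    compliant: Callable[[Any], bool]  # predicate over the observed value
    source: str                       # regulation or internal standard (placeholder text)


@dataclass(frozen=True)
class Finding:
    key: str
    observed: Any        # None when the agent reported nothing for this key
    severity: float
    weight: float
    source: str

    @property
    def score(self) -> float:
        return self.severity * self.weight


# Hypothetical baseline. The "source" strings are placeholders, not real control IDs.
BASELINE: Tuple[Check, ...] = (
    Check("sshd.PermitRootLogin", "auth", 8, lambda v: v == "no", "regulatory (auth)"),
    Check("sshd.PasswordAuthentication", "auth", 6, lambda v: v == "no", "internal hardening"),
    Check("login.defs.PASS_MAX_DAYS", "auth", 4,
          lambda v: isinstance(v, int) and 0 < v <= 90, "regulatory (auth)"),
    Check("auditd.enabled", "logging", 7, lambda v: v is True, "regulatory (logging)"),
    Check("kernel.net.ipv4.ip_forward", "network", 5, lambda v: v == 0, "internal hardening"),
)

# Constructed snapshot as an agent might return it. ip_forward is deliberately
# absent: a setting the agent could not verify is treated as a failure, not a pass.
HOST_CONFIG: Dict[str, Any] = {
    "sshd.PermitRootLogin": "yes",
    "sshd.PasswordAuthentication": "no",
    "login.defs.PASS_MAX_DAYS": 99999,
    "auditd.enabled": True,
}

# Weights an organization might apply to an internet-facing host (constructed).
DMZ_WEIGHTS: Dict[str, float] = {"auth": 2.0, "network": 2.0, "logging": 1.0}


def evaluate(observed: Dict[str, Any],
             baseline: Tuple[Check, ...] = BASELINE,
             weights: Optional[Dict[str, float]] = None) -> Tuple[List[Finding], float]:
    """Return the failed checks and a risk percentage: weighted score of the
    failures over the maximum weighted score the baseline could produce."""
    weights = weights or {}
    findings: List[Finding] = []
    max_score = 0.0
    for check in baseline:
        w = weights.get(check.category, 1.0)
        max_score += check.severity * w
        present = check.key in observed
        value = observed.get(check.key)
        if not present or not check.compliant(value):
            findings.append(Finding(check.key, value, check.severity, w, check.source))
    score = sum(f.score for f in findings)
    risk_pct = round(100.0 * score / max_score, 1) if max_score else 0.0
    return findings, risk_pct


def status(risk_pct: float) -> str:
    """Map the risk percentage to the status an administrator would see.
    Thresholds are arbitrary for this illustration."""
    if risk_pct == 0.0:
        return "compliant"
    if risk_pct < 25.0:
        return "minor deviations"
    return "non-compliant"


def report(host: str, findings: List[Finding], risk_pct: float) -> List[str]:
    """Render the findings, highest weighted score first, as report lines."""
    lines = [f"{host}: {status(risk_pct)} (risk {risk_pct}%)"]
    for f in sorted(findings, key=lambda f: f.score, reverse=True):
        observed = "<not reported>" if f.observed is None else repr(f.observed)
        lines.append(f"  FAIL {f.key} observed={observed} "
                     f"severity={f.severity} weight={f.weight} [{f.source}]")
    return lines


if __name__ == "__main__":
    for label, w in (("default weights", None), ("DMZ weights", DMZ_WEIGHTS)):
        found, pct = evaluate(HOST_CONFIG, weights=w)
        print(f"--- {label} ---")
        print("\n".join(report("host01", found, pct)))
```

The same three failures produce a different risk figure depending on the weights, which is the point of letting the organization weight findings: the DMZ profile pushes the unverified ip_forward setting and the root-login failure to the top of the list, while an internal file server might weight the logging category higher instead.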
We liked this one for a couple of reasons. First, it is a great compliance tool. By combining threat and vulnerability data, the current status of each monitored device on the enterprise, and its reporting, it is a very powerful means of establishing, monitoring and adjusting device configurations to meet regulatory requirements. Add the ability to weight the various factors relative to the organization's environment and this is an ideal tool for prioritizing remediation.
It provides capabilities that aid in remediating policy failures, and reporting is likewise a very strong capability for SCM.
So we have picked this as our favorite because it is priced right, it is full of features and it makes the compliance chore easier at both the assessment and the remediation ends. That makes it one powerful tool.