Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Vulnerability analysis tools add compliance features

Compliance is a natural extension of a vulnerability analysis tool. Normal vulnerability scanning includes searching for unpatched systems, unprotected directories and other errors in configuration.

Compliance typically adds a set of arbitrary checks that are specific to a particular regulatory regime. For example, a compliance policy might require that a DVD-ROM on a system can only be used by someone logged in locally. That's not really a vulnerability; it's just someone's idea of a particular security policy.

Do you know where your security holes are?

All of the products we tested except for Lumension Scan have a significant compliance component. For some, compliance scanning is also an extra cost or separately licensed option.

In vulnerability analyzers, "compliance" has two main parts: one is defining compliance policies and checks, and the second is generating reports with the specific checks that are called for by the regulatory regime. Because compliance is an entirely separate vulnerability analysis discipline with very different requirements, you should carefully consider the role of compliance testing and reporting before picking a vulnerability analyzer.

The requirements for compliance testing will change depending on the regime you're trying to support, and the feature set is usually more focused on policy auditing and less on getting individual systems securely configured. For example, everyone knows that patching production systems doesn't happen within a few hours of Microsoft's latest update. Compliance reporting is more about reporting on how long it took for you to bring systems back up to specification, than it is helping you figure out which systems need those patches.

If compliance is on your mind as part of a vulnerability analyzer acquisition, we think you should look carefully at eEye, McAfee, Qualys, and SAINT. In our quick look, we were most impressed by McAfee's compliance policy creation tools, and SAINT's ability to quickly import and edit standardized compliance policies based on the three "standard" formats.

Read more about wide area network in Network World's Wide Area Network section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: LAN, Lumension, McAfee, Microsoft, Qualys
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: compliance, endpoint security, it management, Lumension, regulatory compliance, security, vulnerability analyzers
Latest Blog Posts
Whitepapers
  • Magic Quadrant for Enterprise Disk-Based Backup/Recovery
    While backup is among the oldest, most performed tasks in the data center, the industry is undergoing significant change as organisations accelerate new technology adoption and show a propensity to implement new solutions, in some cases from vendors that are emerging or new to the backup market.
    Learn more »
  • Improving Productivity in the Connected Enterprise Through Collaboration
    In the market for collaborative applications, a large convergence is beginning to take hold, and the consumerization of IT is central to this movement. The technologies that people use as consumers are impacting the way employees, customers, and partners want to interact and collaborate at work. People want to take the same technology experiences that are available at home and plug them into their daily work lives. This movement is setting worker expectations as both employees and corporate consumers. Workers need to have the choice and flexibility to consume the applications they want, where they want, and on their preferred device. Read on.
    Learn more »
  • Automating Your Processes to Outperform Your Competition
    Welcome to Volume Three of the “Intelligent Guide to Enterprise BPM.” Get ready for an education in automation—Process Automation, that is. This white paper goes into detail about the Process Automation entry point into an Enterprise Business Process Management (BPM) program. Read on to learn how Process Automation opens up new ways to help your business do things faster—like open up a new sales channel or deliver customer orders. Discover how Process Automation enables your business to run smoother and consistently in an orchestrated way. With a true Enterprise BPM solution, you can automate newly designed processes far easier than starting from scratch.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments