igor - Fotolia
I'm interested in managing the compliance policies of my network and endpoint devices. I've seen that the product landscape is quite broad, from simple software tools all the way up to fully integrated appliances. What's the best way to narrow the scope of my product search?
The best place to start looking for compliance tools that monitor the status of systems and networks is in your own information security program. You may already have a tool or suite of tools to manage device security, and those tools may have existing compliance capabilities that are sitting latent or have available add-on modules that can provide compliance tracking with minimal additional expense.
Saving money isn't the only reason to try to adapt existing tools to meet compliance needs. An organization is much more likely to achieve success if it is able to make small modifications to existing capabilities than if it tries to implement an entirely new system or set of tools. Remember, system and network administrators view compliance as a non-value-added burden on their already busy days. Anything that you can do to achieve compliance without increasing that burden will improve the likelihood of adoption and the success of the program.
For example, take a look at the configuration management system used in data centers that manages server configurations and patches. Does the package the system administrators use provide a compliance reporting option? If you can develop (or adapt) your own compliance templates for that tool, it's possible to simply run reports out of that system to detect noncompliant servers without bothering administrators to install yet another agent on the systems.
Similarly, your organization's security program likely already includes a network vulnerability testing tool. Spend some time assessing that tool's capabilities. Does it contain built-in policies and reporting features that meet compliance needs? This is another opportunity to achieve a major compliance victory with minimal investment of time and money.
Compliance professionals should take the time to conduct an inventory of the variety of security tools in use by their organizations. It's likely that many of them have the potential to pull double duty as effective compliance mechanisms.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Mike Chapple explains how to develop a compliance awareness training program