In-Depth

The Push for Policy Compliance

BindView launches tool to help with government regulations

• By Mathew Schwartz
• 06/04/2003

Companies are more concerned than ever with policy compliance, says Charles Kolodgy, research manager of Internet security at International Data Corp. (IDC) in Framingham, Mass. “There are a number of companies that are beginning to look at that, and there are a lot talking about the policy and security—both the big P and the little P. It’s a little confusing because some people talk about policy as your security products being configured properly, and a lot of other people look at it as the big-p Policy; what do I want to develop, what do I want to protect?”

One big driver of policy compliance software, says Kolodgy, is the raft of new government regulations that have made this a scary issue for the “C level,” especially the Sarbanes-Oxley Act of 2002, which makes executives accountable for such things as regulatory compliance. Before, when it came to policy compliance, "it was about your audit, and now it's, 'Let's not wait for that audit.'"

To help organizations with compliance, BindView Corp. launched BindView Compliance Center, a new part of its Policy Compliance solutions suite. Compliance Center provides security administrators with continuous feedback on systems that are compliant with risk management guidelines. For non-compliant systems, Compliance Center provides step-by-step remediation guidance to help restore compliance. The new release can analyze a single machine, network, or an entire IT infrastructure, including measuring against industry standards such as the Center for Internet Security (CIS) Benchmarks.

BindView incorporated the CIS Benchmarks to give companies a “known good approach,” says Chris Mullins, director of policy compliance solutions for BindView. Even if organizations aren’t 100 percent compliant, he says that information from the NSA’s Systems and Network Attack Center (SNAC), which tests Department of Defense information assurance, shows that just taking a known good approach helps. In fact the hacking team began requiring it before conducting a test “hack attack.” “What they found was the first 20 or 30 things on the list were the same,” every time they tested a DoD site. "And they said, 'We're not coming out to hack you until you configure your boxes to these guides.'"

In fact, SNAC research found that “in excess of 80 percent of new vulnerabilities won't affect the box if they're configured to this approach,” says Mullins. Given the fact that so many attacks exploit known weaknesses, organizations that remediate top threats block not only current but future attacks that use the exploit. “Our product says you're at 82 percent today, and here are the 10 worst offenders that made you score that way, and if you want to click on the offenders, it will actually show you the 10 steps” needed to remediate them. “Once you do, the bulk of the lower hanging fruit goes away.”

By including the CIS Benchmarks, BindView also gives organizations the ability to skip the cost and lengthy process of IT and security having to create effective configuration standards on their own, especially against such regulations as HIPAA, which don’t tell organizations how to do something, just that it needs to be done.

When it comes to managing “the big P,”—an organization’s security policy—Kolodgy says that Symantec and Tivoli offer similar software, while netIQ, Foundtone, and Preventsys are in the assessment and risk analysis sector.

For organizations that already have BindView’s Policy Compliance software, he says, they’ll probably quickly move to integrate Compliance Center. “[BindView’s] initial hit, of course, will be people who already have bv-Control,” BindView’s security and configuration management software.

For organizations evaluating the product or similar functionality, he notes that one very useful feature is that it’s cross-policy. It has “the ability to take the data and recreate it for the different policies, so if you're a company that needs to deal with Sarbanes-Oxley, and HIPAA [the Health Insurance Portability and Accountability Act], and Gramm-Leach-Bliley, then this one product will prove compliance to each of those standards.”

Given the lengthy, onerous requirements organizations face to document compliance with just one regulation, companies are always looking for ways to just have a good security policy, then use it to prove how they’re compliant vis-à-vis any relevant regulations. “This would be working toward that,” says Kolodgy.