Preventsys Announces PolicyLab PDK For Security Policy Experts

New Standalone Policy Development Kit Delivers Library of Policies And Pre-Programmed Rules for Network Security Policies

San Diego, Calif. - February 3, 2004 - Preventsys, the pioneer in automated security audit and policy assurance systems, announced today the availability of its new PolicyLab Policy Development Kit (PDK). The PolicyLab PDK is a standalone version of the Preventsys PolicyLab development environment intended for partners, system integrators and security policy experts that are engaged by large enterprises to develop and test powerful automated security and regulatory policies in a highly productive development environment at low cost.

Policies are widely acknowledged to be the only vehicle for delivering truly scalable network security. In the past, operationalizing security policies in an enforceable form was difficult and cost-inefficient, leaving many policies in three-ring binders gathering dust on the shelf. The PolicyLab PDK changes all of that.

"Our clients face ever toughening regulatory and legal requirements in the protection of their operations. SOX, FISMA and NERC are changing how executives deal with security. We look for solutions that offer a risk-focused and scalable system for protecting our clients' businesses and helping them to manage security proactively," said Patsy Boozer, vice president at SAIC.

PolicyLab is used to import traditional security and regulatory policies (in any human-readable language) in HTML format and link each granular rule in the policy to a machine readable expression that can be tested for compliance during automated auditing processes performed by the Preventsys system on large global networks. The PolicyLab PDK is designed as a tool for use by third party security experts who have been engaged by large corporations and government agencies to provide consulting support, development and policy related domain knowledge and intellectual property related to the development, deployment and enforcement of security and regulatory policies.

"There are many individuals and organizations with tremendous expertise in the development and application of best practice security and regulatory policies," said John Williams, Chief Technology Officer, Preventsys. "With the release of the PolicyLab PDK, it becomes possible to put that expertise to work in scalable, automated ways, benefiting customers by reducing security risk on very large networks. It also allows security experts across the country to leverage the capital investment we've made in research and development of the Preventsys system with the expertise, knowledge and policy content they've developed internally."

The PolicyLab PDK is a powerful set of policy development tools in a drag-and-drop development environment. Key features include:

  • Policy Library - The library contains a pre-programmed collection of policies and security specific rules that constitute the building blocks of overall corporate policies, including key regulatory policies such as Sarbanes-Oxley Section 404 and commercial agreements such as Security Service Level Agreements. All of these can be customized to the specific practices, specifications and requirements of any organization, and linked directly to original natural language source policies by third party experts using the PolicyLab PDK.

  • Policy Editor - High-level security and regulatory policies are imported in their original natural language form, customized and then linked to pre-programmed rules in a drag-and-drop graphical user interface that facilitates the mapping of policy requirements to pre-programmed blocks of machine readable code that test the requirement against actual network security facts. PolicyLab uses PDLT, an extension of the XSL standard, to represent high-level, strategic policies in a highly granular, rules based construct.

  • Policy Test and Deployment - New policies are tested in a staging environment against real data from the Preventsys AudIT Repository to assure accuracy of policy logic and to estimate the costs of compliance with new policies or changes, determining the actual remediation efforts required on the network as a result of the change.

  • Third party developer support - The PDK version of PolicyLab contains sample code, test environments, documentation, APIs, testing and training tools designed to allow third party developers and consultants to use their security expertise, domain knowledge and accumulation of policies expressed in natural language form to create hypertext linked PDL documents.

The effect of using Preventsys and PolicyLab is to take those three-ring binders of security and regulatory policies and put those policies to work in measurable and manageable ways that assure security on the network in advance of attacks by individual or automated intruders.

In conjunction with the availability of the PolicyLab PDK, Preventsys has announced a new Policy Partner Program designed to support third party security experts and developers of policy and audit related technologies who use or integrate with the PolicyLab PDK. The Program takes two different forms:

  • Security Experts Program - The Security Experts program is for security consulting organizations who today provide security policy development, implementation, auditing or advisory services to corporate or government clients.

  • Policy Technology Program - The Policy Technology Program is for companies who offer security policy related products, technologies and development tools which can benefit from making English language policies machine readable and auditable inside the network.

"With the release of the PolicyLab PDK, it becomes possible for us to encode our ERP expertise into a system that allows us to automate the security auditing of the ERP systems we deploy," said Mark Veronda, Director of Consulting at iTeration2, a leading Microsoft ERP/CRM system integrator. "This will go a long way toward meeting our clients' Sarbanes-Oxley requirements and helping them sleep at night, while delivering value at a much lower cost than repeated consulting engagements."

The PolicyLab PDK is free to qualified security professionals and consultancies who join the Policy Partner Program. During Q1 2004, Preventsys will also make PolicyLab PDK training courses available to program members at no charge. For more information and to join the Policy Partner Program, contact Aaron Davies-Morris by email at or voice at (760) 268-7821.

In a related announcement, Preventsys made available Version 1.6 of its Network Audit and Policy Assurance System. The Preventsys system automates the auditing of security policy violations, vulnerability risk and remediation success. It scales formerly manual processes to reach every node, wired and wireless, on large corporate or government networks.

Enhancements in Preventsys 1.6 increase auditing functionality and ease of integration with other systems, providing greater control over security policy auditing of multiple sources, including network, host, manual and physical security points of view without the deployment of agents on host machines. Windows Registry Surveyor enables policy-based software version checking and control, checks for host security settings, proper software installation, worm and backdoor detection, and better coverage of Windows-based DHCP environments. Other enhancements provide native web services integration with Remedy ARS and other Action Request systems, updated integration with ISS Internet Scanner and Site Protector, Wi-Fi MAC Address filtering and logical network location trace routing, NMap exclusion lists for particularly sensitive assets, P2P passive auditing to report penetration issues, and the modification of the interface to support co-branding by partners. In addition, Preventsys has significantly expanded its policy library to include HIPAA, GLBA, NERC and Sarbanes-Oxley coverage. Also, best practice policies including NIST, SANS and NSA have been updated, assisting customers in compliance with these and other regulations like FISMA and PIPEDA.

About Preventsys, Inc.

Preventsys provides automated network auditing systems to global enterprises, focusing on the financial services, insurance, media, government, manufacturing, energy and healthcare verticals. Preventsys' innovative and award winning AudITT technology dramatically improves security and reduces costs by automating the traditionally manual processes of network auditing, policy development and compliance, remediation management and reporting. Preventsys is backed by Enterprise Partners, one of the top-performing venture capital firms in the United States with over $1 billion in capital under management, and Apax Partners, one of the world's leading international private equity investment groups, with more than $12 billion in capital under management across the United States, Europe, Israel and Japan. For more information, please visit the company's Web site at or call 760-268-7833.