Security Feature
Got Discipline?

May 29, 2003
By Mike Fratto


In the quest for an ironclad information-security program, organizations typically take a textbook approach: First, a business-impact analysis and asset-assessment study identify critical data needing protection and the servers where that data resides. Then, security policies are developed from these studies, your business plan and organizational goals. These policies drive the development of guideline documents defining the requirements necessary to achieve the goals of the policy--for example, if a specific server is designated as critical, your access policy for that server will be stringent.

Essentially, you're taking your policy statements and codifying them into a series of checks.

But even the most well-conceived policies will fail if the effectiveness of the program cannot be measured. How do you gauge the effectiveness of a firewall strategy or a VPN, IDS or antivirus deployment? More practically, how do you ensure that networked devices like desktops, servers, switches, routers and firewalls are configured properly? Absent tools that can provide a holistic view of the network, administrators are left to fumble along. Without measurements, you're blind.


Of course, outside requirements come into play too. Although there's no magic bullet that will make your organization compliant with HIPAA, the Gramm-Leach-Bliley Act or ISO 17799, you can interpret applicable portions of the regulations into policies that can then be enforced and monitored (see "Complying With the Feds"). Our motto: Speak softly and carry a big yardstick.

Let's Focus

Sheer volume and complexity can make monitoring servers and desktops a nightmare. If you're a Windows-only shop and your desktops and servers are in a domain or Active Directory tree, Windows' Group Policy Object or SMS (Systems Management Server) might be sufficient to ensure policy compliance. However, once an environment becomes even slightly more complex, the task of monitoring becomes much more difficult.

We talked with an IT manager from a multinational petroleum company that deploys more than 4,000 servers and 70,000 workstations worldwide. Although many of these hosts are Windows computers spread across multiple domains, a number of servers and workstations are standalone. Even with tools embedded in Windows and an SMS deployment for desktop management, this organization spent a lot of time writing scripts to gather data from hosts across the network and used Excel spreadsheets to generate reports. A system engineer devotes one weekend per month to running reports--on topics such as disk usage, service pack and patch levels, and security policy configuration.


On the other end of the spectrum, a small hospital with 2,000 workstations, 40 servers, and an IT staff of five needed a view of workstation and server configurations and wanted to create reports showing user access in the file system and tracking access to specific files across the network. It needed to query configuration on Novell's eDirectory and NetWare 6, and Windows 2000 and NT servers and desktops, but did not have the developers to write custom scripts--it wanted a COTS (commercial, off-the-shelf) product.

In both cases, these organizations wanted to ensure--independent of the operations staff--that desktops and servers were configured as defined by their security policies. They also wanted to monitor patch compliance and generate reports pinpointing out-of-compliance hosts. Two organizations of different sizes and in different markets had similar reporting and management needs, none of which were met by existing applications.
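The policy-to-guideline-to-checks pipeline described in the introduction, and the out-of-compliance reporting both organizations above were after, can be expressed as a small policy-as-code script. The following is an added example, not code from the article or from either organization: each policy statement becomes a check function, the thresholds in GUIDELINES are illustrative assumptions (stricter for assets classified as critical, as the article describes), and SAMPLE_HOSTS is constructed inventory data standing in for what a real collection script would gather.

```python
"""Codify policy statements into checks and report out-of-compliance hosts.

Added example. Thresholds and the sample inventory are constructed
assumptions, not figures or hosts from the article.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Guideline thresholds derived from policy. A host designated critical gets
# the more stringent requirements (assumed values, for illustration).
GUIDELINES = {
    "critical": {"max_patch_age_days": 7, "min_password_length": 12},
    "standard": {"max_patch_age_days": 30, "min_password_length": 8},
}
CLEAR_TEXT_SERVICES = {"telnet", "ftp"}  # policy: no clear-text remote admin


@dataclass
class Host:
    name: str
    criticality: str            # "critical" or "standard" per asset assessment
    patch_age_days: int         # days since the approved patch level was applied
    min_password_length: int    # local account policy on the host
    guest_enabled: bool         # guest account state
    open_services: List[str] = field(default_factory=list)


@dataclass
class Finding:
    host: str
    check: str
    detail: str


Check = Callable[[Host], Optional[Finding]]


def check_patch_level(h: Host) -> Optional[Finding]:
    limit = GUIDELINES[h.criticality]["max_patch_age_days"]
    if h.patch_age_days > limit:
        return Finding(h.name, "patch_level",
                       f"{h.patch_age_days} days since patching, limit {limit}")
    return None


def check_password_length(h: Host) -> Optional[Finding]:
    need = GUIDELINES[h.criticality]["min_password_length"]
    if h.min_password_length < need:
        return Finding(h.name, "password_length",
                       f"minimum length {h.min_password_length}, policy requires {need}")
    return None


def check_guest_account(h: Host) -> Optional[Finding]:
    if h.guest_enabled:
        return Finding(h.name, "guest_account", "guest account is enabled")
    return None


def check_clear_text_services(h: Host) -> Optional[Finding]:
    bad = sorted(set(h.open_services) & CLEAR_TEXT_SERVICES)
    if bad:
        return Finding(h.name, "clear_text_services",
                       "clear-text services listening: " + ", ".join(bad))
    return None


CHECKS: List[Check] = [check_patch_level, check_password_length,
                       check_guest_account, check_clear_text_services]


def audit(hosts: List[Host]) -> List[Finding]:
    """Run every check against every host; an unclassified host is itself a finding."""
    findings: List[Finding] = []
    for h in hosts:
        if h.criticality not in GUIDELINES:
            # No asset assessment means no applicable guideline: flag, don't guess.
            findings.append(Finding(h.name, "asset_classification",
                                    f"unknown criticality {h.criticality!r}"))
            continue
        findings.extend(f for f in (check(h) for check in CHECKS) if f)
    return findings


def noncompliant_hosts(findings: List[Finding]) -> List[str]:
    return sorted({f.host for f in findings})


def report(hosts: List[Host]) -> str:
    """Text report pinpointing each out-of-compliance host and why."""
    findings = audit(hosts)
    lines = [f"{len(noncompliant_hosts(findings))} of {len(hosts)} hosts out of compliance"]
    for name in noncompliant_hosts(findings):
        lines.append(f"{name}:")
        lines.extend(f"  [{f.check}] {f.detail}" for f in findings if f.host == name)
    return "\n".join(lines)


# Constructed sample inventory (what a collection script would return).
SAMPLE_HOSTS = [
    Host("db01", "critical", 10, 12, False, ["ssh"]),           # patched too slowly
    Host("web02", "standard", 10, 8, False, ["ssh", "telnet"]), # telnet open
    Host("ws-1043", "standard", 3, 6, True, []),                # weak pw, guest on
    Host("fs01", "critical", 2, 14, False, ["ssh"]),            # compliant
    Host("lab-07", "", 1, 8, False, []),                        # never classified
]

if __name__ == "__main__":
    print(report(SAMPLE_HOSTS))
```

Because criticality selects the threshold, the same check functions enforce a stricter guideline on db01 than on web02 without duplicating logic, which is the point of deriving guidelines from the asset assessment rather than hard-coding them per host.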
