A key piece of compliance is enforcing policies through systems like Active Directory, but once set, it's difficult to ensure that rules remain effective--rapidly evolving technology means infrastructure modifications routinely outpace IT's ability to manage change, leading to gaps between "official" corporate policy and reality on the ground. Add telecommuters and branch offices to this lack of visibility, and you have a management nightmare.
The first step to get back on track is to align security guidelines with regulations and deploy Active Directory Group Policies to enforce configurations ... no small feat. Once that's accomplished, IT must still demonstrate compliance. Just defining necessary settings isn't enough--auditors expect you to prove rules are correctly applied.
Vendors claim new Active Directory compliance tools can gauge policy effectiveness and add value for both IT and the business. Misconfigured devices are more likely to have security problems that expose data to exploits or internal misuse. And a relatively small percentage of workstations--usually those with nonstandard settings that allow the user too much control--tend to generate a disproportionate number of virus and spyware incidents.
There's certainly a case to be made for any technology that promises to streamline compliance costs and measurably improve security. But as with most compliance software, it's difficult to determine true value amid the clamor of hype. Not all products are created equal, and the last thing you need is another point tool that fails to deliver.
Don't get us wrong--there's value to be found. But to avoid pitfalls that threaten to leave you with a false sense of security and no tangible improvement, lay policy groundwork and examine current capabilities before going shopping.
(click image for larger view)