GRC At RSA

While I didn't get as much time on the floor as I would have liked, I think one of the more interesting themes from the RSA show is Governance, Risk, and Compliance (GRC). Ultimately, all the security products available, all the best practices, all the sessions, directly impact GRC. A few years past and two magazines ago, I was following the desktop compliance management market pretty closely. Desktop compliance management was the idea that compliance requirements drive desktop and server management and, through an enforceable policy, enterprises could report on desktop compliance. It's a multifaceted approach where just having a desktop management practice was a compliance objective in and of itself.

The products I reviewed from CA, BindView (acquired by Symantec), Configuresoft, NetIQ (acquired by Attachmate), and Security Expressions (acquired by Altiris, then acquired by Symantec) had varying degrees of integrated policy development tools that could be turned into technical checks. At the time, NetIQ had the most full-featured integration where you could write a technical policy statement, for example, about password complexity and automatically turn that into a check for Windows Group Policy Object. Once you wrote the policy, it was imported into their management software, which would then run the checks and generate a report. If a technical policy statement didn't have a corresponding technical check, a check could possibly be developed. Nontechnical policy statements, such as defining how users should remember passwords, had no technical checks.

This also was occurring at the time SOX, HIPAA, PCI and other regulations were just popping into the awareness of IT and it seemed like compliance -- specifically, failing compliance -- would rain fines on offending organizations. Many companies were faced with having to interpret regulations and more important, create s strategy to satisfy multiple regulations. One vendor, NetIQ, if I recall correctly, embarked on a program to normalize requirements for all the regulations as part of its product.

More recently, the number of vendors promoting GRC-related products was pretty high. Notably, I ran into Craig Issacs, CEO of Network Frontiers. Network Frontiers is a consulting company focusing partly on compliance. What's interesting is it offers, through a license, services to enterprises and vendors that normalize multiple regulation requirements to meet a minimum baseline, thus taking out the guesswork. GRC is a promising space that may provide real value in a litigious society.