There is a range of definitions for “policy management.” For example, some systems enforce security policy via controlling device configurations and network admission controls such as Elemental Security’s Elemental Compliance System or the older Symantec Enterprise Security Manager device policy checker.
But Command Center addresses a different set of issues than just checking device settings. It focuses on three areas of security policy – lifecycle management, awareness and training, and very basic vulnerability management.
The policy lifecycle component consists of content templates, document database, status tracking database and a workflow engine for version control, archiving, and review/approve/audit tracking of every step of the lifecycle.
Two features stood out to us. First, the web-based end-user security awareness and training module provides tracking of user review and acceptance of security policy and end-user security educational material. Second, the regulatory compliance matrices map regulations to policy and processes. Included reports were comprehensive and granular.
In the context of Command Center, policy lifecycle management consists of the entire process that an organization uses to create, review, publish online, update and track security policies and technical standards, as well as track end-user review and acceptance.
It implements a web-based workflow system that provides version control and archival storage to facilitate auditable and collaborative interactions. Document types can be policies, technical standards, device configuration checklists, user quizzes, procedures, and so on.
Once set up, the basic flow is: user creates draft document via templates (or uploads existing document type); uploads drafts into workflow engine; assigns the roles of policy reviewer and approver to users; and tracks review and approves status of drafts via status tracking database.
Once the security document achieves approval status, the user deploys it to target groups/users, and track end-user review and acceptance of policy.
Command Center users receive emails with a secure web link that points to the document requiring their review/approval. They log into Command Center, review, edit and approve the document, and its status is automatically updated, documented and routed to the next person in the process.
Various management reports provide a documented audit trail of all actions taken against the document which can help provide proof of compliance.
From a licensing perspective, Command Center users are those in an organization with oversight of the security policy content and lifecycle, such as security team members and business asset stakeholders. But an awareness and training module is included, targeted at general end-users.
Using a role-based model, many users can be assigned the roles of policy reviewer or approver with special access controls for auditors and functional access based on need-to-know. The visually informative, object-based web user interface provides a top-to-bottom drill-down of the security policy framework, from the top-level charter document to individual policies and technical standards. The contents of all document templates are fully customizable and users can upload an organization’s security policy documents.
One of the biggest factors in maintaining a secure environment is an organizational culture of security awareness, so employees must understand what security role they play, how to perform it and why it is important. To this end, Command Center provides various end-user-focused security quizzes, device configuration best practices and checklist templates for the more technical professional.
From a policy update or deployment perspective, end-users can be notified at login time that there is a new or updated policy for their review. The user must then review and tick a checkbox to confirm that they have read the policy.
Command Center tracks not only the user check-off, but also whether the user’s web browser has viewed the policy page.
Vulnerability management capabilities include system profile-based vulnerability alerting, remediation task tracking and live vulnerability feeds from US-CERT and SecurityFocus.
If you need a solution to help you build and manage a corporate security policy and awareness framework, or directly link regulatory requirements to your security process, procedures and policies, then Command Center is worth a look. Whether building from scratch, enhancing what you may already have, or jump-starting a security policy program to meet specific regulations, Command Center helps streamline implementation and help you retain and prove your compliance.
For: Comprehensive regulatory compliance matrices with gap analysis to security policy; easy-to-use object based GUI; wealth of included content.
Against: Third-party application integration requires additional consulting services; limited vulnerability management capabilities.
Verdict: A time saver with encapsulated content, but security and business experts will need to collaborate to maximize effective use of this tool.