Mind Your Ps: Security Policy Management Tools

Jul 01, 2003 | 2 mins
Data and Information Security, IT Leadership, Security

Chances are good that you’ve had at least a half dozen “security policy management” software packages pitched at you during the past few months. And every one of them does something completely different.

“Folks have picked up on the word policy being important to senior executives, so everything becomes a ‘policy management tool’ even if all they really do is patch systems. It’s created a lot of confusion” among would-be software buyers, says Pete Lindstrom, research director for Spire Security.

So how do CSOs make sense of the chaos and understand which of the countless policy tools might really address their particular needs? The simplest way to parse policy tools is to think in terms of the Little P and the Big P, according to IDC Research Director Charles Kolodgy (CSO’s publisher is a sister company to IDC). Here’s what he means: The Little P refers to more technical tools that “deal with the management of a stated machine”: making sure firewalls have the correct settings, for example. This category includes tools such as those from Securify and equipment vendors such as Check Point.

The Big P means higher-level policy tools that are used to examine the organization’s overall security posture in terms of regulatory compliance (HIPAA, Gramm-Leach-Bliley and Sarbanes-Oxley being famous domestic examples), or international guidelines and standards (such as ISO 17799 or its relative from the British Standards Institute, BS 7799). Such tools can also capture internal policy decisions such as “No Instant Messenger” and push that information out to the corporate firewalls.

Kolodgy says no current tool completely automates that process, but that products from such vendors as BindView, NetIQ, PoliVec and Symantec are reasonably well-positioned to push to this level of functionality. Big P tools need to address not only technical vulnerabilities but also those attributable to human error, such as easily guessed passwords. Thus far, Kolodgy says, such capabilities remain beyond the software available from hardware vendors.
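The Little P / Big P split above is easiest to see in code. The following is an added illustration, not code from the article or from any vendor it names: a Big P statement (“No Instant Messenger”) is compiled into the Little P facts a single firewall must satisfy, and a stated ruleset is audited against them. The policy name mapping, the port numbers standing in for IM protocols, the first-match semantics with an implicit default deny, and all three rulesets are constructed assumptions.

```python
"""Added illustration (not from the article or any vendor) of the
Little P / Big P split: a Big P policy statement is compiled into the
Little P facts a firewall must satisfy, and a stated ruleset is audited
against them. Port numbers and rulesets are constructed examples."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class FirewallRule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    dst_port: Optional[int]      # None matches any destination port
    direction: str = "outbound"  # only outbound traffic is checked here


Endpoint = Tuple[str, int]

# Assumed Little P mapping for one Big P statement. The ports are
# constructed stand-ins for "instant messenger" protocols.
IM_ENDPOINTS: Set[Endpoint] = {("tcp", 5190), ("tcp", 1863), ("tcp", 5222)}


def compile_policy(policy: str) -> Set[Endpoint]:
    """Translate a Big P statement into (proto, port) pairs that must be
    unreachable outbound. Unknown statements fail loudly rather than
    silently auditing nothing."""
    if policy == "No Instant Messenger":
        return set(IM_ENDPOINTS)
    raise ValueError(f"no compiler for policy {policy!r}")


def first_match(rules: List[FirewallRule], proto: str, port: int) -> str:
    """First-match semantics: the first rule whose fields fit decides.
    If nothing matches, an implicit default deny is assumed."""
    for r in rules:
        if r.direction != "outbound":
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dst_port is not None and r.dst_port != port:
            continue
        return r.action
    return "deny"


def audit(rules: List[FirewallRule], policy: str) -> Set[Endpoint]:
    """Return the endpoints the ruleset still allows although the policy
    forbids them. An empty set means this machine honours the policy."""
    return {ep for ep in compile_policy(policy)
            if first_match(rules, ep[0], ep[1]) == "allow"}


# Constructed ruleset 1: a blanket "allow everything outbound".
PERMISSIVE = [FirewallRule("allow", "any", None)]

# Constructed ruleset 2: the denies exist but sit AFTER the blanket allow,
# so first-match never reaches them. Rule order, not intent, is the defect.
MISORDERED = [FirewallRule("allow", "any", None)] + [
    FirewallRule("deny", p, port) for (p, port) in sorted(IM_ENDPOINTS)]

# Constructed ruleset 3: the corrected form, specific denies first.
CORRECTED = [FirewallRule("deny", p, port) for (p, port) in sorted(IM_ENDPOINTS)] + [
    FirewallRule("allow", "any", None)]

if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE),
                        ("misordered", MISORDERED),
                        ("corrected", CORRECTED)):
        gaps = audit(rules, "No Instant Messenger")
        print(f"{name:10s} -> {'compliant' if not gaps else sorted(gaps)}")
```

The misordered ruleset is the case worth noticing: every deny the policy calls for is present, yet the machine is non-compliant because a first-match filter decides on the blanket allow before it ever reaches them. A Big P tool that only checked for the presence of rules would report a pass; auditing the effective decision per endpoint, as `audit` does, is what catches it.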

Other products still further up the totem pole could still be considered policy management tools, according to Lindstrom, who mentions software from Archer Technologies and Cogentric. This group of products provides ultra-high-level views of the enterprise and its exposure to risk.

They also go by the heading “risk management consoles” (for more on these programs, see Toolbox, December 2002), but after all, what’s in a name?