Post a comment or question on this story.
Security Policy Monitoring
It may start innocently enough, perhaps with a user installing a seemingly innocuous piece of software on a networked enterprise PC. This might annoy the desktop people, but as the security manager, it's not your problem, right? Wrong. Can you be sure that the application did not change vital configurations on the machine, possibly making your entire network vulnerable? Worse, if your security policy is not continually enforced, such a hole might go unnoticed indefinitely. And even if your desktops are locked down tight, HIPAA requires all health-care organizations to have a system in place ensuring the security of all patient information; the Gramm-Leach-Bliley Act makes similar demands on financial institutions. Security policy enforcement, clearly, is taking on new urgency.
The best way to stay in the Feds' good graces is security policy monitoring, whereby you lay down the law across your organization and then constantly audit for compliance. We gathered security policy monitors from BindView, Computer Associates International, Configuresoft, NetIQ, Pedestal Software, Polivec and Symantec in our Syracuse University Real-World Labs® and deployed them on a 100-node network. In the process we nailed some hideously out-of-compliance production systems. Ouch.
After a few months of poking and prodding, we were impressed with all the products we tested. Price was, of course, a factor--this level of control does not come cheap. Still, each allowed for stringent compliance checks and offered strong reporting; some even helped us write policies via templates and could proactively slap around deviant systems. We awarded BindView's bv-Control 7.2 our Editor's Choice for its all-around strong feature set. Shops with tight budgets should take a look at our Best Value Award winner, Pedestal Software's SecurityExpressions 3.0.
If your organization is in the financial or health sector, you no doubt are familiar with the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). Both mandate specific actions to protect the security and privacy of customer and patient information, respectively. They affect how organizations collect, store, transmit and allow access to nonpublic information that can be individually identified to a customer receiving a financial product or service or a patient receiving health care. But neither act spells out specific hardware or software solutions that you need to implement to comply with the law.
IT is good at providing practical solutions to network management and security problems. Many of the technologies that apply to both GLBA and HIPAA, such as authentication schemes for identity management, encryption for data transmission, secure VPNs for remote access, and access controls for data storage, are in place. But IT is not so good at documenting the solutions used to meet the legal requirements in laws like GLBA and HIPAA. And that's where policy management can help.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
