Review: After some study and setup, Lumension Risk Manager can be a powerful tool for IT administrators needing to monitor an organization's risk and regulatory compliance status.
What's your organization's exposure to risk? Without a central location in which to keep track of your IT assets and the risks they represent for your business, you may be more exposed than you realize. Enter Lumension Risk Manager, which can be a very effective tool for IT administrators charged with getting a handle on risk and regulatory compliance issues in their organizations and building workflows around addressing them.
If used properly, and if the time is invested in setting up its data structures, Risk Manager can be a valuable tool for tracking exactly how, and how well, a corporation is mitigating its overall exposure to potential risks in its operation. However, the will to use it has to be part of the fabric of an organization, and staffers need to participate in filling out its surveys and monitoring their operations.
At the heart of Risk Manager is the Unified Compliance Framework, a model that was first developed by Network Frontiers and law firm Latham & Watkins and is now used by a variety of organizations (including Microsoft in its System Center Service Manager) to keep track of more than 400 compliance regulations. This framework is used to manage conflicting and overlapping compliance requirements and is the core of Risk Manager's scoring algorithms. The framework offers a model for applying a consistent and unduplicated view across regulations such as the Sarbanes-Oxley Act, HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry) and other standards that influence IT policies and procedures.
Risk Manager runs on any reasonably powerful PC running Windows Server 2003 or later with SQL Server 2005 or later installed, which serves as its data repository. Its entire user interface is accessed through a Web browser, and a wide variety of browsers are supported. I tested with an already-populated sample database using Internet Explorer 7. The product also supports Firefox 3 or Safari 3 or later.
Pricing for Risk Manager 4.1, which began shipping in March, varies depending on the number of individual IP-addressable objects that are monitored, starting at $40 per object with quantity discounts available.
Risk dashboard
The main menu is a dashboard that keeps track of various items, including your own notifications and e-mail reminders the software has sent you, summaries of compliance regulations, and the scores of various groups within an organization based on key performance indicators, such as progress on background checks on contractors or on laptop hard drive encryption.
As with many dashboards, these items are hot-linked to more specific pages, so that a user can just click on areas of interest to drill down for more details. For example, if I wanted to see whether my organization was in compliance with PCI regulations, I would click on that item and get a summary report showing how many items were passing or failing and the scores for particular departments that were affected by that particular collection of regulations. I could also drill down to examine particular departments, such as legal, to see where they were in or out of compliance.