Getting Up to Speed
Learning the lingo
I found that the toughest part of using Risk Manager was learning the jargon that appears in the product, and getting a handle on all of the product's moving parts as I walked through it and began creating test business processes with associated controls. With that said, Risk Manager's included documentation did provide me with enough information to get up to speed with the various metrics used to assemble an overall security posture and with the compliance scores for particular risk factors, such as physical perimeter security or e-mailing private customer data. Each control point, such as the one for assessing desktop physical security, is assigned a series of survey questions that are sent to the various staffers involved.
As the surveys are completed, the overall security posture index score is calculated and presented in a summary screen that also shows historical trends, which compliance regulations are referenced for that posture, and who is subject to that particular set of regulations.
Once you do learn your way around, there is another steep learning curve to conquer before you can start generating useful reports and understanding the lay of your compliance landscape. Risk Manager is meant to serve as a comprehensive tracking device across many disciplines and functional areas of the corporation, so in order to put together meaningful, effective policies, IT managers must spend time making sure they completely understand their organizations and their business processes.
You also can conduct assessments that are geared toward meeting particular compliance regulations, such as HIPAA or rules relating to all your external-facing Web applications. You can keep track of who ran the assessment, when it was run, and what stage of completion it has reached.
You can build up fairly complex criteria for screening particular users, networks or other objects, which Lumension calls subjects. For example, you can set up a way to limit the PCI guidelines to external wireless contractors.
As you might imagine, a product of this complexity needs a solid search engine to allow the user to find something quickly, and search is available from any screen by clicking on a small icon at the top right. For example, I could search for every control that has "vendor defaults" in its description and then click on the relevant result.
New in Version 4.1
Lumension has added several new features in Version 4.1. First is the ability to better define your remediation projects. Scores get assigned to a project more easily, by simply right-clicking on them and adding them to a project. You can also search for users to see which projects they are assigned to, or search through your Active Directory listing and assign them from there. When a project has been completed, the software automatically runs an assessment, which is presented to the security team for validation along with an e-mail notification. This makes it easier for users to manage projects without a lot of navigating around the software's menus.
E-mail notifications have been beefed up too. They are more event-driven and tied to particular workflows. Also, you can monitor particular applications and specify when a score is below a certain level and how often you wish to receive e-mail.
Finally, the software continues to work with vulnerability scanning and patching vendors such as Nessus to directly integrate their intelligence into its operations.