Lumension Risk Manager 4.1 Shines a Light on Compliance

Review: After some study and setup, Lumension Risk Manager can be a powerful tool for IT administrators needing to monitor an organization's risk and regulatory compliance status.

What's your organization's exposure to risk? Without a central location in which to keep track of your IT assets and risks they represent for your business, you may be more exposed than you realize. Enter Lumension Risk Manager, which can be a very effective tool for IT administrators charged with getting a handle on and building workflows around addressing risk and regulatory compliance issues in their organizations.

If used properly and if the time is invested in setting up its data structures, Risk Manager can be a valuable tool for tracking exactly how and how well a corporation is mitigating its overall exposure to potential risks in its operation. However, the will to use it has to be part of the fabric of an organization, and staffers need to participate in filling out its surveys and monitoring their operations.

At the heart of Risk Manager is the Unified Compliance Framework, a model that was first developed by Network Frontiers and law firm Latham & Watkins and is now used by a variety of organizations (including Microsoft in its System Center Service Manager) to keep track of more than 400 compliance regulations. This framework is used to manage conflicting and overlapping compliance requirements and is the core of Risk Manager's scoring algorithms. The framework offers a model for applying a consistent and unduplicated view across regulations such as the Sarbanes-Oxley Act, HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry) and other standards that influence IT policies and procedures.

Risk Manager runs on any reasonably powerful PC running Windows Server 2003 or later and with SQL Server 2005 or better installed, which is used for its data repository. Its entire user interface is accessed through a Web browser, and a wide variety of these are supported. I tested with an already-populated sample database using Internet Explorer 7. The product also supports Firefox 3 or Safari 3 or better.

Pricing for Risk Manager 4.1, which began shipping in March, varies depending on the number of individual IP addressable objects that are monitored, starting at $40 per object with quantity discounts available.

Risk dashboard

The main menu is a dashboard that keeps track of various items, including your own notifications and e-mail reminders the software has sent you, summaries of compliance regulations, and the scores on various groups within an organization based on key performance indicators, such as progress on background checks on contractors or on laptop hard drive encryption.

As with many dashboards, these items are hot-linked to more specific pages, so that a user can just click on areas of interest to drill down for more details. For example, if I wanted to see whether my organization was in compliance with PCI regulations, I would click on that item and get a summary report showing how many items were passing or failing and the scores for particular departments that were affected by that particular collection of regulations. I could also drill down to examine particular departments, such as legal, to see where they were in or out of compliance.