What’s your organization’s exposure to risk? Without a central location in which to keep track of your IT assets and risks they represent for your business, you may be more exposed than you realize. Enter Lumension Risk Manager, which can be a very effective tool for IT administrators charged with getting a handle on and building workflows around addressing risk and regulatory compliance issues in their organizations.
If used properly and if the time is invested in setting up its data structures, Risk Manager can be a valuable tool for tracking exactly how and how well a corporation is mitigating its overall exposure to potential risks in its operation. However, the will to use it has to be part of the fabric of an organization, and staffers need to participate in filling out its surveys and monitoring their operations.
At the heart of Risk Manager is the Unified Compliance Framework, a model that was first developed by Network Frontiers and law firm Latham & Watkins and is now used by a variety of organizations (including Microsoft in its System Center Service Manager) to keep track of more than 400 compliance regulations. This framework is used to manage conflicting and overlapping compliance requirements and is the core of Risk Manager’s scoring algorithms. The framework offers a model for applying a consistent and unduplicated view across regulations such as the Sarbanes-Oxley Act, HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry) and other standards that influence IT policies and procedures.
Risk Manager runs on any reasonably powerful PC running Windows Server 2003 or later and with SQL Server 2005 or better installed, which is used for its data repository. Its entire user interface is accessed through a Web browser, and a wide variety of these are supported. I tested with an already-populated sample database using Internet Explorer 7. The product also supports Firefox 3 or Safari 3 or better.
Pricing for Risk Manager 4.1, which began shipping in March, varies depending on the number of individual IP addressable objects that are monitored, starting at $40 per object with quantity discounts available.
The main menu is a dashboard that keeps track of various items, including your own notifications and e-mail reminders the software has sent you, summaries of compliance regulations, and the scores on various groups within an organization based on key performance indicators, such as progress on background checks on contractors or on laptop hard drive encryption.
As with many dashboards, these items are hot-linked to more specific pages, so that a user can just click on areas of interest to drill down for more details. For example, if I wanted to see whether my organization was in compliance with PCI regulations, I would click on that item and get a summary report showing how many items were passing or failing and the scores for particular departments that were affected by that particular collection of regulations. I could also drill down to examine particular departments, such as legal, to see where they were in or out of compliance.
Getting Up to Speed
Learning the lingo
I found that the toughest part of using Risk Manager was learning the jargon that appears in the product, and a getting a handle on all of the product’s moving parts as I walked through it and began creating test business processes with associated controls. With that said, Risk Manager’s included documentation did provide me with enough information to get up to speed with the various metrics used to assemble an overall security posture and with the compliance scores for particular risk factors, such as physical perimeter security or e-mailing private customer data. Each control point, such as that for assessing desktop physical security, is assigned a series of survey questions that are sent to the various staffers involved.
As the surveys are completed, the overall security posture index score is calculated and presented in a summary screen that also shows historical trends, what particular compliance regulations are referenced for that posture and who is subjected to this particular set of regulations.
Once you do learn your way around, there is another steep learning curve to conquer before you can start generating useful reports and understanding the lay of your compliance landscape. Risk Manager is meant to serve as comprehensive tracking device across many disciplines and functional areas of the corporation, so in order to put together meaningful, effective policies, IT managers must spend time making sure they completely understand their organizations and their business processes.
You also can conduct assessments that are geared toward meeting particular compliance regulations, such as HIPAA or rules relating to all your external-facing Web applications. You can keep track of who ran the assessment and when and what stage of completion it is at.
You can build up fairly complex criteria for screening particular users, networks or other objects, which Lumension calls subjects. For example, you can set up a way to limit the PCI guidelines to external wireless contractors.
As you might imagine, a product of this complexity needs a solid search engine to allow the user to find something quickly, and search is available from any screen by clicking on a small icon at the top right. For example, I could search for every control that has “vendor defaults” in its description and then click on the relevant result.
New in Version 4.1
Lumension has added several new features in Version 4.1. First is the ability to better define your remediation projects. Scores get assigned to a project more easily, by simply right-clicking on them and adding them to a project. You can also search for users to see which projects they are assigned to, or search through your Active Directory listing and assign them from there. When projects have been completed, the software automatically does an assessment and is presented to the security team to be validated with an e-mail notification. This makes it easier for users to manipulate projects without a lot of navigating around the software’s menus.
E-mail notifications have been beefed up too. They are more event-driven and tied to particular workflows. Also, you can monitor particular applications and specify when a score is below a certain level and how often you wish to receive e-mail.
Finally, the software continues to work with vulnerability scanning and patching vendors such as Nessus to directly integrate their intelligence into its operations.