The Sum of Security Parts

Tight security takes a concerted effort.

Vulnerability assessment is just one piece of the due diligence pie.

IT managers should craft a security plan only after they understand business objectives because company executives, shareholders and, ultimately, customers measure security breaches in business, not technical, terms.

Before or, at least, during a vulnerability assessment, IT managers should have a complete inventory of hardware and software assets. eWEEK Labs specifically evaluated the ability of the three vulnerability assessment tools we tested to pick up new equipment between scans. Qualys Inc.s QualysGuard Enterprise Intranet Scanner did it best, which is one reason why it earned our Analysts Choice award.

No matter how good a vulnerability assessment tool is, however, it cannot substitute for an effective inventory management system, such as Tally Systems Corp.s TS.Census.

Inventory management tools excel at tracking changes in inventory over time. This creates an audit trail based on vulnerability assessment tools reports that buttresses actions taken.

Due diligence in creating a secure computing environment, whether required by legislation such as the Health Insurance Portability and Accountability Act or by corporate governance boards, requires the kinds of independent audit reports these products generate.

Early in the security management planning process, IT managers should lay out the risks associated with loss or corruption of various enterprise data. Value can be determined by the datas importance to business operations and replacement cost.

In addition, it is becoming increasingly important to gauge the possible legal and ethical liabilities the use of various security tools can create.

Security management is an ongoing process that requires integration among various operations. These include patch management, vigilant anti-virus updates and technology assessments of known weaknesses.

A key advantage to using a vulnerability assessment tool is that security staff will almost certainly be freed up from mundane assessment tasks so that they can consider ways to parry advanced threats.