For
This is a ‘must have’ solution, with its ability to create, maintain and distribute security policies with ease.
Against
It’s been a long time in coming.
Verdict
With all the VigilEnt Policy Center’s great attributes for creating and distributing affective policies, it also educates, tests user awareness and tracks it throughout the organization.

Having a security policy is one thing, having a policy that is both enforced and understood is quite another. The VigilEnt Policy Center has been designed to take care of the technology gap and in doing so it provides a solution for its users, policies and the technology it’s there to protect.

Normally, writing a security policy and enforcing it may prove easier said than done, because it isn’t enough to say that your staff are informed these days, now you have to show that they received the information, read it and understood it. That is why PentaSafe Security Technologies, formally an AS400 developer, has produced such an in-depth and usable policy management tool.

Of course, a thorough security policy doesn’t stay static, it is a live document, one that changes with corporate needs and develops along with the perceived threats and changing system architecture. There are just so many aspects to a good policy that it requires a lot of detailed work to keep it in force. This is where the VigilEnt Policy Center comes into its own. Each time you make a change with this solution, you also inform your users, who must read and understand the policy and how it affects them.

To manage a simple knowledge-base task such as this in a large corporate could take a full-time team. This is obviously not a practical solution, but with VigilEnt Policy Center the software does the whole job for you. This includes the ability to see how effective your policies are and, if there are any that don’t work well, which ones require amending or rewriting. To do all this, you also need some form of collation, an information base that lets you see statistics on users, departments and the entire organization.

Organizations must also maintain a ‘best practice’ level of compliance, in order to meet regulations such as BS7799 and ISO 17799, among others. VigilEnt Policy Center can do all the above and more. It really has so many nice ideas incorporated into the whole program that it makes policy writing and implementation very easy. It also encourages the users to log on, read new policies and take a quiz to show they understand it.

All the information on whether individual users have read newly published policies is there for the administrator to see, even down to which users have taken the quiz, what their marks were and of course those who haven’t complied at all. This information can be used to ensure that users are aware of new policies. If they all receive low scores in a particular quiz the administrator will see a potential problem with a certain policy and take the necessary steps to put this right.

If a user fails a certain question their final percentage mark will be underlined; this signifies that there is more information available. The administrator can then click on the underlined score to find out the areas a user stumbled on. If this sounds interesting so far, we can tell you that installation is also made easy. The solution takes into account the fact that administrators don’t have time to throw away and can’t be experts in every field.

The requirements are not overly demanding, just a 300MHz Pentium processor running either Windows NT, 98 or 2000, Internet Explorer 4 or higher, a direct connection to the company intranet and a recommended 256Mb of RAM. The installation itself is easy to accomplish and takes little time to achieve.

The first time you, the administrator, access the Policy Center you must change the password, as by default this is blank. Writing your first policies couldn’t be easier! PentaSafe has provided pre-written policy documents and has also provided the most comprehensive policy library any administrator could wish for. The library includes Information Security Policies Made Easy v7, written by Charles Cresson Wood, a leading light in the industry.

You can even take one of the VigilEnt Policy Center pre-written policies and amend it to suit your own organization by, for example, changing the password length required. You simply delete the original number and overwrite with the new! By using these pre-written policies an administrator may develop a quick and versatile security policy and have it in place, up and working in a very short time.

The administrator may decide to add certain users to a list of reviewers; these will be given extra rights. Reviewers will be able to access new policies that are pending, read them and reject or accept them. If the new policy is rejected it will be put back into the draft area but if it is accepted it will be published onto the user site.

By providing some users with ‘reviewer’ rights the administrator can allow departments to make decisions on the rules that are pertinent to the employees that they are in charge of. It provides a fresh approach and can help to lessen the burden on the administrator as well as provide departmental input into policies that affect them.

This comprehensive policy management tool takes user input seriously and allows them to report incidents so that email notification can be sent directly to the administrator. This provides a two-way flow. The administrator knows who has read the new policies and done the appropriate quiz and users can themselves provide input as to incidents that may have taken place.

There is also a news area on the users’ site so that when they log in they can read items that may affect them, such as areas that may be shut down for maintenance, etc. This may also help to keep users interested and willing to visit the site on a regular basis.

The VigilEnt Policy Center approach makes the management of a security policy very easy to maintain and involves the users so that not only do they know what is going on, but they are also encouraged to understand it all. In addition, each user has access to a ‘commentary.’ This provides information that informs the user why a particular policy is important. Each posted policy is printable so that the user can familiarize him or herself with its full impact and meaning before returning to do the quiz.

This interactive approach is an excellent incentive to all staff members. Moreover, the administrator’s site is fully loaded with user report functionality, policy reporting and other useful information so that preparing and analyzing the effect a new policy has made will always be interesting as well as productive.

SC On-Line
SC Magazine
www.scmagazine.com