Security's human side

By Mario Apicella, InfoWorld

When it comes to keeping your company's systems secure, employees and managers play roles as important as those of the technological gadgets they deploy. Any security shield that protects your business should be accompanied by sound company policies that explain risks, outline duties, and recommend correct behaviors to your users. Failure to do so could expose your company to litigation and possibly to damaging public embarrassment.

Unfortunately, keeping your users up to speed on security policies bears a significant cost because you need to create and disseminate those documents and then verify that your users acknowledge and understand them.

PentaSafe Security Technologies Inc., a software company that specializes in security products, offers a comprehensive solution to that problem with VigilEnt Policy Center (VPC) 2.0. The next release of the policy management software will employ a common, Web-based infrastructure to create, publish, and monitor security policies.

We looked at the beta version of VPC 2.0 and were impressed with its simplicity, ease of use, and powerful publishing and user-training capabilities. Despite some rough spots in the beta version, we recommend deploying the product when it is released in June.

Security policies on the move

Primarily, VPC is a browser-based platform for creating and publishing security policies written clearly and simply for the benefit of your employees. In addition to English, Version 2.0 can communicate with users in French, German, and Spanish, although the solution doesn't automatically translate a policy into a different language. The product provides its own HTTP server and integrates with Microsoft Corp. IIS on Windows NT 4.0 and Windows 2000 platforms.

From a browser-contained client, security administrators can write policies using wizards and templates, or they can import existing documents in the most common formats, including rich text, XML, HTML, Microsoft Word, and Adobe Systems Inc. Acrobat. Administrators can instantly publish a new policy and make it available to users across the company network, regardless of the employees' location. VPC stores policies in its embedded database or in a Microsoft SQL Server repository. Users view and acknowledge new policies from their browser-based client.

To simplify administrative tasks, VPC allows administrators to import user and group lists from an LDAP directory or text file. By doing so, administrators can easily maintain consistency with existing authentication systems. They can also define homogeneous access control lists that identify target users, such as developers, computer operators, accounting clerks, or security managers, and specify their access rights for each policy. When a new document is published, VPC will automatically insert a link to the document and a warning message on those users' home page.

Using VPC, users can easily read new and previous policies from their browser without additional client software; your company can say good-bye forever to hefty three-ring binders.

Furthermore, VPC keeps a tally of the documents that each user reads. By examining the tally information, administrators can instantly spot those who are falling behind with mandatory reading and take action. Controlled distribution of company policies is one of VPC's greatest benefits because it eliminates the cost and inconvenience of manually delivering and tracking documents.

Train thy users as you'd train thyself

Most company policies include guidelines for safely handling e-mail messages, for example, but those guidelines are probably buried among hundreds of other equally important messages, and your security manager doesn't have a clue as to how many users have actually read and understood them.

VPC has a take-no-prisoners approach to this problem: Security managers can create smaller and simpler group-targeted policies, thereby negating any user's excuse for not reading them. More importantly, VPC allows security administrators to create electronic questionnaires specific to each policy that will score users' understanding of that topic.

For example, administrators can assign a score for each correct answer to the questionnaire and a minimum score to pass the test. If users don't pass, the questionnaire can suggest a course of action, such as reviewing the appropriate documents. The results of each test appear in the administrative console for the benefit of the security manager, who can generate several reports or charts directly from the console to document how well users understand each policy.

Simple and effective, VPC's capability of evaluating users' understanding of security policies reduces training costs and creates a record to prove your company's good faith efforts in promoting and enforcing those policies.
