From: www.itworld.com

Security's human side

by Mario Apicella

May 29, 2001

When it comes to keeping your company's systems secure, employees and managers play roles as important as those of the technological gadgets they deploy. Any security shield that protects your business should be accompanied by sound company policies that explain risks, outline duties, and recommend correct behaviors to your users. Failure to do so could expose your company to litigation and possibly to damaging public embarrassment.

Unfortunately, keeping your users up to speed on security policies bears a significant cost because you need to create and disseminate those documents and then verify that your users acknowledge and understand them.

PentaSafe Security Technologies Inc., a software company that specializes in security products, offers a comprehensive solution to that problem with VigilEnt Policy Center (VPC) 2.0. The next release of the policy management software will employ a common, Web-based infrastructure to create, publish, and monitor security policies.

We looked at the beta version of VPC 2.0 and were impressed with its simplicity, ease of use, and powerful publishing and user-training capabilities. Despite some rough spots in the beta version, we recommend deploying the product when it is released in June.

Security policies on the move

Primarily, VPC is a browser-based platform for creating and publishing security policies written clearly and simply for the benefit of your employees. In addition to English, Version 2.0 can communicate with users in French, German, and Spanish, although the solution doesn't automatically translate a policy into a different language. The product provides its own HTTP server and integrates with Microsoft Corp. IIS on Windows NT 4.0 and Windows 2000 platforms.

From a browser-contained client, security administrators can write policies using wizards and templates, or they can import existing documents in the most common formats, including rich text, XML, HTML, Microsoft Word, and Adobe Systems Inc. Acrobat. Administrators can instantly publish a new policy and make it available to users across the company network, regardless of the employees' location. VPC stores policies in its embedded database or in a Microsoft SQL Server repository. Users view and acknowledge new policies from their browser-based client.

To simplify administrative tasks, VPC allows administrators to import user and group lists from an LDAP directory or text file. By doing so, administrators can easily maintain consistency with existing authentication systems. They can also define homogeneous access control lists that identify target users, such as developers, computer operators, accounting clerks, or security managers, and specify their access rights for each policy. When a new document is published, VPC will automatically insert a link to the document and a warning message on those users' home page.

Using VPC, users can easily read new and previous policies from their browser without additional client software; your company can say good-bye forever to hefty three-ring binders.

Furthermore, VPC keeps a tally of the documents that each user reads. By examining the tally information, administrators can instantly spot those who are falling behind with mandatory reading and take action. Controlled distribution of company policies is one of VPC's greatest benefits because it eliminates the cost and inconvenience of manually delivering and tracking documents.

Train thy users as you'd train thyself

Most companies' policies include guidelines for safely handling e-mail messages, for example, but those guidelines are probably buried among hundreds of other equally important documents, and your security manager has no idea how many users have actually read and understood them.

VPC has a take-no-prisoners approach to this problem: Security managers can create smaller and simpler group-targeted policies, thereby negating any user's excuse for not reading them. More importantly, VPC allows security administrators to create electronic questionnaires specific to each policy that will score users' understanding of that topic.

Administrators can assign a score for each correct answer to the questionnaire and a minimum score to pass the test, for example. If users don't pass, the questionnaire can suggest a course of action, such as reviewing the appropriate documents. The results of each test appear in the administrative console for the benefit of the security manager, who can generate several reports or charts directly from the console to document how well users understand each policy.

Simple and effective, VPC's capability of evaluating users' understanding of security policies reduces training costs and creates a record to prove your company's good faith efforts in promoting and enforcing those policies.
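To make the read-tally and questionnaire mechanics described above concrete, here is a small model of that workflow. It is an added illustration, not PentaSafe code, and every user, group, policy and question in it is constructed; the group-targeting, acknowledgement tracking, per-question points, pass threshold and suggested remediation follow the review's description.

```python
"""Constructed model of group-targeted policies, acknowledgement tracking and
questionnaire scoring. Not PentaSafe's code; all names and data are made up."""
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    groups: set        # target groups (the review's per-policy access control lists)
    questions: dict    # question id -> (correct answer, points awarded)
    pass_score: int    # minimum total points needed to pass the questionnaire


# Constructed sample data: users with group memberships, policies, acknowledgements.
USERS = {"alice": {"developers"}, "bob": {"accounting"}, "carol": {"developers", "security"}}
POLICIES = [
    Policy("Email handling", {"developers", "accounting", "security"},
           {"q1": ("no", 5), "q2": ("report", 5), "q3": ("yes", 5)}, pass_score=10),
    Policy("Source code handling", {"developers"},
           {"q1": ("yes", 10), "q2": ("never", 10)}, pass_score=20),
]
ACKS = {("alice", "Email handling"), ("carol", "Email handling"),
        ("carol", "Source code handling")}


def applicable(user):
    """Policies whose target groups overlap the user's groups."""
    return [p for p in POLICIES if USERS[user] & p.groups]


def outstanding(user):
    """Mandatory reading the user has not yet acknowledged (the admin's tally)."""
    return [p.name for p in applicable(user) if (user, p.name) not in ACKS]


def score_quiz(policy, answers):
    """Score answers against the questionnaire; suggest a course of action on a fail."""
    score = sum(pts for q, (correct, pts) in policy.questions.items()
                if answers.get(q, "").strip().lower() == correct)
    passed = score >= policy.pass_score
    action = None if passed else f"Re-read '{policy.name}' and retake the questionnaire"
    return {"score": score, "passed": passed, "action": action}


def compliance_report():
    """Per-policy (acknowledged, targeted) user counts for the management console."""
    report = {}
    for p in POLICIES:
        targeted = [u for u in USERS if USERS[u] & p.groups]
        acked = [u for u in targeted if (u, p.name) in ACKS]
        report[p.name] = (len(acked), len(targeted))
    return report
```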

Beyond IT

Interestingly, VPC is not limited to creating and distributing IT security policies. You can import existing documents in the product's database and take advantage of its publishing, training, and monitoring tools to ensure that users are well-acquainted with sensitive issues such as evacuating the building in an emergency, responding to threatening telephone calls, or dealing with unacceptable workplace behavior.

Making sure that employees know what to do in such circumstances can save lives and protect your company from liability and embarrassment. In fact, companies can often be held responsible for the actions of their employees, such as in a sexual-harassment dispute, and the company must be able to prove that proper policies were enforced. VPC offers an easy, viable solution to educate your users and to keep records of it. This feature alone justifies acquiring the product.

In the ongoing effort to make businesses more secure, companies often overlook the most important factor of security: the human element. VPC's unique features offer an affordable and user-friendly platform to make sure that your users understand what is required from them.

Furthermore, VPC's built-in integration with VigilEnt Security Manager (another product from PentaSafe that audits machine activities on client-server and AS/400 platforms) creates a common point of control for computer and human security policies. This is more than you can find elsewhere, so we recommend deploying the upcoming PentaSafe VigilEnt Policy Center 2.0.

THE BOTTOM LINE: BETA
VigilEnt Policy Center 2.0
Business Case: Ensuring that your employees understand security guidelines can protect your company from financial loss and negative public exposure. VigilEnt Policy Center simplifies document distribution and offers tools to monitor user acceptance and understanding of policies.
Technology Case: Limited to the Windows platform, VigilEnt Policy Center integrates easily with existing e-mail servers, Microsoft IIS Web servers, and SQL Server databases. Browser-based clients minimize user installation issues, and built-in import features simplify the process of adding users and groups.
Pros:
+ Simple, nontechnical user interface
+ Web-based policy publishing and user training
+ Automated monitoring of user acceptance and understanding
+ Compatible with common document formats
Cons:
- Some UI inconsistency
Cost: License fee is US$12,500, plus $4.50 to $17.00 per user per year, including support and upgrades. Per-user fees depend on number of users and subscription length.
Platform(s): Windows NT 4.0 and Windows 2000 with IIS or built-in Web server. Client runs inside Microsoft and Netscape browsers. A SQL Server database for policy repository is recommended.
Company: PentaSafe Security Technologies Inc., www.pentasafe.com
Shipping: June 2001