
Conference to put spotlight on compliance

By Cara Garretson, Network World, 11/14/2005

As compliance responsibilities fall more in the laps of security professionals, vendors are responding with products and services designed to make understanding and reporting on risk and compliance more accessible.

At the Computer Security Institute (CSI) Conference in Washington, D.C., this week, a number of vendors, including NetIQ, Consul and Configuresoft, will unveil new or updated offerings aimed at making it easier for companies to assess risk and gauge their compliance with federal and industry regulations. The conference, in its 32nd year, is expecting 3,000 attendees. It also features for the first time a compliance track with nine presentations covering topics such as compliance management, consumer breach notification statutes and privacy.

But why is compliance of such interest to security professionals? "It's not, but we're seeing more and more security managers made responsible for compliance," says Khalid Kark, a senior analyst with Forrester Research. "That's why it's a big deal for those people to know what's going on in the industry, what the regulations are and how to comply."

This trend toward making security professionals responsible for compliance began a few years ago but has picked up significantly over the past year, because of "a lack of companies being able to find someone else," Kark adds. "Since security [professionals] already have related responsibilities, to be fair it probably makes sense; you don't want to have several different efforts in trying to do the same kinds of things."

At the conference, NetIQ plans to announce its Risk and Compliance Center. This software centralizes and analyzes data from NetIQ's security products regarding configurations, policy compliance and vulnerability to create a management console for quickly gauging compliance of a company's IT controls, says Chris Pick, the company's vice president of corporate strategy. The console works as an "executive dashboard" to extract technical data regarding compliance and risk management and display it clearly, he says.

NetIQ Risk and Compliance Center is priced starting at $40,000 and slated for availability before year-end.

Also at the CSI Conference, Consul Risk Management plans to announce Version 6.0 of its Insight suite of security auditing and compliance tools. New features include an option to automatically generate security policies, new end-user filtering abilities and improvements to the suite's management module, company officials say.

Consul is addressing the intersection of compliance and security by tracking and reporting on malicious and unintended security policy violations, so that a compliance record can be established. The company calls its approach the W7 methodology, determining who, what, when, where, where from, where to, and on what to monitor and analyze activity. The upgrade is priced at $40,000.

Another company, Configuresoft, is focusing on the compliance of IT systems for companies that handle credit card data. The company's Enterprise Configuration Manager/PCI DSS Continuous Compliance toolkit aims to help vendors and merchants covered by the Payment Card Industry Data Security Standard (PCI DSS) that governs the security of credit card data.
