How can you confirm your systems are configured appropriately and maintain that configuration over time? In our tests, Preventsys Network Audit and Policy Assurance 1.5 proved to be a flexible, easy-to-use product that earned accolades as a World Class Award designee.The growing number of\u00a0security\u00a0policies and regulations companies are required to follow - the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, for example - creates high demand for policy-compliance products. But how can you confirm your systems are configured appropriately and maintain that configuration over time? In our tests,\u00a0Preventsys\u00a0Network Audit and Policy Assurance 1.5 proved to be a flexible, easy-to-use product that earned accolades as a World Class Award designee.Preventsys takes the results of vulnerability assessment scans and compares them with defined policies, looking for systems that are out of compliance. By default, open source tools Nessus and Nmap are used for scanning, but many third-party products, including\u00a0Internet Security Systems'\u00a0Internet Scanner and\u00a0eEye Digital Security's\u00a0Retina, also are supported. Preventsys uses\u00a0XML \u00a0at its core, so you are only limited by your ability to get your audit results in an XML format that the Preventsys product can then analyze. How we did it Archive of Network World reviews Subscribe to the Product Review newsletterThe system comprises three main servers: the audit, compliance and database servers. The audit server runs scans. The compliance server performs all the analysis and processing of the scan results. Users tap into the whole system via a Web-based console that's communicating with the compliance server. The database (PostgreSQL by default, but Oracle also is supported) server stores all the data, both raw and analyzed.Preventsys shipped three Shuttle systems containing 2.4- or 2.8-GHz Pentium 4 processors, each with 1G byte of RAM for our testing, but customers only receive the software and professional services for installation. The Web interface is intuitive and easy to use. We created new users, defined networks and hosts, and launched a scan in a matter of minutes.We were impressed with the level of detail at all configuration levels. For example, user permissions are segregated between scanning, analysis, reports, remediation updates and remediation assignment activities. This segregation, combined with definable network\/host permissions, means you could tailor its security parameters to fit almost any organizational structure.Preventsys includes an array of default policies, such as the SANS Top 20 and or your own list of e-commerce servers. A number of policies also are developed from National Security Agency and National Institute of Standards and Technology guidelines. Additional policies that Preventsys developed are included in the built-in Policy Library Update function of the product. A rollback function also is available for easy removal.Preventsys provides several methods to create and update policies. The most direct is to modify the XML code yourself. For a more template-driven approach, the Web interface includes some policy development functionality. A third option is to use the separate Windows-based Policy Lab application that Preventsys provides to design and create new policies.Preventsys can be configured in a number of ways, support myriad scan reports in XML and run any policy created against any scan data. A strong feature is the ability to re-analyze scan data, meaning you can run a policy comparison against scan data at any time. This works great for those companies that have specific windows for systems scans, but might need to check new policy compliance at any time.Reporting is another strong point of Preventsys. The system includes a number of default reports, including executive summaries, compliance, trends, remediation tasks and individual network\/ host reports. Each report can be published so it is easily accessible through the administration interface. Additionally, reports can be exported to a PDF and saved offline. Preventsys Network Audit and Policy Assurance System 1.5 RATING 4.9 Company: Preventsys, (760) 268-7800 Cost: Ranges from $65,000 for 1,000 nodes to $375,000 for 20,000 nodes. Pros: Highly customizable with XML infrastructure; excellent user interface; ability to analyze multiple policies with one set of scan results. Cons: Pricey. \u00a0Ease of use\/flexibility 25%\u00a0 5.0 Reports 25%\u00a0 4.8 Policy development 25%\u00a0 5.0 Remediation 25%\u00a0 4.8 TOTAL SCORE 4.9 \u00a0Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar Preventsys has integrated the ability to calculate your financial risk. When defining assets within the system, you can enter the cost of the system in terms of the price of the machine or the value of the data on that machine. These numbers are used during the report-generation phase to calculate various risk levels if either the machine or its data is compromised.Remediation assignments - where you define who on your staff is responsible for fixing certain vulnerabilities - are easily managed through the system. Because Preventsys supports a number of different tools, you can hand out remediation assignments for vulnerabilities detected from multiple scanners from this central place. Once assigned, the assignee then can update the task with the results of their investigation and note any action taken as a result.Preventsys also can include a wireless module that will analyze a wireless infrastructure for security weaknesses. We did not test this module.Overall, Preventsys provides a strong central control point for vulnerability analysis, policy compliance, remediation tracking and reporting. With the growing list of security requirements, centralized policy compliance reporting eases the job of security managers.