New software from Symantec Corp. may help make it easier fororganizations to comply with various regulations likeSarbanes-Oxley and PIPEDA.
Released in March, Symantec BindView Policy Manager 3.0 allowsorganizations to do three key things to help with policy andcompliance management, according to Indy Chakrabarti,product-marketing manager for Symantec.
BindView Policy Manager lets organizations create policies byeither importing existing ones or using sample templates providedin the program. Using these templates, it is possible to create amalware policy that states anti-virus is installed, up-to-date andrunning in the organization as well as attest that people have readthat policy.
Policy Manager also allows organizations to validate compliancewith regulations and frameworks, something for which manyorganizations have often struggled, said Chakrabarti.
“It can take large organizations forever to do audits forcompliance. They will have multiple audits ongoing and have tore-do audits for every regulation in every quarter,” he said.Auditors are usually working from multiple spreadsheets withhundreds of sub-objectives or policies to make sure they arecomplying with multiple regulations, he added.
Chakrabarti said Policy Manager eases the workload on auditorsby breaking down all of the regulations and frameworks into basicunits that are common across all and allows links to those units inorder to control statements that might, for example, ensureanti-virus is installed within the organization. Through theselinks an organization can demonstrate compliance with requiredregulations, he said.
The software also lets organizations demonstrate compliance.Policy Manager places all compliance information gathered fromdifferent IT administrators and anti-virus tools, backup and dataprotection programs into one location rather than having to obtainthe information from individual sources each month. For example,information that showed anti-virus did run on a particular serverwould be stored with the malware policy.
However, Chakrabarti said Policy Manager only informsorganizations that there are compliance problems. It doesn’t fixthem. If the program discovers any non-compliant servers orworkstations, then a second software program such as Symantec’sCompliance Manager 3.0 is needed to solve the problem.
“Regulations actually require you to have segregation of dutieswhere one person reports on compliance issues and another fixesthings,” Chakrabarti said. .
James Quin, a senior research analyst with London, Ont.-basedInfo-Tech Research Group, said using policy management softwarelike Symantec’s provides savings. He said it costs an averagepublic company millions of dollars a year to hire third partycompliance auditors.
“Sarbanes-Oxley compliance is a specialized field and requires asignificant amount of man power,” Quin said. Having a tool thateasily validate compliance shortens the time required to provecompliance and cuts the cost, he said.
However, Quin reminds organizations that compliance is somethingnot achieved by software alone.
Software programs only establish guidelines and allow anorganization to know what needs to be done to ensure compliance, hesaid. Tools can also set up measures to assess whether employeesare actually following these policies.
“A product like Policy Manager can’t make you compliant. Itfalls to employees in an organization to make sure they have readthose policies.”
Quin said he believes companies are better off working with aprofessional consultant rather than using a software program.Regulatory compliance can be an extremely complex process.
He said policy management software is useful for general policymanagement, especially for organizations that cannot afford to hirea professional consultant.
Symantec BindView Policy Manager 3.0 is based on a flat chargeper user and per content module price.
