Tool Mentor: SCM - Analyze Security Threats, Vulnerabilities and Risks
TM024 - How to Use Security Compliance Manager to Analyze Security Exposures and Risks
Tool: IBM Tivoli Security Compliance Manager
Relationships
Main Description

Context

Tool mentors explain how a tool can perform tasks, which are part of ITUP processes and activities. The tasks are listed as Related Elements in the Relationships section.


Details

IBM® Tivoli® Security Compliance Manager is designed to help organizations analyze exposures and risks in their IT environment. Through an extensible data collection mechanism, policy and client management functionality, and extensive reporting capabilities, Tivoli Security Compliance Manager gives organizations the ability to assess the overall compliance of IT systems against defined corporate security policies. This ability to quickly assess corporate systems provides data and insight into the existing exposures and risks of those systems and a basis for formulating mitigation plans.

Tivoli Security Compliance Manager policy objects provide strong support for identifying IT security exposures and risks. The policy objects are a flexible mechanism for defining corporate security standards, compliance targets, and rules for IT assets, and Tivoli Security Compliance Manager uses its server-client architecture to allow rapid deployment of policy objects and security assessment of corporate assets. The ability to quickly deploy security policies and gather assessment data allows organizations to perform security exposure and risk analysis on a continual basis without a large commitment of resources, which in turn leaves more time for planning the necessary mitigation actions and allocating resources to work that improves the overall security of IT assets.

Much like policies, the server-client architecture of Tivoli Security Compliance Manager also enhances its ability to quickly assess corporate systems. In particular, the ability to logically group clients makes it easy to manage and maintain the security policies applied to different groups of assets. This feature also allows users to partition corporate assets so that different levels of security requirements can be applied, and so that prioritization, ownership, or task distribution of security assessment and mitigation becomes possible.

While Tivoli Security Compliance Manager policies and the server-client architecture give users the ability to quickly gather vulnerability data on corporate systems, the collector design is the component that provides the breadth of that data. Tivoli Security Compliance Manager collectors are self-contained, easy-to-develop, 100% Java™ components that gather a specific set of data on a client. They are stored, maintained, and managed centrally on the Tivoli Security Compliance Manager server and, like policies, can be easily updated and deployed to Tivoli Security Compliance Manager clients. Working in conjunction with policies and compliance objects, they gather the security information of interest and make it possible to produce security assessments across a broad and extensible range of security targets.

The reporting capability of Tivoli Security Compliance Manager rounds out the vulnerability identification and mitigation function. The ability to generate snapshots of client security compliance information with respect to the applied security policies gives users a continually updated view of the current vulnerabilities on corporate assets. The generation of these reports can be automated using user-defined schedules, further automating and simplifying the vulnerability assessment process. With the use of Crystal Enterprise Server, additional graphical operational reports are available that provide a more visual and easily consumable view of existing security issues.

An approach to using Tivoli Security Compliance Manager for IT security exposure and risk analysis is outlined here. Aspects of this approach are most likely already part of the vulnerability identification processes of most organizations; it is provided as an example of how Tivoli Security Compliance Manager can be used to identify IT exposures and risks. Instructions on how to interact with and use Tivoli Security Compliance Manager objects to achieve this result can be found in the Tivoli Security Compliance Manager Administration Guide.

  • Register corporate clients and create the appropriate client groups. Some common methods for logically associating clients are by operating system, by owning department, by region, or by asset classification (whether it is a critical system, whether it is a public system, and so on).
  • Define corporate security policies with Tivoli Security Compliance Manager that provide and guarantee the required standard of security on these assets. For example, a Windows XP® policy that requires systems running Windows XP to have service pack 1 installed; certain OS-level hotfixes installed; an antivirus application installed, running, and scanning on a weekly schedule; and a running software firewall with the appropriate network rule set.
  • Assign these policies to the appropriate Tivoli Security Compliance Manager client groups, where they can be set up to gather security compliance assessment data on a regular basis.
  • Update and deploy Tivoli Security Compliance Manager policies, collectors, and compliance objects as new vulnerabilities and additional security checks are required on the corporate assets. IGS provides a newly announced Vulnerability Index (http://www-1.ibm.com/services/us/index.wss/so/bcrs/a1008776) from which daily vulnerability updates can be added to a corporate Tivoli Security Compliance Manager security and compliance deployment.
  • Develop additional collectors and deploy them into the IT environment using temporary policies and client groups to collect sample data that is not necessarily directly related to corporate security policies. For example, develop a collector to count system access attempts and deploy it for a finite amount of time on critical servers to see when they might be vulnerable to increased network load, or even to detect irregular access patterns. If appropriate, add these collectors to the corporate security policy.
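The following is an added illustration, not Tivoli Security Compliance Manager code, of the policy model the steps above describe: collector output per client is evaluated against the Windows XP policy rules, and the results are reported per client group. The client snapshots, hotfix names, rule names, and group names are all constructed for the example and do not mirror the product's real collector schema or policy format.

```python
# Constructed snapshots standing in for what collectors would return per registered client.
# Field names and hotfix identifiers are made up for this example.
CLIENTS = {
    "xp-finance-01": {"group": "finance-critical", "os": "Windows XP", "service_pack": 1,
                      "hotfixes": {"HOTFIX-A", "HOTFIX-B"}, "av_installed": True,
                      "av_running": True, "av_scan_interval_days": 7,
                      "firewall_running": True, "firewall_rules": {"block-inbound-default"}},
    "xp-sales-07": {"group": "sales-standard", "os": "Windows XP", "service_pack": 1,
                    "hotfixes": {"HOTFIX-A"}, "av_installed": True, "av_running": True,
                    "av_scan_interval_days": 30, "firewall_running": True, "firewall_rules": set()},
    "aix-db-02": {"group": "finance-critical", "os": "AIX"},  # out of scope for the XP policy
}

REQUIRED_HOTFIXES = {"HOTFIX-A", "HOTFIX-B"}

# The Windows XP policy from the text as (rule name, predicate over one client snapshot).
XP_POLICY = [
    ("service pack 1 installed", lambda s: s["service_pack"] >= 1),
    ("required hotfixes installed", lambda s: REQUIRED_HOTFIXES <= s["hotfixes"]),
    ("antivirus installed and running", lambda s: s["av_installed"] and s["av_running"]),
    ("antivirus weekly scan", lambda s: s["av_scan_interval_days"] <= 7),
    ("firewall running with rule set",
     lambda s: s["firewall_running"] and "block-inbound-default" in s["firewall_rules"]),
]


def evaluate(policy, snapshot):
    """Return the names of the policy rules this client snapshot fails."""
    return [name for name, check in policy if not check(snapshot)]


def compliance_report(clients, policy, applies_to_os="Windows XP"):
    """Snapshot report keyed by client group: {group: {client: [failed rules]}}.

    Only clients whose OS matches the policy scope are assessed; other assets
    in the same group are skipped rather than reported as non-compliant.
    """
    report = {}
    for client, snap in clients.items():
        if snap["os"] != applies_to_os:
            continue
        report.setdefault(snap["group"], {})[client] = evaluate(policy, snap)
    return report


def group_compliance_rate(report, group):
    """Fraction of assessed clients in the group with no failed rules."""
    results = report[group]
    return sum(1 for failed in results.values() if not failed) / len(results)
```

Running `compliance_report(CLIENTS, XP_POLICY)` lists the missing hotfix, the monthly scan interval, and the empty firewall rule set for the sales client while the finance client passes, which is the per-group view a scheduled snapshot report would give the mitigation owners.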
