The security compliance process for desktops and mobile clients can be simplified to look like this:

1. Apply security policy.

The first step in setting up a health check process is to make sure that the security control settings required by the enterprise security policy are the ones that get audited.

2. Check control settings and compare to security policy.

With the NAC in place, the health check audit is automated and takes place every time the client connects to the network. This approach is very efficient in terms of protecting the network. However, additional security measures may be required to protect the clients themselves (and the information they may contain) while they are operating outside the corporate network, where no NAC check takes place.

3. Address deviations.

The system owner has to be informed about the findings of the health check process. Usually a list of deviations is presented to the user in a pop-up window, and the noncompliant workstation is refused access to the corporate intranet.

4. Correct settings.

Because client configuration is standardized and governed by a separate policy, the corrective changes do not need to be tested on every client. All requested changes should be applied as soon as possible, either manually according to designated instructions or in an automated way.

5. Report compliance status.

The audit team creates security compliance status reports for management and external audit purposes on a regular basis. These reports document the number of noncompliant findings, the progress of new policy deployments, and similar metrics.
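The five steps above, worked through as one small health check engine. This is an added example, not code from the Redbook or from the IBM Tivoli or Cisco products it describes: the policy rules, thresholds, severities, and client settings are all hypothetical and constructed for illustration. It audits what a client reports against the policy (step 2), builds the deviation list that would be shown to the workstation owner and decides whether the client is admitted (step 3), and aggregates the numbers a compliance status report would carry (step 5). One practitioner detail it makes explicit: a control the client does not report at all is treated as a deviation, so the check fails closed instead of admitting a host that merely omitted a setting.

```python
"""NAC-style health check (added example): audit a client's reported control
settings against a security policy, list deviations for the user, decide whether
the client is admitted, and aggregate a compliance report across clients."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    control: str                   # name of the audited control setting
    check: Callable[[Any], bool]   # predicate the reported value must satisfy
    expected: str                  # required state, as shown to the user
    severity: str                  # "high" blocks network access, "low" is reported only


@dataclass(frozen=True)
class Deviation:
    control: str
    expected: str
    observed: Any
    severity: str

    def message(self) -> str:
        """One line of the deviation list shown to the workstation owner."""
        return f"[{self.severity}] {self.control}: expected {self.expected}, found {self.observed!r}"


# Hypothetical policy: controls and thresholds are illustrative, not from the original.
POLICY = [
    Rule("firewall_enabled", lambda v: v is True, "enabled", "high"),
    Rule("av_signature_age_days", lambda v: isinstance(v, int) and 0 <= v <= 7, "at most 7 days old", "high"),
    Rule("missing_critical_patches", lambda v: isinstance(v, int) and v == 0, "none missing", "high"),
    Rule("screen_lock_minutes", lambda v: isinstance(v, int) and 1 <= v <= 15, "lock within 15 minutes", "low"),
]

_MISSING = object()  # sentinel: the client did not report this control at all


def audit(client: dict[str, Any], policy: list[Rule] = POLICY) -> list[Deviation]:
    """Step 2: compare the client's reported settings to the policy.

    A control the client does not report is a deviation: the check fails closed
    rather than admitting a host that simply omitted the setting.
    """
    deviations = []
    for rule in policy:
        observed = client.get(rule.control, _MISSING)
        if observed is _MISSING or not rule.check(observed):
            shown = "not reported" if observed is _MISSING else observed
            deviations.append(Deviation(rule.control, rule.expected, shown, rule.severity))
    return deviations


def access_decision(deviations: list[Deviation]) -> str:
    """Step 3: any high-severity deviation keeps the client off the intranet."""
    return "quarantine" if any(d.severity == "high" for d in deviations) else "allow"


def compliance_report(clients: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Step 5: the figures a compliance status report for management would carry."""
    results = {name: audit(settings) for name, settings in clients.items()}
    return {
        "clients_checked": len(results),
        "compliant": sum(1 for devs in results.values() if not devs),
        "quarantined": sum(1 for devs in results.values() if access_decision(devs) == "quarantine"),
        "deviations_by_control": dict(Counter(d.control for devs in results.values() for d in devs)),
    }


# Constructed sample of what four clients might report at connect time (not real data).
CLIENTS = {
    "ws-001": {"firewall_enabled": True, "av_signature_age_days": 2, "missing_critical_patches": 0, "screen_lock_minutes": 10},
    "ws-002": {"firewall_enabled": False, "av_signature_age_days": 2, "missing_critical_patches": 0, "screen_lock_minutes": 10},
    "ws-003": {"firewall_enabled": True, "av_signature_age_days": 3, "missing_critical_patches": 0, "screen_lock_minutes": 30},
    "ws-004": {"firewall_enabled": True, "av_signature_age_days": 12},
}

if __name__ == "__main__":
    for name, settings in CLIENTS.items():
        devs = audit(settings)
        print(f"{name}: {access_decision(devs)}")
        for d in devs:
            print("   ", d.message())
    print(compliance_report(CLIENTS))
```

Running the block shows ws-001 admitted with no findings, ws-002 quarantined for its disabled firewall, ws-003 admitted but reported for its 30-minute screen lock (low severity only), and ws-004 quarantined for stale signatures plus two controls it never reported. Severity is what separates "refuse access" from "report and correct later"; without it every low-risk setting would lock users out, and operators would soon disable the check.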

2.3.2 Security policy life cycle management

In any organization, Information Technology resources are critical business assets that must be protected from unauthorized users while preserving their confidentiality, integrity, and availability. Organizations must keep their IT security policies current and assess compliance against them regularly. Conducting regular security education sessions for employees is also good practice.

The most important aspects of a security policy are identifying threats, assessing the risk associated with each of them, providing the means to protect critical data, and maintaining integrity and confidentiality without compromise. Security policy creation is an ongoing process: every policy requires regular review and amendment to keep it aligned with the organization's business model. If for some

30 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
