Automated systems can regularly query systems to verify compliance. For example, the security policy may dictate that specific protocols be removed or specific services be disabled. For instance, the policy may require password-protected screen savers. An automated system can query the systems to determine if these settings are enabled and match the gold master.

Many automated tools include scheduling abilities. You can schedule the tool to run on a regular basis. Advanced tools can also reconfigure systems that aren’t in compliance. All you have to do is review the resulting report to verify systems are in compliance. For example, assume your company has 100 computers. You could schedule the tool to run every Saturday night. It would query each of the systems to determine their configuration and verify compliance. When the scans are complete, the tool would provide a report showing all of the systems that are out of compliance, including the specific issues. If your organization is very large, you could configure the scans to run on different computers every night.

Microsoft provides several automated tools you can use to manage Microsoft products. Although Microsoft isn’t the only tool developer to choose from, it does have a large installed base of computers in organizations. It’s worthwhile knowing which tools are available. These include:

• Systems Management Server (SMS)—This is an older server product but is still used in many organizations. It combines and improves the capabilities of several other products. It can query systems for vulnerabilities using standard methods. It can deploy updates. It adds capabilities to these tasks, such as the ability to schedule the deployment of updates and the ability to push out software applications.
• System Center Configuration Manager (SCCM)—SCCM is an upgrade to SMS. It can do everything that SMS can do and provides several enhancements. SCCM can deploy entire operating system images to clients.

In addition to the Microsoft products, there is a wide assortment of other automated tools. These can run on other operating systems and scan both Microsoft and other operating systems such as UNIX and UNIX derivatives. Many scanner types and versions are available. The following are several that are on the market today:

• Nessus—Nessus is considered by many to be the best vulnerability scanner. Nessus was being used by more than 75,000 organizations worldwide before it switched from a free product to one you had to purchase in 2008. For several years there was a free personal edition, but no more. However, it is considered by many to be well worth the cost.
• Nmap—Nmap is a network scanner that can identify hosts on a network and determine services running on the hosts. It uses a ping scanner to identify active hosts. It uses a port scanner to identify open ports and likely protocols running on these ports. It is also able to determine the operating system.
• eEye Digital Security Retina—Retina is a suite of vulnerability management tools. It can assess multiple operating systems such as Microsoft, Linux, and other UNIX distributions. It also includes patch deployment and verification capabilities.
• Security Administrators Integrated Network Tool (SAINT)—SAINT provides vulnerability assessments by scanning systems for known vulnerabilities. It can perform penetration testing that attempts to exploit vulnerabilities. SAINT runs on a UNIX/Linux platform, but it can test any system that has an Internet Protocol (IP) address. It also provides reports indicating how to resolve the detected problems.
• Symantec Altiris—Altiris includes a full suite of products. It can manage and monitor multiple operating systems. This includes monitoring systems for security issues and deployed patches.
• OpenVAS—This is a widely used vulnerability scanner. It will also check for missing patches and updates.

It’s also possible to use logon scripts to check for a few key settings. For example, a script can check to see if antimalware software is installed and up to date, or if the system has current patches. The script runs each time a user logs on.

Some organizations quarantine systems that are out of compliance. In other words, if a scan or a script shows the system is not in compliance, a script modifies settings to restrict the computer’s access on the network. The user must contact an administrator to return the system to normal.

You can also perform random audits to determine compliance. This is often useful when IT tasks have been delegated to different elements in the organization. For example, a large organization could have a decentralized IT model. A central IT department manages some core services such as network access and email, and individual departments manage their own IT services. The organization still has an overall security policy; however, the individual departments are responsible for implementing them. In this case, the central IT department could randomly audit the departments to ensure compliance. Some larger organizations employ specialized security teams. These teams have a wide variety of responsibilities in the organization such as incident response and boundary protection. They could also regularly scan systems in the network and randomly target specific department resources.

It’s important to realize the goal of these scans. It isn’t to point fingers at individual departments for noncompliance. Instead, it’s to help the organization raise its overall security posture. Of course, when departments realize their systems could be scanned at any time, this provides increased motivation to ensure the systems are in compliance.

Many organizations use a report card format to evaluate policy compliance. These report cards can be generated from multiple sources such as a quality assurance program. Organizations can create their own grading criteria; just as in school, a grade of A is excellent whereas a grade of F is failing. The included criteria depend on the organization’s requirements. For example, the following elements can be included in the calculation of the grade:

• Patch compliance—This compares the number of patches that should be applied versus the number of patches that are applied. A time period should be considered. Patches that close major vulnerabilities might be considered critical and must be applied sooner. For example, the organization could state a goal of having 100 percent of critical patches deployed within seven days of their release. The only exception would be if testing of a patch verified that the patch caused problems.
• Security settings—The baseline sets multiple security settings. These should all stay in place. However, if an audit or scan shows that the settings are different, it represents a conflict. Each security setting that is not in compliance is assigned a value. For example, every setting that is different from the baseline could represent a score of 5 percent. If scans detect three differences, the score could be 85 percent (100 percent minus 15 percent).
• Number of unauthorized changes—Most organizations have formal change control processes. When these are not followed, or they do not exist, changes frequently cause problems. These problems may be minor problems affecting a single system or major problems affecting multiple systems or the entire network. Every unauthorized change would represent something less than 100 percent; for example, 15 unauthorized changes within a month could represent a score of 85 percent, or a grade of B in this category.

Once you identify the rules or standards, you could use a spreadsheet to calculate the grades. An administrator could pull the numbers from the scans and enter them into the spreadsheet monthly. You could use individual grade reports for each department that manages IT resources and combine them into a single grade report for the entire organization.