1. Field of the Invention
The invention relates generally to systems and methods of verifying and monitoring security controls for a plurality of managed computers.
2. Background Information
Computer system security controls are particularly important in computer systems used in businesses in light of the heightened risk of damage to or compromise of the respective computers and/or the data stored thereon from intruders to the system. The damage may incapacitate individual computers, corrupt or release data stored thereon and/or compromise the company and/or individuals, both inside or outside of the company, that supplied or produced the data. The intruders may be viruses, malicious or non-malicious hackers, and so forth. While computer operating systems generally have certain built-in security control features, the features may be overridden, ignored or turned off.
The United States government has published recommended security controls for information systems. See, NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems” and FIPS Publication 199, “Standards For Security Categorization of Federal Information and Information Systems” published by the U.S. National Institute of Standards and Technology. In addition, an overall system or group administrator may devise more or less stringent security controls for individual computers or groups of computers, depending in part on what type of data are stored on or manipulated by the respective computers.
To ensure that the organization as a whole, and also its respective groups, are operating in a manner that complies with the applicable federal and/or system administration security control requirements, the respective computers must be individually checked. Thus, the security control settings of the individual computers must be compared to applicable security benchmarks, to determine if the settings are in compliance. Further, to ensure continuing compliance, the security control settings of the respective computers should be individually re-checked against the applicable security control requirements on a regular basis.
The task of determining if the appropriate security controls are in place on the respective computers is not only time consuming but complex, particularly when the security control requirements may vary by group and computers may at any time be added to various groups or re-assigned among the different groups. The task of ensuring that the security controls are in place is made even more difficult by users who, at various times, modify the operations of their respective computers by installing applications and in doing so change, for example, security control settings for the file system, services, user accounts, and so forth. In addition, changes to the computers, such as installing operating system service packs, are problematic to security control verification since different benchmarks may apply. Further, the operations of a given group may change, such that different types of data are stored on or utilized by the member computers, and thus, different security control requirements should be used by the computers in future security verification operations.
Accordingly, there is a need to associate the appropriate collection of desired security control settings or benchmarks with the respective groups and verify compliance of the individual member computers with the appropriate security control benchmarks. Further, there is a need for continuous monitoring of the compliance of the individual computers, to ensure that changes to the group memberships and/or to individual computers do not result in a failure to meet the applicable security control benchmarks.
The inventive security control verification and monitoring subsystem described herein operates in a managed computer system in which clients at the respective computers, or administrators and scripts using a clientless profiling application, send to a server computer profiles that include computer configuration data, such as data that identifies the computer hardware and software. The profile may also include other information, such as, for example, associated software license information, performance data, and other user specified data. The server includes the profile data in a computer information database and manages the data according to a tree-structured grouping of the computers. The tree structure, which is designated by the system administrator, may, for example, follow the organizational chart of a company, with the top level node, or group, corresponding to the company and lower level nodes, or groups, corresponding to the various branch offices, and so forth. As an example, the computers may be grouped according to their IP subnets that correspond to company branch offices.
The server manipulates the profile data to produce reports that summarize the attributes of the computers at every group level, with reports for a given group including the profile data for all computers in the sub-tree that has the group as its root. One such computer information database management system is the BelManage system (version 6) produced by Belarc, Inc., of Maynard, Mass., which is the Assignee of the current invention.