The Challenge
Here are two reasons why an IT department will strive for compliance:-
- More Visibility - Any organisation's success in troubleshooting IT issues, finding the root cause of security events and/or planning effectively can be directly correlated to the level of visibility it has into its IT infrastructure.
- More Business - More and more business, from tenders and other competitive sales opportunities, depends on organisations holding a growing range of compliance certifications and accreditations simply to qualify to bid.
Whatever the reasons, compliance with regulatory standards, best-practice frameworks, service level agreements and/or internal policies is fast becoming a very big part of everyday operations for IT teams.
Many organisations face an even bigger challenge because they need to demonstrate compliance with more than one policy. For example, an organisation may need ISO27001 because it deals with public sector business and also PCI-DSS because it handles credit card payments. Add SLAs and internal audits to this and compliance tracking can quickly become a full-time role for more than one person.

All of the main regulatory standards and policies published today have one thing in common: they are "Controls-based". This means that the standards body that created the policy has defined a series of Controls or Requirements that organisations and departments have to prove they comply with. Controls can cover a vast range of requirements, from creating and maintaining documented policies to ensuring that all passwords have a minimum length. All Controls, however, can be categorised into one of the following two types:-
- Technical Controls - These controls are very specific technical requirements that can be automatically audited with the right technology. For example, the minimum password length setting for all local and domain Windows users is something that can be collected from each host and checked against the required value by technology.
- Logical Controls - These controls cannot be audited by technology. They require an attestation of compliance from somebody authorised to give it and, in most cases, documentary evidence. For example, both ISO27001 and PCI-DSS require an organisation to have an Information Security Policy document. This is not something that technology can automatically audit: a senior manager must attest to the document's existence and then produce a copy of the document as evidence.
The number of monitoring systems that claim to be able to "make you compliant" is truly staggering, but the reality is that a monitoring system will only address the Technical Controls and each system, depending on the data types it gathers, will only address some of those. For this reason, multiple monitoring systems need to be installed to collect all of the data types required. The monitoring systems required include, but are not limited to, the following:-
- Availability & Network Discovery
- Log Management/SIEM
- Configuration Auditing/Management
- Asset Auditing/Management
- Flow Analysis
- Vulnerability Analysis
The process of internally evaluating compliance with a particular policy is complex: the person responsible must request, collect, organise and score hundreds of pieces of information from multiple departments. When tracking compliance with multiple policies the complexity increases significantly. Even though there is a very high degree of overlap between most policies, the controls are worded so differently that the similarities are often overlooked.
The Solution
Pervade Software have created an industry first: our platform combines the ability to gather data for Technical Controls (ALL Technical Controls!) with a user-friendly, portal-based interface for gathering information from individuals for Logical Controls, such as answers to questions, documentary evidence and attestations of compliance. That's not all, however; it can do so much more...
Compliance Tracker
The Compliance Tracker component of the Pervade platform, which contains all of the main compliance-related functionality, is a very easy-to-use, portal-based solution that allows compliance policies to be broken down into more easily manageable questions and tasks.
The reason the system breaks policies down in this way is that compliance policies are incredibly detailed and complex, and the language used in compliance controls is so obscure that it is very difficult to grasp exactly what is required.
For example, this is the very first control that you come across within ISO27001:-

In order to make sense of this Control, it is easier to break it down into a series of simple questions, such as:-
- Does an Information Security Policy document exist?
- Has the Policy Document been approved by Management?
- Has the Information Security Policy Document been Published?
- Has the existence of the Policy been communicated to all employees?
- Is there a definitive list of entities, organisations and individuals who are considered to be relevant external parties?
- Has the existence of the Policy been communicated to all relevant external parties?
As you can see, when broken down in this way, this single control statement actually represents six individual questions. Each question is very easy to answer and, more importantly, what is needed to become compliant, and to demonstrate that compliance to an auditor, becomes much more obvious.
The Compliance Tracker allows Compliance Managers to break down compliance policies into more easily managed questions and tasks in exactly the same way. Alternatively, it is possible to use Policy Templates that have already been broken down in this way by Pervade specialists, such as PCI-DSS, ISO27001 and CESG. Once the controls have been broken down, the Compliance Tracker allows users to re-arrange the questions and tasks into an order that better suits them, their organisation and their environment. It is also possible to delegate questions and tasks to other users and contributors within the organisation and to create complex workflows of contribution, validation and sign-off.

All contributors can log into the Pervade User Interface and see only the policies, questions and tasks that have been assigned to them. The easy-to-use UI guides them through answering their logical questions, with a simple Green-Amber-Red dashboard to show their progress.
As the contributors answer their questions they may also upload documentary evidence into the secure, tamper-proof, built-in document store. In fact the system will demand evidence wherever an auditor will require it, and the uploads are linked to the overall compliance score: a "Yes" with no evidence attached does not count as fully compliant.
For logical questions, users are not only able to record their attestation and upload evidence, they can also use the built-in workflow to collaborate with colleagues and managers, declare compensating controls, track the costs associated with the actions required to become compliant and track the risks associated with remaining non-compliant. Data from all of these areas can be easily summarised and displayed.
For technical questions the Compliance Tracker is able to automatically audit the data collected by the Data Collector component of the Pervade platform and associate the data collected with the appropriate Control or Requirement. This data can also be easily summarised and displayed.
Perhaps the most impressive aspect of the Compliance Tracker is that it leverages a unique Unified Control Framework to monitor compliance with multiple policies simultaneously. The system automatically correlates the answers from every compliance policy with all other policies being tracked and binds the answers given to all corresponding questions and tasks across those policies. For example, the Control we used earlier is A.5.1 in ISO27001. It is very similar to Requirement 12.1 of PCI-DSS, which asks the same question: "Is there an Information Security Policy document?". Therefore, if a user answers "Yes" to the questions under ISO27001 A.5.1, the system automatically updates the compliance score of PCI-DSS Requirement 12.1. In this way, compliance-related questions and tasks only ever need to be addressed once, even if the same requirements appear in many policies.
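The two ideas above, a technical control audited from collected data (the minimum password length example under Technical Controls) and a shared question bank that lets one answer score the matching controls in several policies, can be shown in a few dozen lines. The following is an added example written for this page; it is not Pervade's code and does not describe how their Unified Control Framework is implemented. The question identifiers, the "Internal" policy and its control PWD-01, the Green-Amber-Red thresholds and the one-line-per-host collector output format are all hypothetical; only ISO27001 A.5.1 and PCI-DSS 12.1 come from the text above.

```python
"""Added example (not Pervade's code): a minimal unified control framework.

Controls from several policies point at one shared bank of questions, so a
question answered once scores every control that references it.  Technical
questions are answered from collected data (a constructed password-policy
dump); logical questions from an attestation plus uploaded evidence.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Question:
    qid: str
    text: str
    evidence_required: bool = False   # an auditor will want a document, not just a "Yes"
    technical: bool = False           # answered from collected data, not by attestation


@dataclass
class Answer:
    value: bool                                   # the attestation, or the audit result
    evidence: list = field(default_factory=list)  # uploaded document names, or audit detail


# Hypothetical question bank; the first six follow the A.5.1 breakdown on the page.
QUESTIONS = {q.qid: q for q in [
    Question("Q-ISP-EXISTS", "Does an Information Security Policy document exist?", evidence_required=True),
    Question("Q-ISP-APPROVED", "Has the policy been approved by management?", evidence_required=True),
    Question("Q-ISP-PUBLISHED", "Has the policy been published?"),
    Question("Q-ISP-STAFF", "Has the policy been communicated to all employees?"),
    Question("Q-EXT-LIST", "Is there a definitive list of relevant external parties?"),
    Question("Q-ISP-EXT", "Has the policy been communicated to all relevant external parties?"),
    Question("Q-PWD-MINLEN", "Is the minimum password length at least 8 on every audited host?", technical=True),
]}

# Each control lists the shared questions it needs.  The A.5.1 / 12.1 overlap is the
# one the page describes; the "Internal" policy and PWD-01 are hypothetical.
POLICIES = {
    "ISO27001": {"A.5.1": ["Q-ISP-EXISTS", "Q-ISP-APPROVED", "Q-ISP-PUBLISHED",
                           "Q-ISP-STAFF", "Q-EXT-LIST", "Q-ISP-EXT"]},
    "PCI-DSS": {"12.1": ["Q-ISP-EXISTS", "Q-ISP-APPROVED", "Q-ISP-PUBLISHED", "Q-ISP-STAFF"]},
    "Internal": {"PWD-01": ["Q-PWD-MINLEN"]},
}

# Constructed collector output, one record per host (not the platform's real format).
COLLECTED = """\
host=dc01 minimum_password_length=12
host=fs01 minimum_password_length=6
host=web01 minimum_password_length=14
"""
LINE_RE = re.compile(r"^host=(\S+)\s+minimum_password_length=(\d+)$")


def audit_min_password_length(dump: str, minimum: int = 8) -> Answer:
    """Technical control: every audited host must enforce at least `minimum` characters.
    Unparseable records count as failures, and an empty collection never scores green."""
    failing, seen = [], 0
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        seen += 1
        m = LINE_RE.match(line)
        if not m or int(m.group(2)) < minimum:
            failing.append(m.group(1) if m else line)
    if seen == 0:
        return Answer(False, ["no data collected"])
    return Answer(value=not failing, evidence=failing)   # failing hosts kept as audit detail


def question_status(q: Question, a: Optional[Answer]) -> str:
    """Green-Amber-Red for one question."""
    if a is None or not a.value:
        return "red"
    if q.evidence_required and not a.evidence:
        return "amber"   # attested but nothing uploaded: an auditor will not accept it
    return "green"


def score_control(qids, answers) -> tuple:
    """Percentage of green questions plus the worst status among them."""
    statuses = [question_status(QUESTIONS[q], answers.get(q)) for q in qids]
    score = round(100 * statuses.count("green") / len(statuses), 1)
    status = "red" if "red" in statuses else "amber" if "amber" in statuses else "green"
    return score, status


def score_all(answers) -> dict:
    """Score every control of every policy from the single shared answer set."""
    return {p: {c: score_control(qids, answers) for c, qids in controls.items()}
            for p, controls in POLICIES.items()}


def open_questions(answers) -> list:
    """Outstanding work across all policies, each question listed once."""
    needed = {q for controls in POLICIES.values() for qids in controls.values() for q in qids}
    return sorted(q for q in needed if question_status(QUESTIONS[q], answers.get(q)) != "green")


def demo():
    answers = {
        "Q-ISP-EXISTS": Answer(True, ["infosec-policy-v2.pdf"]),
        "Q-ISP-APPROVED": Answer(True),        # attested, no minutes uploaded -> amber
        "Q-ISP-PUBLISHED": Answer(True),
        "Q-ISP-STAFF": Answer(True),
        "Q-EXT-LIST": Answer(False),
        # Q-ISP-EXT left unanswered
        "Q-PWD-MINLEN": audit_min_password_length(COLLECTED),
    }
    return score_all(answers), open_questions(answers)


if __name__ == "__main__":
    scores, todo = demo()
    for policy, controls in scores.items():
        for control, (score, status) in controls.items():
            print(f"{policy:9} {control:6} {score:5.1f}% {status}")
    print("still to do:", todo)
```

Two points the code makes explicit: the four questions that PCI-DSS 12.1 shares with ISO27001 A.5.1 are scored from the same answers, so the PCI control is 75% amber purely from work done under the ISO control, and a collector that returns no records for a technical question is a failure, not a pass, which is the mistake to avoid when a query silently hits nothing.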
Data Collector
The Data Collector is a very small, lightweight application which can be installed as software, as a pre-configured virtual appliance or as a physical appliance. Setup requires just three input fields to be completed and, once installed, the Data Collector is 100% controlled and updated by the Central Controller, vastly reducing the management overhead you will see in some traditional systems.
Pervade take a completely different approach to traditional systems. In the spirit of Pervasive Monitoring, the Pervade Data Collector lets administrators use an easy-to-use wizard within the User Interface (UI) to set up their own queries, instead of being limited to the queries that a developer pre-configured into the system. Queries can be of various types. Here is just a sample of the query types available within the Pervade platform:-
- SNMP
- SSH
- Telnet
- WMI
- MS-SQL
- MySQL
- Oracle
- Windows File Share
- FTP
- Web
- VMware & XenServer Hypervisor
- Nmap
- Flow data
Having a system that lets you create your own queries, rather than one where the developers decided what queries you should have, means that you can create exactly the right queries to gather the very targeted and specific information required by whatever policies and frameworks you want to comply with, and no more. The Pervade Data Collector can be configured to run ALL of the queries you need and ONLY the queries you need.
Data Collectors can also be installed at other locations. This means that you can gather compliance-related data from other offices, business units or subsidiaries anywhere in the world and have that data sent securely back to your Compliance Tracker. The Data Collector can do all of this without needing to install any agents, probes or robots on any of the endpoint devices. In addition, all of this data can be collected from remote sites without the need for any NAT rules on firewalls, dedicated VPNs or opening any inbound ports on remote-site gateway appliances. Note that agentless collection over SSH, WMI and the database protocols listed above means the Data Collector holds credentials for every device it queries, so the collector itself needs to be treated as a sensitive host and the accounts it uses given only the read access the queries require.

All remote Data Collectors require only one thing to connect: an outbound connection to the Central Controller on port 80 over HTTP. All traffic between the Pervade components is compressed and encrypted with 256-bit keys, and Pervade route it over port 80 because that is one port almost every remote site already allows out, either to the internet or to the data centre. Because the transport is plain HTTP rather than TLS, the confidentiality and integrity of that traffic rest entirely on the application-layer encryption, so any transparent proxy that inspects or rewrites port 80 traffic must pass it through untouched, and the Central Controller, which every collector connects to, should only be reachable from the sites you expect.
As you can see, the Pervade Software Data Collector is far more powerful than the collection elements of any other system on the market and yet, at the same time, it is the simplest methodology available, saving you time, effort and money whilst giving you the perfect tool for gathering ALL of your compliance-related data using a single system.
The Compliance Tracker and Data Collector components of the Pervade platform work together to collect all of the data required for the Technical and Logical Controls of a compliance policy. Once that data is collected, dashboards and reports can be produced to demonstrate compliance status and progress to contributors, managers and of course, the Auditor, using the System Analyzer.
System Analyzer
The System Analyzer is built on a unique, object-persistent database that allows all data types, whether they are 1,000-line configuration dumps or individual properties of performance data, to be correlated, aggregated and stored securely for an unlimited period of time.
Once data from the Pervade Data Collector enters the System Analyzer it is normalised using a unique parsing engine that never drops ANY data (retaining every record is a key requirement of almost all compliance policies, and one that no other system can guarantee). Out of the box, the System Analyzer supports ALL forms of data from ALL devices, so no device is unsupported (and there is no need for a Compatibility List). The unique database allows data to be stored as objects which, in turn, allows the System Analyzer to be one of the fastest and most scalable systems in the world.
All data is automatically aggregated to provide extremely fast reporting, even when data is collected and stored over very long periods of time. This aggregation process helps to reduce the disk space required by up to 60:1 over traditional monitoring systems, a real cost saver for large organisations whose data loads can become very large very quickly.
Although all data is aggregated for reporting purposes, the raw, un-aggregated data can also be retained by the system to meet regulatory requirements and to be used by the System Analyzer's built-in forensics engine. The Forensic Search facility can be made available to users at all levels and can search all source data at more than 20,000 records per second, making it one of the fastest forensic functions on the market.
Administrators of the Pervade platform may use the System Analyzer's easy-to-use wizards to build a completely customised User Interface (UI) for users. With the Role Based Access Control (RBAC) provided by the system it is even possible to create a separate User Interface for each and every user, as well as to restrict which devices, data types, charts and dashboards each user has access to.

The same wizards let administrators create, remove and edit charts, tables and diagrams based on any of the data collected by the Data Collector, and add any of these charts to dashboards displayed on tabs within the system that they also create. By being able to create, edit and remove every single chart, dashboard and tab within the UI, administrators can build their own monitoring system that displays their data exactly the way they would like to see it.
As you can see, the Pervade Software System Analyzer is by far the most powerful correlation and aggregation engine available today and yet, at the same time, it can be configured to correlate and report on ALL of your compliance-related data, Technical and/or Logical, through a single customisable portal.
Summary
The Pervade platform is the only system available today that allows organisations to track compliance with both Technical and Logical controls. It comes with an integrated tamper-proof document store and the ability to collect technical data directly from devices on the network.
The Compliance Tracker component of the Pervade platform is an easy-to-use, flexible and secure repository for all compliance data, whether it is personal attestations of compliance, documentation uploaded directly into the system or technical data collected by the Data Collector component of the Pervade platform. All of this data is automatically audited against every policy being tracked, using the unique Unified Control Framework to map data between policies.
The System Analyzer component allows compliance managers to produce reporting, and graphical user interfaces, for every contributor, from operational staff to board directors. The advanced analytics and correlation engine provides the most flexible and comprehensive tools to report on every compliance metric as well as to isolate the root cause of compliance issues much more quickly.
For further information or to find a partner please contact our team.