Open-source compliance
Making sure a network is secure also means complying with various regulations such as the Payment Card Industry data security standard, the Sarbanes-Oxley Act, and the Gramm-Leach-Bliley Act to protect consumers' financial information.
There are many reliable open source tools to comply with these regulations, although it can be hard to convince auditors that these programs are credible, said Jeremiah Cruit-Salzberg, a security architect for Fair Isaac.
"A lot of times, auditors don't like open source [because] it's a free thing, something you download," said Cruit-Salzberg in a session titled "Using open source tools for regulatory compliance and how to make your auditors accept it."
Documentation is critical, he noted. "Everything needs to be documented. If you don't document things, you will run into trouble, especially with open source."
The most valuable open source tool for compliance is Open Office, because it offers great ways to organize documents, Cruit-Salzberg said.
To convince an auditor that your open source tool is reliable, you should make sure it has a good commercial support system behind it, he said. If your open source tool can effectively keep track of data, but an auditor is still skeptical, it might be time to hire a new auditor.
"If they are not going to work with you, it is vital for you to go find another auditing company. Because to change everything you're doing costs you a lot more money and a lot more grief," Cruit-Salzberg said.
Collecting system logs is another vital part of compliance, and this task can be handled by open source tools such as SNARE and Zenoss, Cruit-Salzberg said. Some open source tools are not organized well and should be avoided, but overall open source is gaining acceptance, he said.
"There are very few issues that can't be resolved with an open source tool today," he said.