META Security Group on Thursday will announce a new version of Command Center, an online system that now helps users develop, deploy and manage security policies. Command Center 4.0 also includes tools that not only alert users to potential vulnerabilities, but help them track the patching process.

"The most important thing in security isn't technology, it's the processes you have around it," says Patrick McBride, executive vice president and chief technology officer of META Security Group, based in Herndon, Va. Command Center helps companies develop policies and procedures, distribute them to all employees and help ensure they are being followed.

Command Center 4.0 includes enhancements that address the policy management from creation through deployment and tracking, McBride says. New wizards and an enhanced interface make the product significantly easier to use compared to earlier versions, which were more document-based.

Command Center 4.0 is entirely Web-based and is delivered according to an application service provider model, so there is no software or hardware to buy. It addresses three key processes: the policy management lifecycle, awareness and training, and vulnerability management.

In terms of policy, the product addresses seven categories: asset identification and classification, asset protection, asset management, acceptable use, vulnerability assessment and management, threat assessment and monitoring, and security awareness.

Specific policies and procedures fall under each category, with thousands of policy statements in total that users can employ as-is, or tailor to their needs. Additionally, there is a module specific to the Gramm Leach Bliley Act, with another coming soon for the Health Insurance Portability and Accountability Act.

The awareness and training section includes material to train both the end user population and the IT group on security issues. It includes Powerpoint presentations that customers can employ in training sessions.

For vulnerability management, META Security Group uses vulnerability data supplied by Security Focus, but tailors it such that each customer gets only the data that applies to the systems in their environment.

"That's half the battle," McBride says. "Making sure they do something with the data is the other half."

Toward that end, users can configure Command Center 4.0 to automatically create a task to patch a system when a new vulnerability crops up. The system can then track vulnerabilities by system or by administrator, so that managers can easily see which patches have not yet been applied.

Command Center includes a variety of options for how to deploy security policies once they are created. Users can link to the policy data from their intranet, post a full copy of the policy document, or ship out a link to the document in an email to all employees. Users can also opt to track acceptance, having users click on a link to indicate they have read the policy. That leaves a valuable audit trail detailing which users accepted the policy and when.

The system also provides customers access to security research content from the META Group and Auerbach Publications. "It easily pays for itself just based on the research," McBride says. Command Center 4.0 is priced on a per-seat basis, with a seat defined as a user who will edit policies and work with vulnerability data. Pricing is generally in the $50,000 to $150,000 range, although a package tailored for small and medium enterprises is available for less than $20,000.