Product Information

Acuity Risk Management STREAM Integrated Risk Manager

★★★★★

by Peter Stephenson, November 01, 2015

Vendor: Acuity Risk Management

Product: STREAM Integrated Risk Manager

Website: http://www.acuityrm.com

Price: Single user from £312 per year, multi-user from £2,644.

RATING BREAKDOWN

  • Features: ★★★★
  • Ease of Use: ★★★★★
  • Performance: ★★★★★
  • Documentation: ★★★★★
  • Support: ★★★★★
  • Value for Money: ★★★★★
  • Overall Rating: ★★★★★

QUICK READ

  • Strengths: Price and ease of use.
  • Weaknesses: A fairly vanilla offering without a lot of bells and whistles, which may pose some limitations on usefulness under certain circumstances.
  • Verdict: If you are a small to medium sized organisation, this tool will let you apply GRC to improving your risk posture. For this group, it is well worth the low price of admission.

STREAM is an integrated risk management tool delivered as a software product consisting of a database server, an application server and a client component. The client component can be a web server if you so desire. Multi-user deployments require an additional SQL Server implementation as well as an application server, although the two can be combined into a single machine.

The big value in this tool is a low price that brings a lot of functionality. While this solution does not have some of the sophisticated data import mechanisms found on much larger systems, neither is it anywhere near as expensive. For all of that, its reporting and analytics are impressive. It clearly is aimed at providing a useful risk management tool at a low price.

Once data is imported to the tool, it may be played against a number of standards as well as your own internal controls. There are lots of dashboards and drill-downs that allow analysts to craft reports that view the organisation's risk position from a variety of perspectives. In addition, good workflow management allows creation of task sets for remediation and analysis.

The landing page is a general purpose dashboard and is typical of dashboards for this type of tool. It gives a quick graphical look at the organisation's risk posture at that moment. You can drill down for more detail and that detail exposes just about all areas of risk management the average organisation needs to address. As with most competent GRC tools, STREAM maps controls to standards and by tracking the controls also tracks the compliance with those standards.

Data can be input in a variety of ways, from manual entry to spreadsheets to direct feeds from vulnerability tests and threat monitoring. There is a lot of emphasis on assets and the impacts of threats and vulnerabilities on them, as well as their individual compliance with standards. There is a strong feature associated with this: you can map just about anything to anything, allowing a close inspection of where risks emerge and how best to address them. For example, you can map threat asset classes against control asset classes to determine how much applying a particular control to a particular asset will reduce the risk associated with that asset. This, in turn, is mapped back to the applicable control in the applicable standard.

There also is a detailed workflow capability that allows specific actions to be assigned to a particular group or individual and then tracks the progress of those actions. Additionally, we liked the reporting capabilities. Lots of reports come preconfigured but it is not difficult to create entirely new reports. Some of these reports play against accepted standards, both actual and de facto. For example, there is a report that shows the organisation's performance against the SANS Critical Security Controls. This can be a management-style report with quick-review graphs instead of tables of numbers.

Because security events make up an important part of the risk picture, the tool has a good event management capability. This, really, is an extension of workflow management but is specialised toward events. The details of the event appear in a menu and the incident is then assigned to the appropriate individual or group for management.

Support is typical: a level of assistance is included with the annual license fee, and an enhanced level of aid is available for 20 percent of the license fee. Support includes both email and phone. Standard aid guarantees a three-hour response and enhanced aid a one-hour response. The website is clean with a lot of information, including support access, a knowledge base and an FAQ. Pricing is excellent, putting this tool well within the range of most organisations, if only at the single-user level.
