Modulo Risk Manager
November 01, 2016
Starts at £15,300 annually for SaaS.
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Solid next-generation GRC tool that now covers all of the bases, not just IT risk and policy management.
- Weaknesses: We would like to see 24/7 support hours for premium support.
- Verdict: This is a gold standard of GRC systems. It has all of the bells and whistles that you need and just about nothing that you don’t.
Modulo Risk Manager is a perennial favourite around here. However, in the past it has had a distinctly traditional look and feel to it. Now it has been acquired by SAI Global, an Australian public company, and integrated into SAI's overall risk management suite, and the integration shows. There is a lot more automation evident than we saw last year and the approach is less traditional and more up to date. One of the new capabilities this year that contributed materially to Modulo's acquisition by SAI Global was the introduction of threat intelligence, but Risk Manager is also known for third-party (vendor) risk and reputational risk analysis.
The product still is based on the same five core modules that it was last year: Risk Management, Compliance Management, Policy Management, Workflow Management and Knowledge Management. All five of these modules are so tightly integrated that the feel is that of a single product which, of course, is the intent. Within these five modules you can create multiple joins from assets to operational groups. This gives a historical view with heavy live filtering capabilities. Reports can be built from these screens (organisational risk by business component and asset) for various audiences, making reporting one of Risk Manager's strong points.
Risk Manager supports four types of assets: Environment, Person, Process and Technology. There is no coding necessary - everything is available to be configured with a mouse click. This means that you can create surveys that a third party can fill in - all automated and all out of the box. Additionally, you can create a self-registration portal that lets the third party log in and answer the survey. There is a module creation capability with mouse clicks that pulls from existing database entries, such as names.
Smart workflows are a key capability. In addition, threat intelligence sources are embedded with external websites, making this a next-generation product.
For control-based risk assessment, the tool addresses Analysis, Inventory, Evaluation and Treatment - all control-based risk assessments use these four pieces. You can create interviews that are based on controls for the various applicable standards (hundreds of controls are available out of the box) and that include details. Scoring is predefined and consists of Probability, Severity and Relevance. Surveys can be created that force the respondent to provide evidence.
There are lots of collectors for various devices that can gather evidence automatically for the compliance reports. This product is hugely flexible with significant drill-down. Remediation is tracked under Treatment. The workflow engine is very powerful and easy to use - all access and setup is from the admin console so there is no programming required.
Further, access controls are role-based and there is a solid audit trail covering the use of the tool.
While Risk Manager does not do its own auto-discovery, it can consume the output of vulnerability scans and it has a lot of third-party integrations. It can consume XML as well as other file formats for asset mapping. The product tracks remediation and automatically decides what gets remediated. It then performs closed-loop remediation.
The product has mobile device support for approvals and conducting assessments.
Support is solid although we would like to see premium support 24/7. The website largely is a marketing site. Documentation is solid. We have seen quite a few improvements over the past year in functionality, which already was superior.
Overall, we see an improved product and this is one of those rather unusual times when an acquisition actually offers improvement to the product without the product's technology simply being subsumed by the acquisition.