Acuity Risk Management STREAM Integrated Risk Manager
Acuity Risk Management
Single user: from £328 per year, including support and software upgrades; Multi-user: from £2,800 per year, including support and software upgrades.
Strengths: Very good pure play risk management tool with a lot of reporting and customisation options. Good value, especially for consultants, something we almost never see.
Weaknesses: We wish that Stream did automated asset discovery and had a closed-loop remediation platform instead of emailing a manager.
Verdict: Solid, versatile risk management tool that can fit organisations of just about any size – from the single consultant to large enterprises.
This is pure risk management. It takes control lists, threats and vulnerabilities, maps them across a risk landscape and reports in a format that is acceptable for some regulatory requirements. While it does not provide remediation or mitigation, it manages and tracks the process so reporting is always current. There are three modules to the product: the database server, the application server and the client component. It can be deployed on premises or in the cloud, and there is a single-user version for consultants. If you opt for an on-prem deployment, the database server is SQL Server 2008 or later and the application server is Windows Server 2008 or newer.
Its standards mappings are based on ISO standards and it supports all of the applicable ones. The tool has a specific template for PCI reporting and that template creates reports in the format required by PCI auditors. The reporting is comprehensive and is, in fact, one of Stream's strongest points.
When it comes to vulnerabilities, there is good news and bad news. The bad news is that it does not do asset discovery directly - although you can input an asset list manually or from a database. The good news is that it manages vulnerability scans. When it discovers a vulnerability it records the asset information.
The tool automatically generates actions and remediation priorities. It then generates a workflow. Tickets are generated within Stream and linked to email. It does not, however, connect to external ticketing systems. It is not really a ticketing workflow and is not automatically closed-loop. When it finds an unfixed event - it records vulnerabilities as events - it does not recreate the event. Rather, it escalates the existing event to a manager for further action.
We dropped into the main dashboard, which consists of graphs that summarise the important statuses, such as residual risk (the risk remaining after remediation of discovered risks), events and, perhaps most important for the risk analyst, the remediation schedule based on discovered risks. These include risk and control assessments in process or pending, and the status of actions.
The landing page is not user configurable but just about everything else is. Drill-down is very good, though a bit awkward at first: rather than drilling down from a single element of one of the graphs on the landing page, you drill down into the entire graph. From there you can easily decompose the elements in considerable detail.
Something that we liked - and don't see often enough - is a way to manage the organisation's risk appetite. Different organisations approach risk differently. A financial or medical institution, for example, might have a very low tolerance for risk while other organisations might be a bit more risk tolerant. Stream allows the organisation's risk aversion to be balanced against its regulatory requirements, which, from an IT perspective, gives a truer picture of the organisation's risk position.
Another unique capability is estimated risk delta. This helps management determine the order in which money is spent to remediate risks. Estimated risk delta shows the overall impact on the risk picture obtained by a particular remediation.
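To make the three ideas above concrete (residual risk, risk appetite and estimated risk delta), here is an added illustration in Python; it is not Stream's code, and the likelihood-times-impact scoring, the percentage control effectiveness and the cost-weighted ordering are assumptions chosen for the example, as is the sample register.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class RiskEntry:
    name: str
    likelihood: int       # assumed 1..5 scale
    impact: int           # assumed 1..5 scale
    control_effect: int   # % of inherent risk removed by controls already in place

@dataclass(frozen=True)
class Remediation:
    name: str
    risk_name: str
    new_control_effect: int  # % removed once the action is complete
    cost: float              # assumed currency units

def inherent_risk(r: RiskEntry) -> float:
    return r.likelihood * r.impact

def residual_risk(r: RiskEntry) -> float:
    """Risk remaining after the controls already in place."""
    return inherent_risk(r) * (100 - r.control_effect) / 100

def above_appetite(register, appetite: float):
    """Names of entries whose residual risk exceeds the stated appetite."""
    return [r.name for r in register if residual_risk(r) > appetite]

def estimated_risk_delta(register, rem: Remediation) -> float:
    """Drop in residual risk if this remediation is carried out."""
    current = next(r for r in register if r.name == rem.risk_name)
    improved = RiskEntry(current.name, current.likelihood, current.impact,
                         rem.new_control_effect)
    return residual_risk(current) - residual_risk(improved)

def prioritise(register, remediations):
    """Order spend by risk delta per unit of cost, largest first."""
    return sorted(remediations,
                  key=lambda m: estimated_risk_delta(register, m) / m.cost,
                  reverse=True)
# Constructed sample register and candidate actions (not real data).
REGISTER = [
    RiskEntry("unpatched web server", 5, 4, 25),
    RiskEntry("unencrypted laptops", 3, 4, 50),
    RiskEntry("phishing", 4, 3, 50),
]
ACTIONS = [
    Remediation("patch cycle", "unpatched web server", 80, 2000.0),
    Remediation("disk encryption", "unencrypted laptops", 90, 5000.0),
    Remediation("awareness training", "phishing", 75, 1000.0),
]
```

With an appetite of 5, all three sample entries sit above it, and the cost-weighted ordering puts the patch cycle first even though disk encryption removes more absolute risk per action.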
A core element of the tool is the risk register. This is flexible and drill-down is good. Workflows are generated automatically. From the auditor's perspective, all details - including attached documents, such as evidentiary materials - are readily available. The threat list is based on the SANS Top 20 and mappings are taken from the Verizon annual threat report.
The website is largely a marketing site, but it does have quite a bit of information to help potential customers, including an online store where purchases can be made. Docs are good and basic support is included with the licence.