Aruvio GRC v2.2
Strengths: Easy to deploy
Weaknesses: Built on Salesforce.com, so the product is highly dependent on changes to that platform. The per-user licence model can be costly to scale to larger organisations
Verdict: Brings GRC capabilities to the mid-sized organisation in a model that is easy to use and deploy. Once access for several users is needed, pricing moves into the range of enterprise products
Aruvio GRC is a complete set of governance, risk and compliance (GRC) applications, including controls, compliance, vendor risk, enterprise risk, incident management, and policy and training. These are geared toward mid-sized organisations: they are designed to be simple to deploy and priced to be attractive at smaller user counts.
It is available only as a cloud-based SaaS offering and is built on top of Salesforce.com technology. As a fully hosted service, it is typically deployed in under a week. The product is accessed through a web browser, so it can be used from any browser-equipped device, including mobile devices.
Aruvio is an audit-driven solution with modules to test compliance, run preliminary and full risk assessments, and a tool to quickly build audits and workflows. Being web-based, it drives all audit and alerting workflows through email notifications to users. Role-based access controls determine which features each user can see and use. Aruvio integrates regulatory compliance documents and consolidates inputs: users can upload company-specific policies and standards documents, or use the pre-loaded common control framework derived from its integration with the Unified Compliance Framework (UCF). Mapping external frameworks and internal standards onto a single set of common controls avoids redundant control testing: 'test once, report many'.
Assets and vulnerabilities can be imported from various configuration management databases and vulnerability scanners through an easy-to-use data loader. Once loaded, users can assess the risk of identified vulnerabilities and threats per asset. There is an asset creation wizard, but from what we saw asset creation is largely manual, which can be both a pro and a con: it is easy to roll assets up into systems, but there will be some setup time to create and organise all the necessary assets.
A policy module is included. Policies are authored outside the tool and uploaded as PDF files. A useful feature lets one build training on a policy and track completion, alongside a read-and-accept audit-tracking feature. Data from the policy tool can be used to map policies to controls, and compliance with them is then measured and reported as part of one's risk assessment.
A vendor risk module lets administrators set up white-labelled, branded portals to deliver and track vendor assessments for inclusion in risk reporting. Getting all the data in appeared to be a largely manual process, although the data imports are easy to use. Once the information is uploaded, the wizards make it quick and easy to manage.
Reporting and dashboard capabilities are well done. Numerous reports and views are available out of the box, and any of them can be customised. The dashboards are easy to use, and it is simple and quick to drill down to the detailed data. One can view the risk profile as a whole or click through to a view of risk by any regulatory type, such as a risk profile for just PCI DSS.
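To make the 'test once, report many' model and the per-regulation risk view concrete, here is a small, self-contained Python example. It is an added illustration written for this review, not Aruvio's or the UCF's code, and the control identifiers, framework requirement numbers and test results are constructed sample data. Each common control is tested once; the mapping table fans that single result out to every framework requirement that relies on it, and a per-framework summary (the 'PCI DSS only' view) is derived from the same results.

```python
"""Constructed 'test once, report many' control mapping (illustrative example,
not Aruvio's schema). One common-control test result propagates to every
framework requirement mapped to it, and per-framework views are derived
from the same result set."""
from collections import Counter

# Constructed sample results: each common control is tested exactly once.
CONTROL_RESULTS = {
    "CC-01": "pass",        # multi-factor auth for remote access
    "CC-02": "fail",        # quarterly user-access review
    "CC-03": "pass",        # cardholder data encrypted at rest
    "CC-04": "not_tested",  # vendor security review
}

# Constructed mapping: framework -> requirement -> common controls that satisfy it.
# Requirement numbers are illustrative placeholders, not authoritative citations.
FRAMEWORK_MAP = {
    "PCI DSS": {"8.3": ["CC-01"], "7.2": ["CC-02"], "3.4": ["CC-03"], "12.8": ["CC-04"]},
    "ISO 27001": {"A.9.4.2": ["CC-01"], "A.9.2.5": ["CC-02"], "A.10.1.1": ["CC-03"]},
    "SOC 2": {"CC6.1": ["CC-01", "CC-03"]},
}

# Lower rank is worse; a requirement takes the worst status of its controls.
STATUS_RANK = {"fail": 0, "not_tested": 1, "pass": 2}


def requirement_status(control_ids, results=CONTROL_RESULTS):
    """Worst-of rule: one failing control fails the requirement, and an
    untested (or unknown) control blocks a pass."""
    statuses = [results.get(c, "not_tested") for c in control_ids]
    if not statuses:
        return "not_tested"
    return min(statuses, key=STATUS_RANK.__getitem__)


def framework_report(framework, results=CONTROL_RESULTS):
    """Status of every requirement in one framework (the 'PCI DSS only' view)."""
    return {req: requirement_status(ctls, results)
            for req, ctls in FRAMEWORK_MAP[framework].items()}


def framework_summary(framework, results=CONTROL_RESULTS):
    """Counts of pass / fail / not_tested requirements for one framework."""
    counts = Counter(framework_report(framework, results).values())
    return {status: counts.get(status, 0) for status in STATUS_RANK}


def all_frameworks_summary(results=CONTROL_RESULTS):
    """The whole-estate risk profile: one summary per framework."""
    return {fw: framework_summary(fw, results) for fw in FRAMEWORK_MAP}


def requirements_for_control(control_id):
    """Every (framework, requirement) a single control test reports into;
    this is the 'report many' side of the model."""
    return [(fw, req) for fw, reqs in FRAMEWORK_MAP.items()
            for req, ctls in reqs.items() if control_id in ctls]


if __name__ == "__main__":
    for fw, summary in all_frameworks_summary().items():
        print(f"{fw}: {summary}")
    print("CC-02 reports into:", requirements_for_control("CC-02"))
```

Re-testing a single control and re-running the summaries is enough to refresh every framework view, which is the practical payoff of the model: a fix to the access-review control clears the failing requirement in both PCI DSS and ISO 27001 without a second test.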
Support is included in the yearly subscription fee and covers 24/7 phone and email access, but there is no web-based support portal.