LockPath Keylight Platform
Strengths: Very comprehensive GRC platform that covers just about all bases.
Weaknesses: Can get pricey if you include all applications.
Verdict: Solid, hard-core GRC.
The Keylight Platform is a cloud (SaaS)-based, on-premises or hybrid governance, risk and compliance (GRC) platform used for compliance and policy management, operational risk management, IT risk management, vendor risk management, business continuity management, and audit management. Keylight is built using a patented technology: The Dynamic Content Framework (DCF). DCF allows users to configure solutions without custom code, automatically integrate data, power workflow and dynamic assessments, and provide users with GRC-specific reporting to ensure scalability and security. The Keylight Platform comprises seven purpose-built applications - Audit Manager, Business Continuity Manager, Compliance Manager, Incident Manager, Risk Manager, Security Manager and Vendor Manager - that manage different types of risk and compliance. Each application interfaces through the Keylight Platform and leverages the DCF features to address different challenges.
The product consumes data from across the enterprise and from first-hand and third-party sources, including enterprise and IT applications, such as policy compliance scanners, ERP systems, vulnerability scanners, web application scanners and contract management systems. Keylight also consumes and manages authoritative content, including laws, regulations, standards and contracts.
As one might expect, a system of this scope can become complex, if not genuinely complicated. The user interface keeps the complications to a minimum, but there is still a lot for the tool to do across its seven modules. Compliance depends on authoritative sources to define the regulatory requirements, and LockPath manages compliance by addressing internal controls. For each internal control, the tool determines risk by applying an analysis cycle of defining, measuring, analysing and improving the internal response to the control's requirements.
The controls are derived from citations in authority documents - laws, standards, regulations and contracts - and compliance documents - policies, standards, guidelines and procedures. The key to the user's view of Keylight's functionality is a collection of dashboards. Users can create these to represent the aspects of the organisation's GRC that matter to them, and the dashboards can pull data from within Keylight or from external sources.
Users can stick to the guidance provided or, if necessary, create their own. If you apply a control in a particular assessment, for example HIPAA, the results will be applied automatically to any other assessment where the control may apply, e.g., PCI. Additionally, the tool is aware of events: if an event occurs that collides with a policy, the user is forced to read and accept the applicable policy before accepting or rejecting the risk.
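The cross-assessment behaviour described above (one control result reused by every framework that cites it) is the common-control-library idea behind many GRC tools. The following is an added illustration, not LockPath's code, and it assumes nothing about Keylight's internal data model; the control names and citation identifiers are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample mapping: one internal control may satisfy citations in
# several authority documents (hypothetical control ids, illustrative cites).
CONTROL_CITATIONS = {
    "AC-01 Unique user IDs":   {"HIPAA": "164.312(a)(2)(i)", "PCI": "8.1.1"},
    "AC-02 Encryption at rest": {"HIPAA": "164.312(a)(2)(iv)", "PCI": "3.4"},
    "LG-01 Audit logging":     {"HIPAA": "164.312(b)", "PCI": "10.2"},
    "VM-01 Quarterly scans":   {"PCI": "11.2"},
}


@dataclass
class ControlLibrary:
    """Common control library: each control is assessed once and the
    result is shared by every framework that cites that control."""
    citations: dict
    results: dict = field(default_factory=dict)   # control -> "pass"/"fail"

    def assess(self, control: str, passed: bool) -> list:
        """Record one assessment; return the frameworks it updates."""
        if control not in self.citations:
            raise KeyError(f"unknown control: {control}")
        self.results[control] = "pass" if passed else "fail"
        return sorted(self.citations[control])

    def assessment(self, framework: str) -> dict:
        """Framework view: citation -> status, derived from shared results."""
        view = {}
        for control, cites in self.citations.items():
            if framework in cites:
                view[cites[framework]] = self.results.get(control, "not assessed")
        return view

    def gaps(self, framework: str) -> list:
        """Citations still failing or unassessed for one framework."""
        return sorted(c for c, s in self.assessment(framework).items() if s != "pass")


if __name__ == "__main__":
    lib = ControlLibrary(CONTROL_CITATIONS)
    # Assessing the HIPAA unique-ID control also closes the PCI citation.
    print(lib.assess("AC-01 Unique user IDs", True))   # ['HIPAA', 'PCI']
    print(lib.gaps("PCI"))                             # ['10.2', '11.2', '3.4']
```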
There is a solid workflow engine and workflows are easy to set up and manage. This leads to an offering that LockPath calls the "value chain." As you go through the workflow, you find the presence of a risk that needs to be mitigated, remediated or accepted. The first question is: how will this risk impact my overall risk? The value chain allows you to identify where the risk resides relative to the rest of the system being measured.
The product is nearly infinitely configurable. This allows analysts to take just about any approach to GRC and develop a customised configuration to support requirements.
One of the most important emerging areas of risk management is vendor or third-party risk management. This was brought home drastically in the Target breach. LockPath provides a solid third-party risk management module. It allows different assessment types for low- and high-risk vendors as well as fourth-party vendors.
Finally, the Security Manager pulls in data from third-party scanners and performs initial triage, correlating vulnerabilities with weighted assets.
This is an easy-to-use tool, and the support is excellent in case you have difficulties during setup and configuration. LockPath sends a deployment team to new customers to do quick-start training and final configuration at no extra fee. One nice feature is the whistleblower portal, which is hosted independently but feeds Keylight.
The website is excellent with everything you need to make a buying decision and then get you started after you take delivery. Support is included.