LockPath Keylight v3.0
Strengths: Great visualisation; links risk to elements
Weaknesses: Delivers a lot, but at a high price
Verdict: Has what is needed to manage risk and compliance
LockPath Keylight is a family of applications that includes management of compliance, threats, risks, vendors, incidents and business continuity. It is centrally managed and has a single sign-on system with configurable permissions that allow multiple users to manage different aspects of the system.
The tool is delivered either as a cloud-based SaaS or an on-premise solution. The SaaS model simply requires a modern browser and internet access. The on-premise offering is built on the Microsoft platform, using .NET and C# with SQL as the backend database. We were told that a typical deployment could be installed and configured for use in 30 days.
Keylight's Risk Manager provides a comprehensive set of tools to identify, assess and prioritise the most relevant risks for an organisation. Risks are captured from multiple sources, including user entry, compliance, policy and risk assessments, and integration with network and security devices. There is a substantial list of built-in connectors for plugging into network and security products.
The Threat Manager provides vulnerability remediation and has the ability to integrate with several vulnerability scanners, including products from Qualys, Nessus and Rapid7. Once risks are captured, Keylight includes a configurable workflow engine that can move risks between individuals and groups. This is configured through a menu-driven wizard and requires no custom code. The same workflow tool is integrated through the entire product suite.
The Dynamic Content Framework allows users to customise all the risk elements and to even create custom risk types. Users also have the ability to cross-relate objects from all applications, such as policy to a risk, or a risk to a business continuity plan.
The offering has a questionnaire-driven compliance module. The questionnaire templates are easy to create and customise, right down to custom scoring, with the ability to flag questions and route them through additional workflow steps, such as a mandated review process. LockPath Keylight also includes a full policy management suite, which offers the ability to import or build policies, move policies through a configurable workflow process and relate policies to regulations within a content library. Another module, Incident Management, is also fully integrated and uses the same email-driven workflow described above.
We were not provided with a lot of detail on the Business Continuity Manager, but wanted to mention that it offers the ability to generate, test and report on business continuity planning (BCP) readiness. There is also a Vendor Management module for extending assessments to vendor partners.
The reporting capabilities are strong. All the reports are created through a simple, drag-and-drop interface and everything is available to report on: risk objects, policy exceptions, tying of a risk to a policy exception, etc. One can view data in user-configurable dashboards, heat maps or detailed drill-down reports. The heat map view is one of the better visuals we saw in this group test.
Support is included in the licence price. There is only one option: eight-hours-a-day/five-days-a-week, with assistance available via phone, web or email. Documentation is built into the product as online help, which is well done.