Lumension Risk Manager v4.4
Strengths: Interface provides a great user experience; out-of-the-box controls and the ability to map each control to multiple standards
Weaknesses: Pricing per node and additional fees for UCF content can make this expensive for a larger enterprise
Verdict: Good survey-/assessment-driven compliance and business risk tool
Lumension Risk Manager (LRM) is a compliance and risk management solution that provides a framework for streamlining compliance management and assessing business risk. It provides visibility into compliance and risk through four capabilities: risk profiling, controls framework, controls assessment and risk/compliance reporting.
It is delivered as on-premises software running on the customer's own hardware. It is a Java-based web application hosted on Microsoft Windows Server and accessed from any Windows-compatible client. LRM deploys on Windows Server 2005 through 2008 and SQL Server 2005 through 2008 R2.
LRM is geared to providing end-to-end visibility of all control activities needed to ensure protection of information. It harmonises common controls from more than 450 regulatory standards into a single set of controls, thus easing the burden and duplication inherent in manual compliance management practices. In short, it can assess a single control once and apply it to any standard or regulatory requirement. The tool's Risk Intelligence Engine allows it to easily correlate an organisation's policy against regulatory standards while measuring the business risk of vulnerabilities in an IT environment.
Its risk profiling models the risk relationship between IT assets and the business interests they support. Assets can be brought into the system with its Connector Development Kit. A few prebuilt connectors are available for SIEMs, vulnerability scanners and patch management solutions, and a published application programming interface (API) allows asset data and other security data to be imported. The controls framework captures the control requirements mandated for the appropriate level of risk mitigation and maps each control to the compliance requirements it satisfies.
The controls assessment function assesses the technical, physical and procedural controls to provide a single view and measure of compliance. Risk and compliance reporting delivers a metrics-driven set of reports ranging from summaries that support executive decision-making down to detailed reports for external auditors. The reporting and dashboards make it easy to present a risk picture to any level of user, from executive to analyst.
The survey process drives the business risk assessment and covers areas such as vulnerabilities, environmental/natural risks, loss or theft risk, and regulatory failure. LRM uses analytics to assist in the review of risk. Administrators can use the heuristics engine to analyse control scores for patterns, such as a group of subjects that contributes disproportionately to a poor compliance score, or a type of control that fails across a broad range of subjects. Because such patterns in the scoring data can be identified quickly, high-value remediation efforts can be prioritised.
To help manage the volume of raw data associated with each of these areas, LRM analyses the data and classifies it as meaningful, neutral or less meaningful. Each category can be assigned a custom risk value that rolls up into the final risk calculation.
Lumension provides both standard and premium support options as part of the software's subscription cost; these include phone-based technical aid, email assistance with a one-day response and access to the Lumension online customer portal and knowledgebase.