Modulo Risk Manager v8.1
Strengths: Graphical risk maps; new mobile support; analytics ability; integration
Weaknesses: Nothing to note
Verdict: Strong all around: risk process, usability, level of integration, reporting and delivery of the content in a usable format
Modulo Risk Manager is a single, fully integrated platform for organisations to automate and unify their IT GRC processes. Based on an intuitive and flexible workflow, it enables organisations to identify, analyse, evaluate and treat risks across the enterprise. It adds business relevance to operational data for risk-based analytics and decision making by mapping IT and non-IT assets to business processes.
It is offered as either a hosted SaaS or an on-premise software deployment. The on-premise offering has two licensing models: perpetual (the user buys it) or subscription (user's hardware, licence rented). The on-premise solution requires MS Server 2008 R2 64-bit, .NET Framework 3.5 and MS SQL Server R2 Standard Edition 64-bit. The web server has similar Windows requirements, and further needs .NET 4.0 and a valid SSL digital certificate.
The solution manages risk, policy and compliance with multiple regulations, internal policies and standards. The MetaFramework is aligned with ISO 31000 and delivers a substantial knowledgebase to reference. It includes the five core domain modules: management of risk, compliance, policy, workflow and knowledge. The demo we were provided with also included modules supporting management of vulnerabilities and threats, vendor risk and business continuity. It is important to note that these modules are optional and can drive up the cost of the overall solution.
Modulo Risk Manager has vast support for integrating data from many directory, network, security, vulnerability and asset management systems. Enhanced in this version is an innovative, open way to automate the collection of information from third-party devices through its open source GRC collectors, dubbed modSIC, for Modulo Open Distributed SCAP (Security Content Automation Protocol) Infrastructure Collector. This provides a common platform for developing a service to collect and analyse technology assets based on the open SCAP standard. Data can be collected based on a custom model or by using a public knowledgebase through OVAL.
There are several new features in v8.1, the most notable of which is an automated workflow component. The tool moves tasks through the entire risk process and there are options for incident management with a strong tree mapping-style report. The vendor risk and business continuity management functions are new. This module provides an efficient integration capability to easily link one's risk to the business continuity plan for the organisation, including operational, financial and regulatory. With a new social integration capability one can also collect social data and measure image impact.
Reporting and visual representation of the information is strong. Tools, such as tree maps and geo mapping, have been enhanced. Plus, there are effective 'what if' tools available. New to this version are a Big Data management feature and the delivery of more predictive analytics. However, the real strength is the correlation and visualisation of the massive amount of collected data into a manageable and usable format.
Eight-hours-a-day/five-days-a-week standard support is included for the first year. There are premium support options available for a 20 per cent fee for both the SaaS and software versions.