Modulo Risk Manager
Strengths: A traditional GRC application with a couple of twists. It is risk-focused and well-connected to outside data sources, such as vulnerability assessment tools. Probably the most flexible system we’ve seen.
Weaknesses: None that we observed.
Verdict: This one’s a keeper. Long experience, a lot of functionality plus flexibility and a reasonable price make Modulo Risk Manager a good traditional GRC application. For the traditional approach, we make this our Recommended product.
This is a traditional approach to GRC with the added benefit of being able to consume vulnerability data from third-party scanners, such as Qualys and Rapid 7. This is a large package and has a lot of capabilities. It can automate risk, compliance, policy, business continuity and incident management. In addition, it provides audit, cyber-security and workflow management. Risk Manager is available as an SaaS application or on-premise software for local deployment. While there is a definite bias toward technology risk, this is a full-featured system.
Plus, it is a fully customisable tool. Administrators can add tabs, fields and dashboards. Ten dashboards are available out of the box. There are more than 100 new APIs as well. We dropped into the Assets Risk Intelligence dashboard, a custom dashboard that shows type and geolocation of assets. From there we moved to the vulnerability dashboard and found vulnerabilities by asset along with geolocation of the assets. Next we moved to the main work surface, which contains the menus and drop-downs for the rest of the application.
We began by taking a closer look at the assets. These can be populated by input from a scanner, manually or from data. The assets are coupled to their vulnerabilities as discovered, in this case by Qualys. Next we moved into the risk area and saw the risk assessment tools, including such things as questionnaires and automated collectors. The interview piece is typical of traditional GRC tools and once the questionnaire is ready it can be put into the workflow. Control IDs are mapped to controls, assets and the asset's knowledge base record. By running a simulation of risk evaluation statistics, one can see the impact of certain controls on the overall risk picture.
Workflow management may be one of the strongest features of this tool. Everything can be managed under the workflow. Policies can be written and deployed, audits conducted, remediation scheduled and vulnerability assessments and questionnaire distribution all are easy to automate. Policy builder is just part of the flexibility here. For example, if one needs a special application to perform a custom type of assessment it can be built easily using the App Builder feature.
Additionally, users can bring in external applications. For example, we saw the application of a binary risk assessment of a particular type of attack. There is a process for building and disseminating business continuity plans as well. In short, if we were to be forced to describe the Modulo Risk Manager in a single word it would be "flexible." The tool fits - or can be customised to fit - just about any GRC challenge in just about any size organisation.
Since the last time we looked at this tool there have been significant performance improvements. This has become very important as the amount and types of data increase rapidly to become a Big Data challenge. The consumption of a variety of data types is part of today's GRC environment and GTC tools are drinking from a data fire hose. Performance is very important and we were impressed by this application's performance.
Of course, all recognised standards and regulatory requirements are part of the tool but users can add their own if necessary. And the tool can specifically address third-party risk. Price is reasonable and, for what it does, quite favorable to some smaller organisations.
Free support is offered for the first year and there are fee-based options for premium support packages. The support portal even has a running blog that addresses changes and other support issues. The company has an excellent training programme as well.