Rsam GRC Platform
Strengths: One of the most complete traditional GRC applications on the market. Clear, clean pages and excellent drill-down; the ability to craft the combination of services one needs by selecting modules that snap into the platform is a big plus as well. Performance is remarkable: we retrieved 1.2 million records in about three seconds.
Weaknesses: Not many. This is a mature, well-thought-out product. However, we think that the support package is a bit shy of perfect.
Verdict: If you want a traditional GRC package that has stood the test of time with a great many users, have a close look at this one.
Rsam GRC Platform is a venerable product that, arguably, helped define GRC long before we called it GRC. Rsam is undeniably a traditional GRC product but with a few nice twists. Of course, like all competent GRC systems, Rsam can consume data from vulnerability scanners and other sources directly. But unlike a technology-driven tool, data goes directly into the overall mix with lots of other data sources. This can be a very big system if that's what is needed or it can be compact to fit a smaller organisation. Because it's a platform-based tool, all one needs to do is select the modules wanted and snap them onto the platform.
We have been watching Rsam for some time and one of the things that always has impressed us is the clean way it presents complex information. Everything in Rsam is an object. Users can add or import objects directly from a source or can add them manually. When we entered the Rsam system we dropped onto a welcome page that presented choices. These are in the form of graphics, which can be customised on the landing page for branding purposes.
We drilled down on a home page from which we could select an object. The list included Assessments, Audit Universes, Business Units, Infrastructure Hosts, Rsam Libraries and Rsam Users. We selected Assessments and were presented with all of the assessments - 20 in this case - in the tool. We could further drill down on any assessment to see more details.
Assessments often are done through questionnaires. These can be created in Rsam with dynamic questions. The questionnaires are distributed based on a predefined workflow and the respondent completes the questionnaire and returns it. The results go into Rsam's database and become part of the audit process.
Threats and vulnerabilities can be analysed in the context of the various organisational assets in the database. The status of audit projects, vulnerabilities, risks and what Rsam calls indicators can be checked ad hoc, or a periodic report can be created easily and distributed on a schedule. Indicators are created easily and they can be at the core of a report. For example, we saw an indicator called "Vans open > 60 days." That indicator was set to measure monthly, and it can be assigned to a corporate objective, such as "Financial growth: to increase revenues by 10 percent annually."
We were especially impressed by the granularity and quality of the drill-down in Rsam. There also are some advanced analytics, such as Monte Carlo simulations. Policy management is excellent and very straightforward. Overall, this is a fine example of a traditional GRC application with the twist of being able to consume data from vulnerability management tools and various devices in the enterprise. We also liked the reporting. In fact, it is among the best we've seen anywhere.
The website is clean and easy to navigate with a fair bit of information. Support is offered only on a subscription basis, with no free assistance. Also, aid is only available during the work week: 5/12 for regular support and 5/24 for premium. At a rate of 20 percent of license fees for standard support, we believe that availability should be somewhat greater. However, there is both phone and email aid, so if it is not a crisis perhaps an email to the Saturday crew working overtime would suffice.