Rsam GRC v8
Strengths: Strong assessment and workflow tool set; strong data import abilities; universal risk taxonomy
Weaknesses: Nothing to note
Verdict: Enterprise risk management approach is solid and it consolidates, prioritises and visualises risk in an ongoing model
Rsam GRC v8 is a platform for risk management and security risk intelligence enabling organisations to perform risk assessments and to manage compliance, threats, vulnerabilities, policies, remediation activities, issues, incidents and more. It differentiates itself from traditional GRC platforms by focusing more on proactive enterprise risk management.
The tool is offered either as an in-the-cloud SaaS offering or as customer on-premise software. It runs on Windows Server 2003/2008 with a SQL database backend, IIS and .NET Framework. One can deploy it on virtual machines, shared environments, clustered environments or standalone servers.
The modules that are part of the suite include: risk, compliance, remediation, threats/vulnerabilities, audit, incident management, policy and vendor risk. These are all rolled into the risk analytics engine. Modules are licensed separately. There is a brand new user interface in this version - clean and easy to follow - with tabs across the top for the various modules and navigation panes below.
Rsam GRC provides a fully automated policy management lifecycle, and policy structures support unlimited hierarchical levels. Policies can be authored directly in Rsam or imported from Word, Excel, databases or web API calls, and can be linked to Rsam's robust content library, encompassing 10,000-plus road-tested controls, which are carefully cross-mapped across compliance/industry standards. Form-driven menus drive users through the assessment-creation process, and one has an automated workflow to move, measure and manage the assessment through the process. The data gathering and bulk management of the information is impressive.
The risk analytics module creates dynamic rules that maximise management of policies, risks and findings. Customers can define their own custom risk-driven rule sets. The output of the assessments, threat and vulnerability imports generates findings. Users also have a built-in workflow to create tasks for remediation and manage exceptions.
Getting data into Rsam has been enhanced in this release. The universal connector is data-source agnostic and allows customers to integrate data from other existing tools without waiting for Rsam to establish a formal relationship with that third party product. The universal connector integrates with just about any other tool, either via direct API calls, database queries, file exchanges or simple SMTP messaging.
Rsam GRC is based on an object structure that allows users to view and organise data around assets and relationships. Further, there is an analytics engine that processes and drives conclusions via the risk data through dynamic rule sets. Users have custom actions/workflow, which trigger automated actions based on events or schedules.
A range of out-of-the-box risk management reports, plus a tool for creating custom dashboards, is included. Also new are capabilities for universal and metrics search that allow for the scheduling of a function to be run and posted to a dashboard.
The built-in documentation and help function is done well. Training, a knowledgebase and help guides have all been updated. Rsam annual support and maintenance comes in at 20 per cent of software licence fees. Assistance includes updates/upgrades to Rsam software and content templates.