Strengths: Awareness tools and testing. BCP inclusion
Weaknesses: Cost. Truly assessment driven tool for measuring risk
Verdict: Great tool for developing an enterprise GRC plan and risk management solution
Lightwave Security's SecureAware is a risk and compliance management and reporting platform supporting industry-standard frameworks such as ISO 2700x, PCI DSS and CobiT 4.1. It includes four modules: policy and awareness management; compliance workflow and management; risk management, used for the set-up and launch of risk assessments; and business continuity planning.
A menu driven web interface walks you through setting up risk assessments by defining systems, processes and the process system relation. Business impact, vulnerabilities and threats are all documented through the use of questionnaire-based assessments, reporting on vulnerabilities at the network asset and process level and managing the workflow associated with the remediation of risks.
Risk assessments are derived from the enterprise security policy and are customisable to the standard to which the enterprise is aligned. Regardless of the standard you map to, the risk assessment methodology complies with ISO 27001/27002 standards. The workflow engine integrated with AD and LDAP natively to facilitate the tracking of tasks, questionnaires and documentation. Email alerting and notification is also included.
SecureAware includes the ability to report an enterprise risk profile on a continuous basis through its dashboard and report writing capabilities. A browser-based graphical presentation of risk data, assessments and analysis and business impact is included. There is a lot of content provided to easily create and customise the assessment questionnaires. A good feature is the ability to drive awareness through not only a document management process but also through a testing module to assess if the documents are actually being read.
It is sold as a software solution and deployed on either a Windows or Linux server, with a very light and simple implementation. Phone and email support on an 8/5 basis is included for the first year and provided for a fee after that.
This solution focuses on the business risk side of the equation. It provides decent tools for creating the policies and measuring and mapping risk to those policies and industry standards. From a policy/risk management aspect, this is a good tool. We liked that it also included business continuity planning in the risk management process.