Acuity STREAM Integrated Risk Manager v3.1
Strengths: Ease of use, configurability, price performance.
Weaknesses: More of a note than a weakness: asset and user management is a manual process.
Verdict: Great tool for business intelligence/enterprise risk management and reporting.
STREAM Integrated Risk Manager v3.1 from Acuity Risk Management is a risk-driven, compliance-monitoring and reporting solution that can log, track, remediate and report against multiple standards. STREAM is a comprehensive, configurable, yet simple-to-use software product which automates the complex processes involved in managing compliance with standards while delivering effective risk management. The tool integrates compliance with risk management in a business context. It achieves this through an innovative yet simple and logical approach that is easily understood and explained.
STREAM can be configured and used to meet the requirements of ISO 27001 for an information security management system (ISMS). It provides the entire ISMS framework for ISO 27001, including asset identification and business modeling, risk and compliance assessment and residual risk measurement against appetite, risk treatment and improvement planning and trending.
The solution provides preconfigured content for popular standards, such as ISO 27001 and PCI-DSS, and also provides a content builder utility which allows users to bulk upload their own content. Content can be purchased on an as-needed basis. STREAM will correlate in a common control model across multiple areas.
STREAM is an assessment-driven tool that is designed to tie enterprise risk to business impact. One begins by importing assets from third-party systems or manually creating them in STREAM. Information can be input manually by users and by automated update from third-party systems. Manual information might include control self-assessments or independent audits, and risk assessments, including the value and sensitivity of information assets and the estimated likelihood of threat occurrence.
The assessments are executed through an email-driven workflow. Once users have data back, they can proceed through the remediation workflow that includes events, where one records information on incidents. Users also have an actions section, which is the risk treatment plan. The reports section was well done. Reporting is a 3D-graphics view with drill-down capabilities.
Multiple deployment options are available, including on-premises, traditional client-server, virtualized client-server, virtualized web-enabled mobile solution and SaaS-based hosted cloud service. There are three basic components in a STREAM enterprise deployment: database server, application server and the client component installed on each STREAM user workstation. STREAM multi-user installations require a SQL Server 2005/2008/2012 Database Server and a Windows application server. We were told that deployments are easy and clients are up and running quickly. There is also a lot of video-based training that comes bundled with the product.
All annual licenses are provided with eight-hours-a-day/five-days-a-week support and include help desk, error correction and entitlement to free software upgrades with data migration between versions. The annual assistance fee is calculated at 20 percent of the perpetual license fee.