Acuity STREAM Integrated Risk Manager
Strengths: Good GRC product with more than expected automation and very good configurability. Integration with third-party tools is very good and reporting and customization are quite good as well.
Weaknesses: Support appears to be available only by email, although the vendor provides a three-hour turnaround for standard support and one-hour turnaround for priority support. The website also appears to be incomplete, in that we could not find a support portal. It does allow us to send a support message which, presumably, will be picked up in the advertised time frames.
Verdict: This is a capable tool and meets its objectives well.
This is a traditional GRC-style risk management tool with a few really nice features added to improve efficiency through automation. STREAM includes pre-configured content for popular standards, such as ISO 27001, NIST, PCI-DSS and GDPR along with a Content Builder utility which allows the addition of custom content.
In this type of product, the things that really matter are the ability to deploy and customize rapidly, ease of extracting useful data about risks, the ease with which one can map controls to risks and assess their effectiveness, and the ability to keep the risk register current, along with compliance reports that are meaningful on several levels (e.g., audit, remediation, etc.). STREAM has all of that and is suitably automated to allow efficiency and up-to-the-minute accuracy.
Everything in STREAM is related to the individual user. That means that you can set up your own dashboards that provide information on your projects and deadlines. Drill-down from the dashboards is very good, as is the level of detail available. For example, drilling down to a specific asset reveals its compliance with your selected standards. These risk pages are exceptionally detailed, and everything is configurable. Connectors to major vulnerability scanning tools are included, and results can be imported directly into STREAM and automatically linked to assets. This automatically raises actions on the discovered vulnerabilities, which can be communicated to third-party ticketing.
There are multiple control frameworks, and analysts select the ones they need. Likewise, users can create their own framework based on the organization's internal policies. Look and feel across various sections (e.g., risk, controls, etc.) is very similar, so the learning curve is not steep. A well-designed workflow alerts users to perform their assigned tasks.
Reporting is comprehensive and in addition to the large number of reports supplied out of the box, users can create their own, simply and quickly. The custom report generator is very simple. The user picks a report type - e.g., risk - and clicks on the fields he or she wants and the tool does the rest. The database is snapshotted automatically monthly or more frequently if a user chooses. This allows trending.
In addition to the expected risk management tools, STREAM also supports incident management. Incidents and near misses can be examined in detail. This function uses the same general page format as in other sections, so it is easy on users. The tool imports data from vulnerability scanning tools, key control metrics, incident data and threat intelligence. Discovery is derived from third-party scanning tools. All risk assessments/acceptances and control assessments/approvals are logged and date-stamped, whether from manual or automated update, providing a history of compliance and risk status.
The website is mostly marketing and support is by email. All annual licenses are provided with standard annual support subscriptions included. If you are not on an annual subscription, support will cost you 20% per year, which we think is excessive for standard support. There also is a priority level for an additional fee. Documentation is about what we expected and certainly covered the bases well. There is a free community edition, which is well worth looking at before you make a buying decision.