Strengths: Ease of use is the most obvious strength. However, the ability to craft just the GRC system that you need by selecting applicable modules is a very strong recommender as well. This feature allows you to build out a full system over time starting with a minimal deployment.

Weaknesses: We would have liked to see a bit more attention paid to the formatting of the manual before it was sent to production.

Verdict: As a traditional GRC, this one demands your attention for its price vs. performance and flexibility. As you add modules the price will climb, of course, but the basic starting point is very reasonable.

The Allgress Insight Risk Manager actually is a suite of modules that allows organizations of all sizes to automate continuous monitoring and management of their entire business risk management processes. It provides audit, assessment, compliance, security management, risk management and third-party vendor management. The platform can be implemented on-premise, in the cloud or as a hybrid of both. Users can implement one or all of the modules depending on their requirements.

This tool has one of the simplest user interfaces we've seen. It breaks tasks down into seven groups, each with its own menu: survey, assessment, vulnerability, risk analysis, risk register, incident and policy. Surveys are simple to produce. This is not a next-generation tool in that it does not do auto-discovery. It does integrate nicely with a variety of third-party products and, for asset inventory, it pulls in data from a third-party vulnerability assessment tool.

Once you have selected a task menu, you can drill down to a set of subtasks.  The menus are very graphical, using clear icons to designate their purposes. However, once you start drilling down you get away from the icon-based UI and into traditional screens as appropriate to the task you are performing. Workflows are logical and easy to follow.

The policy task has many pre-made mappings but you can add your own mappings easily.  This means that you can map two standards against each other so that tasks or controls performed and completed under one of the standards will be reflected in the other.

Assessment is very straightforward and results are clear, with remediation as part of the workflow. You can export tickets to a third-party tool, or the product has its own ticketing if you prefer. There is a very good risk analysis workflow with displays that allow you to see where your risks lie, which makes it easier to prioritize remediation. All of this is reflected in the risk register which, simply, is the total picture of risks across the enterprise.

One of the strengths of the product is the incident module.  Managing an incident ties all the results back into the rest of the tool, provides investigation documentation, remediation paths and summary charts to show status, before, during and after the incident.

Another strength is the coverage wheel. This is a multi-level pie chart, set up for each standard that you are following. The standard is broken down into its component parts which, in turn, are broken down into sub-parts.  Drilling down gives you increasing levels of detail, down to the level where you see the individual controls for a section of the standard.

This is another one of those products that is so reasonably priced that a second look almost is demanded. That said, as a percentage of price the support can get a bit high. The product is available as a cloud service and if you take that route - annual subscription - support is included. If you opt for a perpetual license it goes up to 20% per year for 8X5 coverage and 30% for 24X7. While we normally would object to these upcharges, the cost of the product is so low that they really don't have a significant impact and the product, if you are looking for a traditional GRC tool, is still a very good value. Note, of course, that the price will increase as you add modules so the bargain gets a bit less with growth.

We found the web customer portal complete and easy to use.  Documentation was very simple and, except for some formatting errors that don't belong in a professional manual, was what we expected.

