Aruvio GRC v2.2
Strengths: Easy to deploy.
Weaknesses: Built on Salesforce.com, the platform will be highly dependent on changes to that platform. Per-user license model can be costly to scale to larger organizations.
Verdict: Brings GRC capabilities to the mid-sized organization in a model that is easy to use and deploy. Pricing is still within the ballpark of enterprise products if access for several users is needed.
The Aruvio GRC suite is a complete set of governance, risk, and compliance (GRC) applications, including controls, compliance, vendor risk, enterprise risk, incident management, and policy and training. The solutions are geared toward mid-sized organizations, as they are designed to be simple to deploy and priced to be attractive for smaller user counts.
The product is available as a cloud-based SaaS offering only, and is built on top of Salesforce.com technology. As a fully hosted offering, the system is typically deployed in under one week. Since it is offered as software-as-a-service (SaaS), the product is accessed through a web browser, so it can be reached from any device that runs one, including mobile devices such as iPads and iPhones.
Aruvio is an audit-driven solution with modules available to test compliance, preliminary risk and risk assessment. There is a tool to quickly develop audits and workflows. Entirely web-based, it uses email notification to users as the workflow engine for all audit and alerting functions. Role-based authentication controls govern who has access to which features. Aruvio integrates regulatory compliance documents and consolidates inputs. Users can upload company-specific policy and standards documents, or use the pre-loaded common control framework that comes from integration with the Unified Compliance Framework (UCF). The seamless mapping between external frameworks and internal standards helps avoid redundant control testing: "test once, report many."
Assets and vulnerabilities can be imported from various configuration management databases (CMDB) and vulnerability scanners using an easy-to-use data loader interface. Once loaded, users can perform a risk assessment of the identified vulnerabilities and threats by asset. There is an asset wizard to create assets as well. From what we saw, asset creation looked to be manual. This can be both a pro and a con: the positive is that it is easy to roll assets up into "systems," and the negative is that there will be some setup time.
There is a policy module as well. One creates policies outside of the tool and uploads them as PDF files. Further, there is a useful feature that allows one to create training on a policy and track adherence to it, as well as a read-and-accept audit-tracking feature. Users can use the data from the policy tool to map policies to controls, and then measure and report on compliance within one's risk assessment. Also, there is a vendor risk module that allows admins to set up white-labeled and branded portals to deliver and track vendor assessments for inclusion in one's risk reporting. Getting all the data in appeared to be more of a manual process, but that said, the data imports are easy to use.
Reporting and dashboard capabilities are well done. Users have numerous reports and views out of the box and one can customize any of these as desired. The dashboards are easy to use and it is simple and quick to get to the detailed data. One can look at a risk profile as a whole or quickly click to a view of risk by any regulatory type - i.e., quickly see a risk profile for just PCI DSS.
Support is included in the yearly subscription fee and includes 24/7 phone and email access. There is not a web-based support option. - ML