Rsam GRC Platform is a venerable product that, arguably, helped define GRC long before we called it GRC. Rsam is undeniably a traditional GRC product but with a few nice twists. Of course, like all competent GRC systems, Rsam can consume data from vulnerability scanners and other sources directly. But unlike a technology-driven tool, data goes directly into the overall mix with lots of other data sources. This can be a very big system if that's what is needed or it can be compact to fit a smaller organization. Because it's a platform-based tool, all one needs to do is select the modules wanted and snap them onto the platform.
We have been watching Rsam for some time and one of the things that always has impressed us is the clean way it presents complex information. Everything in Rsam is an object. Users can add or import objects directly from a source or can add them manually. When we entered the Rsam system we dropped onto a welcome page that presented choices. These are in the form of graphics which can be customized on the landing page for branding purposes.
We drilled down on a home page from which we could select an object. The list included Assessments, Audit Universes, Business Units, Infrastructure Hosts, Rsam Libraries and Rsam Users. We selected Assessments and were presented with all of the assessments - 20 in this case - in the tool. We could further drill down on any assessment to see more details.
Assessments often are done through questionnaires. These can be created in Rsam with dynamic questions. The questionnaires are distributed based on a predefined workflow and the respondent completes the questionnaire and returns it. The results go into Rsam's database and become part of the audit process.
Threats and vulnerabilities can be analyzed in the context of the various organizational assets in the database. The status of audit projects, vulnerabilities, risks and what Rsam calls indicators can be checked ad hoc, or a periodic report can be created easily and distributed on a schedule. Indicators are simple to create and can be the core of a report. For example, we saw an indicator called "Vans open > 60 days." That indicator was set to measure monthly, and it can be assigned to a corporate objective, such as "Financial growth: to increase revenues by 10 percent annually."
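To make concrete what an indicator of the "open > 60 days, measured monthly" kind computes, here is an added example that is not Rsam code and makes no claim about how Rsam implements indicators. It runs the measurement over a constructed set of vulnerability records on a list of month-end dates and flags the months in which the count exceeds a tolerance (the threshold, the field names and the sample records are all assumptions for illustration).

```python
from datetime import date

# Constructed sample vulnerability records (not Rsam data). A 'closed' of None
# means the item is still open at every measurement date.
VULNS = [
    {"id": "V-1", "opened": date(2024, 1, 5),  "closed": None},
    {"id": "V-2", "opened": date(2024, 3, 20), "closed": None},
    {"id": "V-3", "opened": date(2024, 1, 10), "closed": date(2024, 2, 1)},
    {"id": "V-4", "opened": date(2023, 12, 1), "closed": None},
    {"id": "V-5", "opened": date(2024, 4, 25), "closed": None},
]

# Monthly measurement schedule for the indicator (assumed month-end dates).
MEASURE_DATES = [
    date(2024, 1, 31), date(2024, 2, 29), date(2024, 3, 31), date(2024, 4, 30),
]


def open_longer_than(vulns, as_of, days):
    """Return ids of records that were open on `as_of` for more than `days` days.

    A record counts only if it had already been opened by `as_of` and had not
    been closed on or before `as_of`; closure after the measurement date does
    not retroactively remove it from that month's figure.
    """
    ids = []
    for v in vulns:
        opened_by_then = v["opened"] <= as_of
        still_open = v["closed"] is None or v["closed"] > as_of
        if opened_by_then and still_open and (as_of - v["opened"]).days > days:
            ids.append(v["id"])
    return ids


def monthly_indicator(vulns, measure_dates, days=60, tolerance=1):
    """Evaluate the indicator on each scheduled date.

    Returns one row per measurement with the count, the contributing ids and
    whether the count breached the tolerance (an assumed reporting threshold).
    """
    rows = []
    for as_of in measure_dates:
        ids = open_longer_than(vulns, as_of, days)
        rows.append({
            "as_of": as_of,
            "count": len(ids),
            "ids": ids,
            "breached": len(ids) > tolerance,
        })
    return rows


def run_example():
    """Measure the constructed indicator on the assumed monthly schedule."""
    return monthly_indicator(VULNS, MEASURE_DATES, days=60, tolerance=1)


if __name__ == "__main__":
    for row in run_example():
        flag = "BREACH" if row["breached"] else "ok"
        print(f'{row["as_of"]}: {row["count"]} open > 60 days {row["ids"]} [{flag}]')
```

The point of separating `open_longer_than` from `monthly_indicator` is that the same age test can be reused for other thresholds (30, 90 days) or other object types, while the schedule and tolerance stay with the indicator definition, which is where a reviewer would expect to see them when the figure is assigned to a corporate objective.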
We were especially impressed by the granularity and quality of the drill-down in Rsam. There also are some advanced analytics, such as Monte Carlo simulations. Policy management is excellent and very straightforward. Overall, this is a fine example of a traditional GRC application with the twist of being able to consume data from vulnerability management tools and various devices in the enterprise. We also liked the reporting. In fact, it is among the best we've seen anywhere.
The website is clean and easy to navigate, with a fair bit of information. Support is offered only on a subscription basis, with no free assistance. Also, aid is available only during the work week - 5/12 for regular support and 5/24 for premium. At a rate of 20 percent of license fees for standard support, we believe that the availability should be somewhat greater. However, both phone and email aid are offered, so if it is not a crisis perhaps an email from the Saturday crew working overtime would suffice.