TrustedAgent GRC describes itself as a "boutique solution for the highly-regulated commercial enterprises and federal government organizations." It is risk-focused and decidedly a traditional GRC approach. According to the vendor there are a lot of improvements in the current release, and we liked what we saw. Functionality of particular interest includes continuous diagnostics and mitigation (CDM) support and maturity levels. It can consume vulnerability data from popular scanners such as Nessus and Nmap. The tool is highly automated, and analyses can be automated to address unique requirements.
Automation requires workflows, and TrustedAgent has very good workflow capability. A unique approach to identifying vulnerabilities rapidly is the vulnerability fingerprint. Each vulnerability is fingerprinted, and the fingerprint is used to recognize the same vulnerability if it appears on another asset in the same assessment or in a different assessment, so an analysis done once can be reused rather than repeated. This speeds up the analysis time.
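The review does not say how TrustedAgent computes its fingerprints. The following is an added example, not the vendor's code, of the idea: derive a stable identity for a weakness from the fields that describe the weakness itself (plugin ID, normalized name, CVE list, protocol) while excluding the fields that vary per occurrence (host, port number, plugin output with its timestamps and banners), then use that identity to spot recurrences across assessments and to reuse a prior analyst write-up. The scanner records, assessment names and the prior analysis text are constructed for the example; the record layout loosely follows a Nessus CSV export but is an assumption, not a parser for any real file format.

```python
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample records in roughly the shape of a Nessus CSV export.
# Hosts, plugin IDs, names and outputs are made up for this example.
ASSESSMENT_1 = [
    {"host": "10.0.1.10", "port": "22/tcp", "plugin_id": "90317",
     "name": "SSH Weak Algorithms Supported", "cve": "",
     "plugin_output": "Ciphers: aes128-cbc,3des-cbc (scanned 2024-01-11 09:02)"},
    {"host": "10.0.1.11", "port": "2222/tcp", "plugin_id": "90317",
     "name": "SSH  Weak Algorithms Supported ", "cve": "",
     "plugin_output": "Ciphers: 3des-cbc (scanned 2024-01-11 09:07)"},
    {"host": "10.0.1.20", "port": "443/tcp", "plugin_id": "51192",
     "name": "SSL Certificate Cannot Be Trusted", "cve": "",
     "plugin_output": "Subject: CN=intranet.example (scanned 2024-01-11 09:15)"},
]
ASSESSMENT_2 = [
    {"host": "10.0.2.5", "port": "22/tcp", "plugin_id": "90317",
     "name": "ssh weak algorithms supported", "cve": "",
     "plugin_output": "Ciphers: aes128-cbc (scanned 2024-04-02 14:40)"},
    {"host": "10.0.2.7", "port": "80/tcp", "plugin_id": "11213",
     "name": "HTTP TRACE / TRACK Methods Allowed",
     "cve": "CVE-2004-2320, CVE-2003-1567",
     "plugin_output": "TRACE enabled (scanned 2024-04-02 14:52)"},
]


def fingerprint(record):
    """Stable identity of a weakness, independent of where and when it was seen.

    Host, port number and plugin output (timestamps, banners) are deliberately
    excluded; whitespace, case and CVE order are normalised so cosmetic
    differences between exports do not produce distinct fingerprints.
    """
    name = re.sub(r"\s+", " ", record["name"]).strip().lower()
    cves = sorted(c.strip().upper()
                  for c in record.get("cve", "").split(",") if c.strip())
    proto = record["port"].split("/")[-1].lower() if "/" in record["port"] else ""
    canon = json.dumps(
        {"plugin": record["plugin_id"], "name": name, "cves": cves, "proto": proto},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def build_index(assessment_id, records):
    """Map fingerprint -> list of occurrences (where the weakness was seen)."""
    idx = defaultdict(list)
    for r in records:
        idx[fingerprint(r)].append(
            {"assessment": assessment_id, "host": r["host"], "port": r["port"]})
    return idx


def merge_indexes(*indexes):
    """Combine per-assessment indexes so occurrences of one weakness sit together."""
    merged = defaultdict(list)
    for idx in indexes:
        for fp, occ in idx.items():
            merged[fp].extend(occ)
    return merged


def recurring(merged):
    """Fingerprints seen in more than one assessment."""
    return {fp for fp, occ in merged.items()
            if len({o["assessment"] for o in occ}) > 1}


def apply_prior_analysis(merged, analyses):
    """Reuse an earlier write-up wherever its fingerprint recurs.

    `analyses` maps fingerprint -> analyst text from earlier work (constructed
    by the caller here). Returns (reused, fingerprints still needing a human).
    """
    reused, needs_review = {}, []
    for fp, occ in merged.items():
        if fp in analyses:
            reused[fp] = {"analysis": analyses[fp], "occurrences": occ}
        else:
            needs_review.append(fp)
    return reused, needs_review


if __name__ == "__main__":
    merged = merge_indexes(build_index("2024-Q1", ASSESSMENT_1),
                           build_index("2024-Q2", ASSESSMENT_2))
    weak_ssh = fingerprint(ASSESSMENT_1[0])
    prior = {weak_ssh: "Disable CBC ciphers in sshd_config per the hardening standard."}
    reused, todo = apply_prior_analysis(merged, prior)
    print(f"{len(merged)} distinct weaknesses, {len(recurring(merged))} recurring")
    print(f"{len(reused)} reuse prior analysis, {len(todo)} need fresh analysis")
```

The design choice worth noting is what the fingerprint leaves out: if the raw plugin output or the port number were hashed in, the same weak-cipher issue on a second host or on a non-standard port would look like a new vulnerability and the analyst would write it up again, which is exactly the duplicated effort fingerprinting is meant to remove.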
The tool is installed in virtual environments running on two physically segregated machines, one hosting the web/application server and the other SQL Server, so the database tier is not exposed alongside the web front end. Admins can enter the system in a variety of ways. We chose to start at the inventory tab. This gave us plenty of choices, including managing the inventories and a list of tasks assigned to the logged-in user. From there we could drill down to a variety of screens, each giving us more detail about the item at which we started.
From there we progressed to a set of status charts including authorization and assessment status. On this page we found a trendline chart for expired authorizations by industry. Trendlines are useful and this one told us that on average authorizations expired in about 90 days. As one would expect, TrustedAgent has a robust asset management capability. The assets display allows drill-down to get to a lot of detail about each asset. For example, we could filter the page to focus on the vulnerabilities of each asset.
The regulatory compliance graph was shown along with another trendline that detailed controls not started. The controls views are taken against a particular standard, in our case COBIT. Incidents can be tracked in considerable detail, including status, type and breaches. These are tied to the applicable controls and routed automatically to the appropriate person for handling the incident.
Of course the usual audit findings are included, with such charts as findings by risk level, risk area and asset type, as well as the ubiquitous trendline chart of open findings. There is a lot of automation in this tool. For example, we went through a detailed analysis of the assets in the Amazon Web Services private cloud for our test organization. Everything we needed to know about assets, vulnerabilities, risks and audit was readily available, and we were able to set a workflow to keep the data updated and available to the appropriate people.
We went through an exercise that showed the extent of the tool's remediation capability. It consisted of setting a password standard for an asset, testing it, removing the password and testing again. This resulted, as expected, in a finding that the policy was not being followed. We fixed the problem, retested and, as expected, it passed this time. Throughout the process we received detailed notifications telling us what was happening and the results. The analytics are very good.
The product is reasonably priced and there is a very complete customer support portal. However, there is very little on the main website beyond marketing information. In order to get access to the most important information one must already be a customer. Once inside the support portal, the documentation is substantial. However, when we tried to access an installation manual we were told that we needed to contact the company, even though we were authorized portal users.
Basic support is included and there is a premium level of assistance available as well.