eGestalt Technologies SecureGRC Enterprise
Strengths: Strong on content, clean graphical display, very dynamic; liked the user interface; deploys quickly.
Weaknesses: Cloud-based-only option; no current correlation of risk to asset items.
Verdict: Easy to buy, use and manage for questionnaire-driven risk assessments.
SecureGRC is a cloud-based automated IT security and compliance management solution that supports both a security-centric deployment and a full-blown IT-GRC platform. The offering comes complete with easy-to-adopt, ready-to-use compliance-management frameworks, context-based inference engines, alert processing, and an easy-to-use logging and monitoring solution.
Available in Enterprise and SB (small business) editions, SecureGRC is a cloud-based, SaaS-delivered security and risk assessment, auditing and remediation application. It is generally sold through its reseller channels. All data is stored in a SAS 70 Type II secure data center, and no electronic record information is removed from a client site. SecureGRC contains ready-to-use compliance control kits for PCI-DSS 1.2, ISO 27001/27002, COBIT, Sarbanes-Oxley, HIPAA/HITECH, the Gramm-Leach-Bliley Act, and other country-specific frameworks.
The tool provides real-time status on the current state of security and compliance and then offers a checklist of questions that guides the process along, asking for documentary evidence to satisfy each compliance requirement.
No prior knowledge of any particular compliance regulation is necessary in order to use SecureGRC. As a hosted solution, the interface is a web browser; older browsers are not supported. The user interface is fairly easy to decipher, with pull-down selections for customized assessments, controls, risk ratings and more. Users simply follow the application's list of instructions and upload the required documents, and the system in the end generates a report that can be presented to auditors to prove compliance. There is a substantial amount of prepopulated content around the regulatory and compliance standards listed above. Setup requires one to establish user accounts and provision them based on the required levels of access. One then selects the templates needed for creating assessments from the list, customizes them as necessary and publishes the assessment. Emails are sent to the users with their credentials for accessing the assessment questions.
There is a closed-loop review process in which the auditor can ask for additional information to complete the assessment. Once this process finishes, the compliance reports are generated. One doesn't have to be highly technical to use the tool. There is a sensible knowledge base built in that dynamically displays key information relating to the areas one is clicking on. Documentation is built into the product, with a series of drill-down mouse clicks leading to help information on a specific topic. Support is delivered via channel partners, so fees will vary. If the next version can add asset management and IT risk correlation, this would be a great product to consider for anyone seeking a hosted GRC solution.