Risk & policy management Group Test | SC Media

Product Group Tests

Risk & policy management

Group Summary

The tools that we are reviewing are a group of very sophisticated, many-faceted products. Broadly, they fit into the category of governance, risk and compliance (GRC), but they are a lot more and, perhaps, a bit less.


Agiliance RiskVision v6.0 SP2
AlgoSec Security Management Suite
Lumension Risk Manager (Rating: 4.00)
NetIQ Secure Configuration Manager
NetWrix Change Reporter Suite
SolarWinds Network Configuration Manager
Tripwire Enterprise (Rating: 5.00)
Tufin Security Suite (Rating: 5.00)
Symantec Control Compliance Suite v11
Citicus ONE release 3.4
eGestalt Technologies SecureGRC Enterprise
LockPath Keylight Platform v2.3
MetricStream Risk Management Solution v6.0
Modulo Risk Manager v7.6
RedSeal Networks RedSeal v5.0
Rsam eGRC Platform v7.5
Viewfinity Privilege Management

full group summary

As I commented in my opener this month, the tools that we are reviewing are a group of very sophisticated, many-faceted products. Broadly, they fit into the category of governance, risk and compliance (GRC), but they are a lot more and, perhaps, a bit less. Confused? Don’t be. It’s really quite simple to discuss, though not quite as simple to do.

Governance is the overarching description of the policies and directions of an organization from the top. Directors, CEOs, presidents and CIOs, for example, are involved in setting the standards for governance within the organization. They set those parameters based on best practices, regulatory requirements, the business environment in which the organization exists, and the environment of the organization itself. Governance can be a bit abstract, but as we go from the general to the specific, we start to enter the domain of the tools we are examining.

Risk management requires that risks be identified and managed. We measure risk in terms of threats, vulnerabilities and impacts. We hope to be able to analyze risks and determine the best way to manage them. We have lots of choices, not all of which will apply equally. It may be easier in some cases to manage vulnerabilities by patching or adding some countermeasure, such as a firewall, to block access to the vulnerability.

For a vulnerability to be exploited there needs to be a threat, and the threat agent must have access to the vulnerability. That access is called reachability. So the notion of reachability is inherent in the notion of vulnerability. The issue is complicated a bit by the fact that, today, attacks often are not simple one-off exploits. They may be chained exploits within the enterprise itself or they may require the use of a pivot (a vulnerable device that can be compromised and then used, in turn, to compromise other devices that trust it). That means that analysis – and subsequent management – of vulnerabilities is not a simple process.
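The reachability idea above is easiest to see as a small graph search. The following is an added illustration, not code from the review or from any of the products it covers: it takes a constructed map of allowed network paths (standing in for firewall rules) and a constructed set of unpatched hosts, and answers the defender's question "which vulnerable hosts can a threat agent at a given starting point actually reach, and through which pivots?" A reachable host that is patched is treated as a dead end, because access alone is not compromise; a reachable vulnerable host is assumed compromised and becomes a pivot. A second helper models the countermeasure the paragraph mentions, blocking one path, so the exposure can be recomputed. All host names and rules are constructed for the example.

```python
from collections import deque

# Constructed sample: allowed paths, source -> set of destinations it may talk to.
# Stands in for a firewall rule base; not taken from any real product or network.
ALLOWED = {
    "internet": {"web01"},
    "web01": {"app01", "db01"},
    "app01": {"db01"},
    "db01": set(),
    "hr-laptop": {"app01"},
}

# Constructed sample: hosts that currently carry an exploitable, unpatched vulnerability.
VULNERABLE = {"web01", "db01"}


def exposed_hosts(allowed, vulnerable, start="internet"):
    """Return {host: chain} for every vulnerable host reachable from `start`.

    `chain` lists the hosts compromised in order, so its length is the number
    of exploits (including pivots) needed. Breadth-first search gives the
    shortest chain. Patched hosts may be reachable but are never traversed:
    only a compromised (vulnerable) host can serve as a pivot.
    """
    chains = {}
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, chain = queue.popleft()
        for nxt in sorted(allowed.get(node, ())):
            if nxt in seen:
                continue
            seen.add(nxt)
            if nxt in vulnerable:
                new_chain = chain + [nxt]
                chains[nxt] = new_chain
                queue.append((nxt, new_chain))  # compromised host can pivot onward
            # a patched host is a dead end: reachable, but not exploitable or traversable
    return chains


def with_path_blocked(allowed, src, dst):
    """Return a copy of the path map with one allowed path removed (a countermeasure)."""
    blocked = {k: set(v) for k, v in allowed.items()}
    blocked.get(src, set()).discard(dst)
    return blocked


if __name__ == "__main__":
    print("Exposure as configured:", exposed_hosts(ALLOWED, VULNERABLE))
    # Option 1: block the pivot path web01 -> db01 at the firewall.
    print("After blocking web01->db01:",
          exposed_hosts(with_path_blocked(ALLOWED, "web01", "db01"), VULNERABLE))
    # Option 2: patch web01 instead; db01 then has no reachable pivot.
    print("After patching web01:", exposed_hosts(ALLOWED, VULNERABLE - {"web01"}))
```

In the sample, db01 is not directly reachable from the internet, yet it is exposed through web01 as a pivot; either blocking the single path or patching the pivot removes that exposure, which is exactly the kind of trade-off between managing the vulnerability and managing reachability the text describes. Real rule bases add services, ports and address ranges to each edge, but the analysis is the same graph problem.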

Sometimes, it is easier and more efficacious to manage threats. In that case, we usually place some sort of countermeasure between the threat and exploitable vulnerabilities in general. The problem with that is both threats and vulnerabilities are an ever-shifting landscape and, therefore, challenging to manage. That is where the tools that we are reviewing come into the picture. They handle this dynamic environment far more efficiently than can a human administrator.

Compliance is the third leg of the GRC stool. It is the elephant in the room. Compliance is expensive and complicated, but necessary. While fines are not particularly common yet, the penalties for being out of compliance with regulatory requirements can be significant. More important, a case of ID theft traceable to an organization’s negligence in maintaining compliance can result in lawsuits.

Managing GRC means controlling both risks and the configurations of the devices meant to implement policy as a countermeasure to risk. It is a basic tenet of information assurance that one must have a technical way to enforce policies. Simply telling people that they need to follow certain password rules, for example, is not a reliable way to implement that policy. The system needs to have a way to enforce the plan. Policy management tools do that for you.

When one combines risk and policy management into a single tool, the best of both worlds is available. One analyzes the ever-changing risk landscape and then adjusts the appropriate devices in the enterprise to mitigate the discovered risks.

Clearly, we don’t usually behave in that old-school manner, but GRC management done manually is not far different. If your organization fits into any of the many categories that must be compliant with the multitude of regulatory requirements that bedevil – and protect – us, the tools we look at this month are critical to success. Even if your enterprise doesn’t, take a close look at these products because they will, undoubtedly, simplify your life.
