Lightwave Security SecureAware v3.7.2
Strengths: Awareness tools and acknowledgments and testing; BCP inclusion; very nice UI.
Weaknesses: Cost; it is purely an assessment-driven (questionnaire-based) tool for measuring risk.
Verdict: Great tool for developing an enterprise GRC plan and risk management solution.
Lightwave Security's SecureAware is a risk and compliance management and reporting platform supporting industry-standard frameworks, such as ISO 2700x, PCI DSS and CoBIT 4.1. The solution includes four modules: policy and awareness, compliance, risk management (used for the setup and launch of risk assessments), and business continuity planning.
A menu-driven web interface walks admins through setting up risk assessments by defining systems, processes and the process-to-system relationships. Business impact, vulnerabilities and threats are all documented through questionnaire-based assessments, with reporting on vulnerabilities at the network-asset and process level and management of the workflow associated with remediating risks. Risk assessments are derived from the enterprise security policy and are customizable to the standard to which the enterprise is aligned. Regardless of the standard to which users map, the risk assessment methodology complies with ISO 27001/27002. The workflow engine was nice: it integrated natively with AD and LDAP to facilitate the tracking of tasks, questionnaires and documentation. Email alerting and notification are also included.
SecureAware offers the ability to report an enterprise risk profile on a continuous basis through its dashboard and report-writing capabilities. A browser-based graphical presentation of risk data, business impact, risk assessments and risk analysis is also included. A lot of content is provided to make it easy to create and customize the assessment questionnaires. A really nice feature is the ability to drive awareness not only through a document management process, but also through a testing module that assesses whether the documents are actually being read.
The solution is sold as software and deployed on either a Windows or Linux server. It's a very light and simple implementation. Eight-hours-a-day/five-days-a-week phone and email support is included for the first year and provided for a fee after that.
This solution focuses on the business-risk side of the equation. It provides very nice tools for creating the policies and measuring and mapping risk to those policies and industry standards. From a policy management/risk management aspect, this is a good tool. We like that it also includes business continuity planning in the risk management process.