Lumension Risk Manager v4.4
Strengths: Interface provides a great user experience, out-of-the-box controls, and the ability to overlap them to multiple mappings.
Weaknesses: Pricing per node and additional fees for UCF content can make this an expensive offering for a larger enterprise.
Verdict: Good survey-/assessment-driven compliance and business risk tool.
Lumension Risk Manager (LRM) is a compliance and risk management solution that provides a framework for streamlining compliance management and assessing business risk. It provides visibility into compliance and risk through four capabilities: risk profiling, controls framework, controls assessment and risk/compliance reporting.
The solution is delivered as on-premise software running on one's hardware. It is a Java-based web application running on a Microsoft Windows Server that can be viewed on any MS Windows-compliant device. LRM deploys on Windows 2005-2008 and SQL Server 2005 through 2008 R2.
The product is designed as a compliance and business risk assessment tool, combining compliance and risk management into a single process. It is geared to providing end-to-end visibility of all control activities needed to ensure protection of information. It harmonizes common controls from more than 450 regulatory standards into a single set of controls, thus easing the burden and duplication inherent in manual compliance management practices. In short, LRM can assess a single control once and apply it to any standard or regulatory requirement. The tool's Risk Intelligence Engine allows it to easily correlate an organization's policy against regulatory standards while measuring the business risk of vulnerabilities in an IT environment.
Its risk profiling offers modeling of the risk between IT assets and the business interest. Assets can be brought into the system with its Connector Development Kit. There are a few prebuilt connectors, SIEMs, vulnerability scanners and patch management solutions. There is also a published application programming interface (API) for bringing in asset data and other security data. Framework Controls capture control requirements mandated for the proper level of risk mitigation. This effort maps controls to satisfy compliance requirements. The Assessment Controls function assesses the technical, physical and procedural controls to provide a single view and measure (score) of compliance. Risk and Compliance Reporting delivers a metrics-driven set of reports supporting executive decision-making.
The survey process drives the business risk assessment and covers vulnerabilities, environmental/natural risks, loss or theft risk, and regulatory failure. It uses analytics to assist in the review of risk. Administrators can employ the heuristics engine to effectively analyze control scores to discover patterns, such as a certain group of subjects that contribute disproportionately to a poor compliance score, or a certain type of control that fails across a broad array of subjects.
To assist in managing the raw amount of data associated with each of these, LRM analyzes the data and puts it into a category of meaningful, neutral or less meaningful. Each of these can be assigned a custom risk value that rolls up into the final risk calculation.
Lumension provides both standard and premium support options as part of its subscription cost of the software. Standard options include 8 a.m. to 5 p.m. phone-based technical aid, along with email assistance with one-day response and access to the Lumension online customer portal and knowledge base. Premium support is available for a fee and includes 24/5 live phone support. - ML