STREAM is an integrated risk management tool delivered as a software product consisting of a database server, an application server and a client component. The client component can be a web server if you so desire. Multi-user deployments require an additional SQL Server implementation as well as an application server, although the two can be combined into a single machine.
The big value in this tool is a low price that brings a lot of functionality. While this solution does not have some of the sophisticated data import mechanisms found on much larger systems, neither is it anywhere near as expensive. For all of that, its reporting and analytics are impressive. It clearly is aimed at providing a useful risk management tool at a low price.
Once data is imported to the tool, it may be played against a number of standards as well as your own internal controls. There are lots of dashboards and drill-down that allow analysts to craft reports that view the organization's risk position from a variety of perspectives. In addition, good workflow management allows creation of task sets for remediation and analysis.
The landing page is a general purpose dashboard and is typical of dashboards for this type of tool. It gives a quick graphical look at the organization's risk posture at that moment. You can drill down for more detail and that detail exposes just about all areas of risk management the average organization needs to address. As with most competent GRC tools, STREAM maps controls to standards and by tracking the controls also tracks the compliance with those standards.
Data can be input in a variety of ways - from manual entry to spreadsheets to direct feeds from vulnerability tests and threat monitoring. There is a lot of emphasis on assets and the impacts of threats and vulnerabilities on them, as well as their individual compliance with standards. One of the tool's strongest features builds on this asset focus: you can map just about anything to anything, allowing a close inspection of where risks emerge and how best to address them. For example, you can map threat asset classes against control asset classes to determine how much applying a particular control to a particular asset will reduce the risk associated with that asset. This, in turn, is mapped back to the applicable control in the applicable standard.
There also is a detailed workflow capability that allows specific actions to be assigned to a particular group or individual, which then tracks the progress of the actions. Additionally, we liked the reporting capabilities. Lots of reports come preconfigured but it is not difficult to create entirely new reports. Some of these reports play against accepted standards, both actual and de facto. For example, there is a report that shows the organization's performance against the SANS Critical Security Controls. This can be a management-style report with quick-review graphs instead of tables of numbers.
Because security events make up an important part of the risk picture, the tool has a good event management capability. This, really, is an extension of workflow management but is specialized toward events. The details of the event appear in a menu and the incident is then assigned to the appropriate individual or group for management.
Support is typical, with a level of assistance included with the annual license fee and an enhanced level available for 20 percent of the license fee. Support includes both email and phone. Standard support guarantees a three-hour response; enhanced support guarantees a one-hour response. The website is clean with a lot of information, including support access, a knowledge base and an FAQ. Pricing is excellent, putting this tool well within the range of most organizations, if only at the single-user level.