This is an interesting product. It focuses on taking GRC into an IT environment and aligning it with business priorities to manage security and compliance. For the most part it succeeds at this quite well. The product can be delivered on-premises or from the cloud. The user interface is very clean and, in fact, the main landing page is rather spartan. All that is on it are the tabs for each section of the program and a list of task statuses. While that might seem like a fairly lightweight landing page, in this case less actually is more.
We started out in the assessment menu, selected from the tabs on the landing page. Here the menu was a bit more colorful. It is laid out in sections - Assess, Remediate, Charts and Tools - from which we could select whatever function we needed. This is a very straightforward, icon-populated menu. Since we were logged in as a manager, we decided to check the results of assessment tasks. Once on that page we selected "Submitted Tasks Needing Review" and filtered by project. We got a very concise task list with the status of each one.
Drilling a bit deeper, we selected a task, ComplianceAssessment Task A.10.2.1: Service Delivery in Assess Test. We were provided with the task; the details, including the question to be answered; and the results. In this case, no approvers had checked in on the status of the task.
Had we wished, we could have approached this through the individual risk instead of through the tasks. In that case we would see a complete description of the risk, the appropriate controls, any tasks associated with it, and a space to add it to the risk register. Once we completed the tasks - or not, as the case may be - we could check the domain score charts.
For remediation, the tool sports its own ticketing system, but if you are already invested in something such as Remedy, you likely will be able to connect to it. As with most competent risk management systems, this one has closed-loop remediation, ensuring not only that remediation is completed but that the fix actually works. There is a lot of mapping available, which means that data used in one assessment carries across to other assessments as appropriate.
The assessment domain scoreboard is a beautiful piece of visualization. Unlike just about every similar scoreboard we've seen, this one is a wheel consisting of two concentric circles that line up with audit items in the center and the individual tests associated with them around the outer circle. The tests - or tasks - around the outside show as red or green. The state of a particular audit/assessment - in this case a PCI assessment - is instantly obvious. Details, of course, come when you drill down. Another very useful report is the gap analysis. This shows the difference between what is satisfactory and what is not and what must be done to narrow the gap. Again, lots of drill-down on this one.
The vulnerability section can take data from a variety of tools. One of its most important functions is new asset discovery. When it sees a new asset, it performs a risk analysis of it. Ticket generation is automatic and feeds a workflow. Tickets can be auto-closed or require a human to close them. The policy library is extensive and can be supplemented. New policies can be made from old ones, and the policies can be mapped to specific controls. The tool has a very good incident management system that automates much of the manage-investigate-remediate-report lifecycle. As in the rest of the product, visualization is excellent, and the ability to perform what-if analysis results in very graphical displays.
Price on this is reasonable, with lots of options. Although no support is included, the company prices assistance options in five different price bands. The website is reasonably complete but is a bit shy of support details, focusing more on marketing.