TrustedAgent GRC v5.0.4 is an IT risk and governance tool modeled after the NIST 800-37 risk management framework - with two added steps that include define, categorize, plan, implement, assess, manage, authorize and monitor. The TrustedAgent Risk Management and Compliance Framework is also consistent with other industry information security management frameworks, including ISO 27001 and COBIT. TrustedAgent platform automates IT governance, risk and compliance processes including authorization, compliance, policy management, incident management, vendor and enterprise risk, and vulnerability management in one centrally managed application.
TrustedAgent centrally captures, measures and brings visibility to business and IT risks across business units, operations, functions and subsidiaries or vendors. The define effort starts with an inventory entity which can be a system, site program, vendor or other custom element. There is some effort that goes into setting up the hierarchy and adding in all the relevant detailed data. Entity data can be manually entered or imported via XML or Excel. Users will be configured at this point and manually mapped to entity items. Hardware and software assets will be defined as part of the entity using the same process. This is all accomplished through a web-based user interface and the navigation is much like browsing a web page. Once the basic entity, business definitions and asset definitions are created, TrustedAgent communicates and tracks adherence to policies and procedures, conducts risk reviews to particular standards, identifies exposed risk areas and manages remediation and mitigation activities.
Risks identified from audits, control assessments and vulnerability data are correlated, managed and linked to the affected asset. TrustedAgent offers multiple methods for risk-level determination, corrective action and risk treatment. Findings can lead to a corrective action. The workflow is manual in a sense that one needs to find and assign it a corrective action. There is a policy creation tool using some supplied content if one wishes to create policies versus importing them. The continuous monitoring feature helps keep data current and the integration with the incident management module ensure incidents, vulnerability assessments and compliance controls are identified, evaluated, retested and reported. TrustedAgent is built on a common control framework so the work one does for one body is mapped to the others seamlessly. The control and compliance interface is very good, along with the content authoring module. Users can create content on the fly - reports, etc. - adding anything in the system with little need for technical knowledge. This interface is much like a Google Docs interface and was really a strong plus for TrustedAgent.
Reporting was done well: numerous standard reports are available along with ad-hoc reporting using the tool described above with dashboards, metrics and geo-maps presented graphically with drill-down capabilities.
TrustedAgent is often installed in virtualized environments running on two segregated hardware boxes. The web/application server typically runs Tomcat 7, and the database server runs Microsoft SQL Server 2008. Most deployments integrate with Active Directory and a smart card as preferred authentication methods for users. Both the web/application and database servers use Windows 2008 Server R8 as the operating system.
Trusted Integration provides standard eight-hours-a-day/five-days-a-week phone, email and web support for the first year, and subsequent years if annual maintenance is purchased or a subscription is renewed at 25 percent of the license cost.
