RSA Archer GRC
Strengths: This is industrial strength GRC. It has just about everything that a large organization needs to manage risk, compliance and governance and is very comfortable with connections to third-party tools.
Weaknesses: This is only a weakness for smaller organizations but this is a pricey product. However, on the other side of that coin, for that level of organization it likely would be overkill.
Verdict: If you are the sort of organization that needs this level of GRC, this one is well worth examining in depth.
The RSA Archer GRC is a platform that integrates with a number of modules such as policy management, vulnerability risk management and content library. The platform is included when any of the modules are purchased and it consists of interface, application and database tiers. The exception is the RSA Archer Vulnerability Risk Management tool which requires a bit more horsepower due to its powerful analytics engine. The system connects seamlessly with a large number of third-party products and threat feeds.
The user interface is interesting in that it has tabs based on functionality. We entered through the Executive tab and found that the charts and drill-downs were appropriate for executive consumption without being "dumbed down." The dashboard has a lot of information on it and, clearly, is designed to answer executive-level questions, such as "What is current compliance posture?"
From the executive level we moved over to the Enterprise Management tab. Here we found menu choices that addressed the business hierarchy, business infrastructure and the IT infrastructure. The top level, as one would expect, is largely charts and graphs. However, selecting a menu item took us to far more detail. In this case there was a lot of detail about the applications on the network.
Policy management is excellent. The policy engine consumes all major standards, and users can input content as well. Searches are fast and exact and all of the mappings that one would expect are available. Here, however, one can not only manage policy but also can manage issues such as audit findings, remediation plans, exception requests and policy change requests. Policies, as expected, are mapped against authoritative industry standards such as NIST, Cobit, etc.
In addition to the mapping between policies and standards, there is a mapping between policies and standards to control procedures. This - the control procedure - is the testable piece, and various types of testing, such as control self-assessment, can be applied here. There is a lot going on in the Policy Center. Here you can manage the policies, standards and procedures. Even the dashboard can be customized to customer needs. In this case, we saw a training and awareness portal.
There is a dedicated portion of the system for compliance management. As with all of the other major functions, compliance has its own dashboard and sidebar menu of functions. There is functionality for change management at the compliance level. The risk management module has an extensive navigation menu sidebar and virtually every aspect of measuring and managing risk throughout the organization is available here.
Of course, the risk module has an associated risk register which documents risks at whatever granularity the organization chooses. This is a very detailed description of risks, including inherent risk, residual risk and warning indicators if the risk requires attention. The system is capable of Monte Carlo simulations. The analytics in the overall system are impressive. Questionnaires can be built and added into the workflow so self-assessment becomes nearly automatic. Negative findings automatically go into a remediation workflow.
Finally, the tool set provides incident management. This is quite sophisticated and, based on the predetermined workflow, appoints an incident handler. The handler can manage the incident completely including managing the Security Operations Center during the incident. Post-incident follow-up can be automated as well.
The Vulnerability Risk Management module consumes vulnerability and threat data and applies sophisticated analytics to derive workflows for tickets, reports, risk management and connection to GRC functionality.
This is a rather pricey tool but it is very serious high-end GRC. For the organizations that need this level of coverage it will benefit. Basic support is included and there are fee-based options as well. The website is well-provisioned and has a very good support section.