Rsam GRC v8
Strengths: Strong assessment and workflow tool set; strong data import abilities; universal risk taxonomy.
Weaknesses: None noted.
Verdict: Enterprise risk management (ERM) approach is solid, and consolidates, prioritizes and visualizes risk in an ongoing model.
Rsam GRC v8 is a platform for risk management and security risk intelligence enabling organizations to perform risk assessments, manage compliance, threats and vulnerabilities, policies, remediation activities, issues, incidents and more. Rsam differentiates itself from traditional GRC platforms by focusing more on proactive enterprise risk management (ERM).
The tool is offered either as an in-the-cloud SaaS offering or as customer-hosted on-premise software. It runs on Windows Server 2003/2008 with a SQL database backend, IIS and .NET Framework. One can deploy the product on virtual machines, shared environments, clustered environments or standalone servers.
The modules that are part of the suite include: risk, compliance, remediation, threats/vulnerabilities, audit, incident management, policy and vendor risk. These components are all rolled into the risk analytics engine. Modules are licensed separately. There is a brand new user interface in this version - clean and easy to follow - with tabs across the top for the various modules and navigation panes below.
Rsam provides a fully automated policy management lifecycle. In Rsam, policy structures support unlimited hierarchical levels and policies can be authored directly in Rsam or imported from Word, Excel, databases or web API calls. As well, policies can be linked to Rsam's robust content library, encompassing 10,000-plus, road-tested controls, which are carefully cross-mapped across compliance/industry standards, such as ISO 27002, FFIEC, GLBA, NIST, COBIT, HIPAA, PCI and SOX. Form-driven menus drive users through the assessment-creation process and one has an automated workflow to move, measure and manage the assessment through the process. The data gathering and bulk management of the information is impressive.
The risk analytics module creates dynamic rules that maximize management of policies, risks and findings. Customers can define their own custom risk-driven rule sets. The output of the assessments and of the threat and vulnerability imports generates "findings."
Getting data into Rsam has been enhanced in this release. The tool's universal connector is data-source agnostic and allows customers to integrate data from other existing tools without waiting for Rsam to establish a formal relationship with that third-party product. The universal connector integrates with just about any other tool, via direct API calls, database queries, file exchanges or simple SMTP messaging.
Also, there are numerous out-of-the-box risk management reports, plus a tool for creating custom dashboards. The new dashboards are solid. Also new are capabilities for universal and metrics search that allow for the scheduling of a function to be run and posted to a dashboard.
The built-in documentation and help function is done well. Training, a knowledge base and help guides have all been updated. Rsam annual support and maintenance comes in at 20 percent of software license fees. Technical support is provided via phone, email and WebEx. Support hours are 8 a.m. to 8 p.m. EST. Assistance includes updates/upgrades to Rsam software and content templates. - ML