Strengths: A very complete GRC solution that is easy to use.
Weaknesses: A bit pricey, but it provides a lot for the money.
Verdict: A strong GRC solution for large enterprises that has all the tools needed to develop and manage a risk and compliance program. Recommended.
Rsam v7.0 is a comprehensive, seventh-generation risk and compliance management solution providing assessments, audit, compliance, control testing, enterprise risk management and incident management. It also manages remediation of threats and vulnerabilities, and covers vendor risk.
The tool is an out-of-the-box governance, risk and compliance (GRC) management platform enabling organizations to seamlessly integrate and manage key elements of risk and compliance programs. These include regulatory and standards-based assessments, data from existing scanning devices and ad-hoc auditor findings. It then applies comprehensive risk analytics, generates metrics and dashboards, and prioritizes and manages the remediation of the resulting issues across repeated lifecycles. Rsam includes an intelligent survey system with out-of-the-box assessments, a universal API import engine, strong workflow with risk analytics capability, advanced risk scoring and drag-and-drop dashboard creation.
Customers can choose to leverage Rsam's pre-populated, best-practice frameworks (including ISO, NIST, COBIT, FFIEC, HIPAA, PCI, BITS, GLBA, SOX), incorporate their own existing templates and processes, or use any combination of the two. All Rsam domains are mapped in the background, allowing clients to assess targets once and then map the responses to multiple areas of compliance. A lot of content is provided with the base solution, and the tool did a great job of providing a summarized, correlated view of risk against various standards and regulatory controls.
The user interface was clean and intuitive and provided a drag-and-drop tool for quickly creating question/response assessments. Full risk-based workflow tools are included, with sign-off/validation controls for awareness and auditing. The solution supports imports from industry-standard vulnerability scanners and asset inventories. The user interface really put a lot of useful information right at our fingertips and made it very easy to drill down and navigate.
Support is available for a fee and includes phone, email and WebEx. The solution can be purchased either as client-side (on-premises) software or as a hosted SaaS offering. The client software typically deploys in 40 to 60 hours on a Windows server and requires a SQL back end.
This is a strong GRC solution for large enterprises. It has all the tools needed to develop and manage a risk and compliance program. We select it as our Recommended product.