Symantec Control Compliance Suite v11
Strengths: Dynamic dashboards; pivot-based reporting; full integration between managers.
Weaknesses: Licensing model; support is costly.
Verdict: Well integrated, full featured, all-encompassing GRC platform.
Symantec Control Compliance Suite (CCS) automates key IT risk and compliance management tasks. It is an integrated solution comprising several different modules, including vulnerability, security, risk, policy, assessment and vendor risk management. Users can deploy a combination of these modules to meet business objectives. The CCS risk approach is to define the business asset that one wants to manage, understand the IT risk for this asset, prioritize remediation based on IT risk, and then monitor risk reduction.
CCS Risk Manager is a new module that allows users to create a view of IT risk as it relates to a business asset - whether that's a business process, group or function. This piece provides the ability to define a virtual business asset that one can manage from an IT risk perspective. By grouping together all of the IT ingredients associated with one's virtual business asset, the user can manage the composite risk associated with it. Risk can then be determined from assessment-driven results and vulnerability information.
The Policy Manager helps one plan for internal and external audits using more than 150 customizable policy templates, all mapped to centralized controls. Policy lifecycle management and policy-attestation tracking are both built into the module. The Assessment Manager delivers out-of-the-box content for multiple regulations, frameworks and best practices. Its content is based on an OVAL (Open Vulnerability and Assessment Language) model. Symantec also delivers content from its own content team. Vulnerability Manager delivers end-to-end vulnerability assessment of web functions, databases, servers and other network devices. Additionally, CCS natively gathers security configuration data from server, database and application platforms. Data can also be consumed from external asset systems, including Active Directory, Altiris and other configuration management databases (CMDBs). Third-party assessment data is ingested through External Data Integration and Connectors using comma-separated values (CSV), open database connectivity (ODBC), or web service connectivity. Advanced risk scoring allows users to differentiate between real and potential threats, ensuring the most critical and exploitable vulnerabilities are given priority when it comes to remediation efforts.
Dynamic dashboarding and reporting are updated in this release - and are well done. Risk and compliance scores roll up neatly, and the ability to move right from reporting into remediation workflows, controls review and risk-scoring detail helps every level of user. The data framework and extensive controls library provide a normalized view of one's data, and the analytics capabilities deliver valuable information to the reports and dashboards. One can move right from graphical views directly into the pivot-based detail, making it simple to research or interrogate the information.
No base support is included with the product. There are basic and essential assistance options available for purchase at 23 and 28 percent of the manufacturer's suggested retail price. Support options are accessible via phone, email or web. - ML