IT GRCM technology continued to mature through 2009 and growth is steady, but the market remains relatively small ($117 million in 2009) because most organisations are not ready to implement IT GRCM automation. The market continued to grow during the worldwide economic downturn in 2009, indicating that automating the mapping and measurement of compliance controls remains a priority for organisations.

EGRC platforms serve organisations that take an enterprise approach to compliance and risk management, and that want to have all business units, including the IT organisation, on the same GRCM solution. Most vendors with EGRC platforms offer modest IT governance automation functions. At a minimum, most EGRC vendors offer the capability to document, survey and report IT risks and controls, but lack IT-specific content. Some vendors also provide limited support for an IT asset repository and IT policy management. Organisations with a primary interest in IT-centric GRCM requirements should be aware that most EGRC platforms balance finance, operational and IT requirements at the expense of IT-centric depth.

IT GRCM products support operational risk management through functions that measure, manage and report on IT-centric technology and process controls. Organisations can use IT GRCM products to document and assess their IT-centric technology and process controls. The core IT GRCM functions are the following:
- Controls and policy mapping;
- Policy distribution and training attestation;
- IT control self-assessment and measurement;
- IT GRCM asset repository;
- Automated general computer control collection;
- Remediation and exception management;
- Basic compliance reporting;
- IT compliance dashboards;
- IT risk evaluation.

IT GRCM software products also help organisations to proactively measure and manage their IT technology and process controls. The typical additional functions of these products are the following:
- Definition of IT policies, processes and controls that are based on best practices;
- Management of policy content;
- Mapping policies to process and technical controls, as appropriate;
- Automating the measurement of process and technical controls;
- Evaluating levels of compliance with various mandates;
- Automating the auditing and regulatory reporting of these elements.

Organisations should define their basic approach as top-down or bottom-up, and use this to guide their requirements definition.

A top-down approach implies that IT GRCM is only one of the control categories that will be measured and reported, along with financial governance and operational requirements such as environmental, health and safety. Top-down usually requires less detailed requirements for gathering general computer control data, such as configuration and patch data, but places a premium on higher-level reporting to executives. A top-down approach is more appropriately addressed with EGRC platforms.

A bottom-up approach implies greater detail in IT controls for an IT-centric audience. Many organisations use IT GRCM to organise their vulnerability scan, patch and configuration control data. Traditional IT GRCM tools are more appropriate for IT-specific requirements.

The most significant limiting factor for IT GRCM and EGRC products is the divergence of requirements between top-down and bottom-up approaches. In many cases, organisations are buying two separate tools, indicating that this difference is more substantial than just vendor marketing and different buying centres. The divergence is based on the differences in management and reporting requirements for top-down vs. bottom-up.
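An added illustration of the bottom-up functions listed above (mapping policies to technical controls, automated collection and measurement of general computer control data such as patch and configuration state, exception management, and compliance reporting rolled up per mandate and per asset). This is example code written for this page, not any vendor's product; the asset records, the policy and control identifiers, the mandate names and the exception register are all constructed for the example.

```python
"""Toy IT GRCM control-mapping and measurement engine (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Tuple

# Constructed sample of "general computer control" data, standing in for what a
# real IT GRCM tool would collect from patch and configuration scanners.
ASSETS = [
    {"id": "web-01", "patch_age_days": 12, "ssh_root_login": False, "fw_default_deny": True},
    {"id": "db-01", "patch_age_days": 45, "ssh_root_login": False, "fw_default_deny": True},
    {"id": "jump-01", "patch_age_days": 3, "ssh_root_login": True, "fw_default_deny": False},
]


@dataclass(frozen=True)
class Control:
    cid: str
    description: str
    policy: str                     # policy statement this control implements
    check: Callable[[dict], bool]   # automated technical test over asset data


@dataclass(frozen=True)
class ApprovedException:
    asset: str
    cid: str
    expires: date                   # exceptions are time-boxed, not permanent


# Technical controls, each mapped to a (constructed) policy identifier.
CONTROLS = [
    Control("C-PATCH", "Critical patches applied within 30 days", "P-PATCH",
            lambda a: a["patch_age_days"] <= 30),
    Control("C-SSH", "Direct root login over SSH disabled", "P-ACCESS",
            lambda a: not a["ssh_root_login"]),
    Control("C-FW", "Host firewall defaults to deny", "P-NETWORK",
            lambda a: a["fw_default_deny"]),
]

# Policy-to-mandate mapping. The mandate names are constructed placeholders,
# not real regulations; one policy may satisfy several mandates.
MANDATES = {
    "MANDATE-A": {"P-PATCH", "P-NETWORK", "P-ACCESS"},
    "MANDATE-B": {"P-PATCH"},
}

# Constructed exception register: one live, one already expired.
EXCEPTIONS = [
    ApprovedException("db-01", "C-PATCH", date(2099, 12, 31)),
    ApprovedException("jump-01", "C-FW", date(2009, 12, 31)),
]


def evaluate(assets, controls, exceptions, today: date) -> List[dict]:
    """Run every control against every asset and apply unexpired exceptions."""
    live = {(e.asset, e.cid) for e in exceptions if e.expires >= today}
    findings = []
    for asset in assets:
        for c in controls:
            if c.check(asset):
                status = "pass"
            elif (asset["id"], c.cid) in live:
                status = "excepted"      # non-compliant but formally accepted
            else:
                status = "fail"          # goes to the remediation queue
            findings.append({"asset": asset["id"], "control": c.cid,
                             "policy": c.policy, "status": status})
    return findings


def _percent(findings: List[dict]) -> float:
    """Share of findings that are compliant (pass or excepted), to 0.1 %."""
    if not findings:
        return 0.0
    ok = sum(f["status"] in ("pass", "excepted") for f in findings)
    return round(100.0 * ok / len(findings), 1)


def compliance_by_mandate(findings, mandates) -> Dict[str, float]:
    """Roll findings up through the policy mapping to a per-mandate score."""
    return {name: _percent([f for f in findings if f["policy"] in policies])
            for name, policies in mandates.items()}


def compliance_by_asset(findings) -> Dict[str, float]:
    """Per-asset view, the kind of figure an IT compliance dashboard shows."""
    ids = sorted({f["asset"] for f in findings})
    return {a: _percent([f for f in findings if f["asset"] == a]) for a in ids}


def remediation_queue(findings) -> List[Tuple[str, str]]:
    """Open failures that still need remediation or an exception decision."""
    return sorted((f["asset"], f["control"])
                  for f in findings if f["status"] == "fail")


if __name__ == "__main__":
    today = date(2010, 4, 1)   # assumed report date for this example
    results = evaluate(ASSETS, CONTROLS, EXCEPTIONS, today)
    print("by mandate:", compliance_by_mandate(results, MANDATES))
    print("by asset:  ", compliance_by_asset(results))
    print("to fix:    ", remediation_queue(results))
```

The design point worth noticing is that an approved exception changes the reported status but never deletes the underlying failure: the expired exception on the jump host drops back to a plain failure, and the mandate score is computed from the policy mapping rather than from the controls directly, which is what lets one set of technical checks feed several compliance reports.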
Top-down tends to be led by enterprise risk management teams addressing business executive requirements, whereas bottom-up requirements are typically led by IT or information security operations teams. The vendors continue to add functions that overlap top-down and bottom-up requirements, but convergence will only happen when organisations stop buying multiple tools to address diverging requirements and agree on one tool as addressing both approaches comprehensively.

For the comparison of GRC products, the following evaluation criteria are used.

Market understanding - the capability of the vendor to understand the buyer and the major functional requirements of an IT-focused GRC deployment, as opposed to the requirements of finance or operational-risk-focused GRC deployments. This criterion is weighted high in the overall estimation.

Customer experience - feedback from customers that have evaluated or deployed IT GRCM solutions is assessed with regard to the fit of function to IT GRCM use cases, the maturity and stability of IT GRCM functions, the code quality and the quality of support. This criterion is weighted standard in the overall estimation.

Strategy - an evaluation of the vendor's overall strategy for IT GRCM, including the sales strategy, product differentiation, capability to capitalise on an existing customer base, and the use of GRC capabilities to enhance other elements of a technology portfolio. This criterion is weighted low in the overall estimation.

Product/service - an evaluation of IT GRCM feature sets as they map to current and future requirements, with a focus on IT-specific GRC content, IT control assessment automation, and the capability to assess at IT asset level. This criterion is weighted high.

Sales execution/pricing - an evaluation of the vendor's success in the market, based on the size and growth rates of the customer base and revenue. This criterion is weighted low in the overall estimation.

Operations - the capability of the organisation to meet its goals and commitments in sales, development and product support. This criterion is weighted low.
1.4 Modern IS management solutions

1.4.1 Analytical overview of the existing solutions

This document provides the information for the analysis of GRC solutions present on the worldwide market as of April 2010. The research considers products of the dominating vendors (Agiliance, BWise, ControlCase, EMC (RSA), MetricStream, Modulo, OpenPages, Rsam, Symantec, Telos, Trustwave, Lumension).

Agiliance remains a leader in the IT GRCM market. Although one of the original vendors to provide an out-of-the-box architecture, Agiliance moved to a modular offering in late 2009. The highlight of the RiskVision offering remains its intuitive interface and its top-down approach to managing IT-related controls. Agiliance continues with a Strong Positive rating in 2010, and should be considered by organisations that require balanced IT GRCM functionality across all categories. The product's main strengths are the following.
1. Good out-of-the-box policy and assessment data;
2. The risk assessment functions are comprehensive;
3. Good detail and flexibility for confidentiality, integrity and availability assessments.

However, the product has a problem: it is concentrated more on assessment than on managerial functions.

BWise is an EGRC platform. Specific IT GRCM support includes an asset repository, IT-specific policy and control content, and policy mapping. Although BWise provides a general computer control integration interface, there is no integration with specific applications or platforms. BWise has particular strengths for buyers that are looking for a company-wide approach to GRC rather than an IT-specific solution, but it will be less appealing to buyers that are specifically focused on IT security and configuration management controls. The product's main strengths are the following.
1. Filtering reports to provide targeted views of risks and controls;
2. Productized rules and connectors;
3. The product provides assertion, review and override workflows that are needed for audit and self-assessment activities.

However, the product has the following problems.
1. No IT-configuration-level content;
2. No out-of-the-box support for common third-party general computer control data sources;
3. No conditional branching in workflow;
4. Limited flexibility in self-assessment compared with other products in the market.

ControlCase offers IT GRCM as software and as a service. ControlCase's primary business is Payment Card Industry (PCI) assessment services, and many of its IT GRCM customers are also using ControlCase services. The ControlCase GRC framework is composed of nine modules: Compliance Manager; Vendor Manager; Merchant Manager; Policy Manager; Audit Manager; Asset and Vulnerability Manager; Incident Manager; Compliance Manager; and Data Discovery. The product natively collects firewall configuration data and evaluates it against PCI requirements, which is unique among IT GRCM vendors. There are also automated sensitive data discovery functions. Self-assessment capabilities are present, but results analysis is basic. ControlCase is most appropriate for organisations with PCI-centric IT GRCM requirements and a need for bundled services. The product's main strengths are the following.
1. Good overall IT GRCM functions;
2. Automated general computer control capabilities are provided natively through a bundled solution and through integrations with a few other vulnerability assessment tools.

However, the product has the following problems.
1. Exception management functions are limited;
2. As a PCI-centric vendor, ControlCase's offerings may not be appropriate for organisations seeking broader IT GRCM use cases.

Archer Technologies (EMC/RSA) offers very good IT GRCM capability, which also supports a promising EGRC function. Archer was acquired by RSA, the Security Division of EMC, in 2009. Archer's SmartSuite Framework provides a suite composed of eight management modules (policy, incident, asset, threat, risk, vendor, business continuity and compliance) that can be integrated. It is oriented toward large companies that value the ability to customise the product to match existing processes. The customisable framework supports the