enablement of additional use cases, which is required for Archer's expansion into the EGRC market. Archer's SmartSuite Framework is sold primarily as software, but is also provided as a software-as-a-service offering that's sometimes used as a quick start for new customers.
The product's main strengths are the following.
1. The software offering provides a flexible framework that can be adapted to resolve a variety of GRC use cases;
2. The ability to customize to fit needs and existing processes;
3. Pending integration with other products in the EMC/RSA portfolio.
However, the product has the following problems.
1. Cost is frequently raised as an issue by customers and other evaluators;
2. The Archer Technologies road map may be at risk after the acquisition - especially the support for providing EGRC platform functions, due to the IT-centric nature of EMC's core businesses.
MetricStream offers the EGRC Platform. The company recently introduced the MetricStream IT GRC Solution to address IT GRCM use cases. Control self-assessment survey, policy distribution and attestation support are provided. The product provides basic support for the general computer control use case through out-of-the-box integrations with BigFix for security configuration assessment, Nessus (through a third party) for vulnerability assessment, and others through a user-configurable adapter. Native automated IT assessment capabilities are not provided. Control management mappings are all based on the unified compliance framework, thereby making MetricStream most appropriate for organisations seeking a top-down approach to IT GRCM.
The product's main strengths are the following.
1. Good survey functions, including automatically generated surveys from controls and some out-of-the-box survey content;
2. Native connectors to selected third-party vulnerability management products;
3. Good customer support.
However, the product has a problem. Content is all based on the unified compliance framework, which supports the approach of using a single assessment result as a part of different reports, thereby limiting applicability for bottom-up, IT-centric control management requirements.
Modulo is an established IT GRCM vendor with executive management in Brazil and the U.S., with European operations, and with a growing North American presence. It has the ability to address EGRC use cases. The company is large and the products have a good track record, which positions them to do well in North America. Modulo continued to improve its sales and marketing presence in North America through 2009. Modulo has a sales office in the U.S., but its visibility in competitive evaluations remains limited. IBM Global Services uses Modulo in its risk assessment consulting engagements. Modulo's Risk Manager supports the self-assessment, audit support and automated general computer control use cases. In addition, Risk Manager delivers a large amount of content for IT technical controls, as well as predefined policy content for most major security configuration standards. Version 7, which is scheduled to be released in May 2010, provides a new user interface.
The product's main strengths are the following.
1. Mature products and a strong company;
2. Good auditor workflow support;
3. Large amount of vendor-developed content for IT technical controls, and predefined policy content for most major security configuration standards;
4. Native support for general computer control and formal support for multiple vulnerability assessment products.
However, the product has the following problems.
1. The maturity of the product has made its interface complex for users;
2. End users have reported configuration difficulties.
OpenPages is an EGRC product, but it has recently introduced the component named ITG that provides support for some IT GRCM use cases that are dependent on the unified compliance framework. The majority of OpenPages customers use ITG for policy management, risk management and compliance reporting. Policy distribution and attestation functions are flexible and customizable, but the product currently lacks IT-specific content in this area. The major weakness of the product is in the area of automated general computer control measurement. There are no predefined security configuration policies and no native capability of supported integrations for security configuration assessment or vulnerability assessment. OpenPages is most appropriate for organisations taking a top-down approach to GRCM requirements.
The product's main strengths are the following.
1. Use cases that focus primarily on EGRC and secondarily on IT GRCM;
2. Policy management and self-assessment.
However, the product has the following problems.
1. Automated collection for general computer control support is limited to a generic integration interface, and integration with only one product from a third-party vendor is available;
2. Vulnerability assessment support is in development;
3. IT-specific content is dependent on unified compliance framework mappings.
Security has rebranded to Rsam to reflect the evolving usage of its product beyond traditional IT security use cases. The Rsam product is a strong IT GRCM offering with the ability to support non-IT requirements. Although Rsam doesn't have its own data collection service, it supports a third-party application programming interface for customers to execute their own scripts, and supports multiple formats for import from third-party data collection products. Rsam also supports remediation and exception management with good workflow, and the risk management function has the capability to create scoring and correlation among objects, survey responses and control states. Organisations seeking to automate operational risk assessment, audit automation and IT control management should consider Rsam.
The product's main strengths are the following.
1. Strong, flexible survey functions with a large amount of predefined content, and 30 or more predefined surveys;
2. Good workflow to manage the identification and remediation of threats;
3. An application programming interface that customers have used to integrate with other third-party data collection products;
4. Formal integration with 17 commercial scanners;
5. Flexible drag-and-drop customization for interface and reporting.
However, the product has the following problems.
1. Rsam lacks a native general computer control collection capability;
2. No predefined security configuration policies.
Symantec's Control Compliance Suite (CCS) is specifically focused on IT GRCM and comprises three modules: Policy Manager, Standards Manager and Response Assessment Manager. Automated general computer control is provided by the CCS Standards Manager, which is widely deployed by customers for configuration policy compliance in the security operations role. Symantec has the largest installed base of security configuration policy compliance customers, which is spread across its CCS Standards Manager and Enterprise Security Manager products. Symantec is selling Control Compliance Suite into this installed base, and is beginning to sell it to buying centres that are oriented toward risk and policy management; however, automated computer control measurement often isn't the initial focus of these other buying centres. The solution is not optimal for organisations that want integration with third-party assessment technologies, because Control Compliance Suite does not provide out-of-the-box integration with non-Symantec sources. Control Compliance Suite is most appropriate for Symantec-centric organisations, but not recommended for organisations with top-down EGRC requirements.
The product's main strengths are the following.
1. Automated general computer control definition and measurement, especially for Symantec products;
2. Largest installed base of general computer control and measurement users;
3. Potential to capitalize on a large service organisation;
4. Symantec has strong native security configuration assessment capabilities, and also has native network vulnerability assessment functions.
However, the product has the following problems.
1. Use cases that aren't focused on Symantec technologies for configuration assessment;
2. Third-party general computer control support is limited to a generic interface - no formal support of specific third-party sources;
3. Symantec integrates with third-party ticketing systems, but has only basic support for remediation workflow within CCS;
4. Mostly compliance reporting with only a light treatment of risk.
Telos provides services and software products primarily to the U.S. federal government, and is still in the early stages of its expansion into commercial segments. Telos Xacta IA Manager is primarily oriented to compliance with government regulations, such as the U.S. Federal Information Security Management Act (FISMA), automated general computer control measurement, risk assessment (of technical controls) and tracking mitigation activities. Telos has expanded Xacta content for common commercial regulations and control frameworks, but the company still lacks significant experience in servicing commercial organisations. U.S. federal agencies with FISMA requirements should put Telos on their shortlists for IT GRCM products.
The product's main strengths are the following.
1. Appropriate for organisations that need to comply with government regulations;
2. Strong support for automated general computer control measurement and mitigation workflow;
3. Comprehensive asset-oriented technical assessment, survey evaluation, and reporting. general computer control - strong native capability in combination with formal integration, with a few major scanners.
However, the product has the following problems.
1. Development of policy and control framework content for commercial regulations;
2. Little support for