1.4 Modern IS management solutions
1.4.1 Analytical overview of the existing solutions
The information below supports an analysis of the GRC solutions present on the worldwide market as of April 2010. The research considers the products of the dominating vendors (Agiliance, BWise, ControlCase, EMC (RSA), MetricStream, Modulo, OpenPages, Rsam, Symantec, Telos, Trustwave, Lumension).

Agiliance remains a leader in the IT GRCM market. Although it was one of the original vendors to provide an out-of-the-box architecture, Agiliance moved to a modular offering in late 2009. The highlight of the RiskVision offering remains its intuitive interface and its top-down approach to managing IT-related controls. Agiliance continues with a Strong Positive rating in 2010 and should be considered by organisations that require balanced IT GRCM functionality across all categories. The product's main strengths are the following.
1. Good out-of-the-box policy and assessment data;
2. The risk assessment functions are comprehensive;
3. Good detail and flexibility for confidentiality, integrity and availability assessments.
However, the product has a problem: it concentrates more on assessment than on managerial functions.

BWise is an EGRC platform. Specific IT GRCM support includes an asset repository, IT-specific policy and control content, and policy mapping. Although BWise provides a general computer control integration interface, there is no integration with specific applications or platforms. BWise has particular strengths for buyers that are looking for a company-wide approach to GRC rather than an IT-specific solution, but it will be less appealing to buyers that are specifically focused on IT security and configuration management controls. The product's main strengths are the following.
1. Filtering reports to provide targeted views of risks and controls;
2. Productized rules and connectors;
3. The product provides the assertion, review and override workflows that are needed for audit and self-assessment activities.
However, the product has the following problems.
1. No IT-configuration-level content;
2. No out-of-the-box support for common third-party general computer control data sources;
3. No conditional branching in workflow;
4. Limited flexibility in self-assessment compared with other products in the market.

ControlCase offers IT GRCM as software and as a service. ControlCase's primary business is Payment Card Industry (PCI) assessment services, and many of its IT GRCM customers also use ControlCase services. The ControlCase GRC framework is composed of nine modules, including Compliance Manager, Vendor Manager, Merchant Manager, Policy Manager, Audit Manager, Asset and Vulnerability Manager, Incident Manager and Data Discovery. The product natively collects firewall configuration data and evaluates it against PCI requirements, which is unique among IT GRCM vendors. There are also automated sensitive data discovery functions. Self-assessment capabilities are present, but results analysis is basic. ControlCase is most appropriate for organisations with PCI-centric IT GRCM requirements and a need for bundled services. The product's main strengths are the following.
1. Good overall IT GRCM functions;
2. Automated general computer control capabilities are provided natively through a bundled solution and through integrations with a few other vulnerability assessment tools.
However, the product has the following problems.
1. Exception management functions are limited;
2. As a PCI-centric vendor, ControlCase's offerings may not be appropriate for organisations seeking broader IT GRCM use cases.

Archer Technologies (EMC/RSA) offers very good IT GRCM capability, which also supports a promising EGRC function. Archer was acquired by RSA, the Security Division of EMC, in 2009. Archer's SmartSuite Framework provides a suite composed of eight management modules (policy, incident, asset, threat, risk, vendor, business continuity and compliance) that can be integrated. It is oriented toward large companies that value the ability to customize the product to match existing processes. The customizable framework supports the enablement of additional use cases, which is required for Archer's expansion into the EGRC market. Archer's SmartSuite Framework is sold primarily as software, but is also provided as a software-as-a-service offering that is sometimes used as a quick start for new customers. The product's main strengths are the following.
1. The software offering provides a flexible framework that can be adapted to resolve a variety of GRC use cases;
2. The ability to customize to fit needs and existing processes;
3. Pending integration with other products in the EMC/RSA portfolio.
However, the product has the following problems.
1. Cost is frequently raised as an issue by customers and other evaluators;
2. The Archer Technologies road map may be at risk after the acquisition, especially the support for providing EGRC platform functions, due to the IT-centric nature of EMC's core businesses.

MetricStream offers the EGRC Platform. The company recently introduced the MetricStream IT GRC Solution to address IT GRCM use cases. Control self-assessment surveys, policy distribution and attestation are supported. The product provides basic support for the general computer control use case through out-of-the-box integrations with BigFix for security configuration assessment, Nessus (through a third party) for vulnerability assessment, and other tools through a user-configurable adapter. Native automated IT assessment capabilities are not provided. Control management mappings are all based on the Unified Compliance Framework, which makes MetricStream most appropriate for organisations seeking a top-down approach to IT GRCM. The product's main strengths are the following.
1. Good survey functions, including surveys generated automatically from controls and some out-of-the-box survey content;
2. Native connectors to selected third-party vulnerability management products;
3. Good customer support.
However, the product has a problem: its content is all based on the Unified Compliance Framework, which supports using a single assessment result in several different reports but limits applicability for bottom-up, IT-centric control management requirements.

Modulo is an established IT GRCM vendor with executive management in Brazil and the U.S., with European operations and a growing North American presence. It has the ability to address EGRC use cases. The company is large and the products have a good track record, which positions them to do well in North America. Modulo continued to improve its sales and marketing presence in North America through 2009. Modulo has a sales office in the U.S., but its visibility in competitive evaluations remains limited. IBM Global Services uses Modulo in its risk assessment consulting engagements. Modulo's Risk Manager supports the self-assessment, audit support and automated general computer control use cases. In addition, Risk Manager delivers a large amount of content for IT technical controls, as well as predefined policy content for most major security configuration standards. Version 7, which is scheduled to be released in May 2010, provides a new user interface. The product's main strengths are the following.
1. Mature products and a strong company;
2. Good auditor workflow support;
3. A large amount of vendor-developed content for IT technical controls, and predefined policy content for most major security configuration standards;
4. Native support for general computer control and formal support for multiple vulnerability assessment products.
However, the product has the following problems.
1. The maturity of the product has made its interface complex for users;
2. End users have reported configuration difficulties.

OpenPages is an EGRC product, but it has recently introduced a component named ITG that supports some IT GRCM use cases dependent on the Unified Compliance Framework. The majority of OpenPages customers use ITG for policy management, risk management and compliance reporting. Policy distribution and attestation functions are flexible and customizable, but the product currently lacks IT-specific content in this area. The major weakness of the product is in the area of automated general computer control measurement: there are no predefined security configuration policies and no native capability or supported integrations for security configuration assessment or vulnerability assessment. OpenPages is most appropriate for organisations taking a top-down approach to GRCM requirements. The product's main strengths are the following.
1. Use cases that focus primarily on EGRC and secondarily on IT GRCM;
2. Policy management and self-assessment.
However, the product has the following problems.
1. Automated collection for general computer control support is limited to a generic integration interface, and integration with only one third-party vendor product is available;
2. Vulnerability assessment support is in development;
3. IT-specific content is dependent on Unified Compliance Framework mappings.

Relational Security has rebranded to Rsam to reflect the evolving usage of its product beyond traditional IT security use cases. The Rsam product is a strong IT GRCM offering with the ability to support non-IT requirements. Although Rsam doesn't have