Feature

GRC Tools Help Manage Regulations

This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."

You can link evidence with particular answers as well. For example, to support a response to a questionnaire about authentication, you can attach evidence in the form of policy, an export of the appropriate group policy objects governing password characteristics, and so on.

This ability to associate evidence with questionnaires should please auditors, who require proof of a particular control, rather than simply validating that a governing policy exists.

Auditors will also appreciate the ability to generate remediation plans for particular assets based on the results of the questionnaires. The remediation guidance provided for each of the assets in scope is concise, yet thorough.

Risk Manager facilitates governance of vendors and external relationships in a way the other products do not. For example, Risk Manager ships with the ability to perform a risk assessment using the Financial Institution Shared Assessments Program (FISAP) Standardized Information Gathering questionnaire. It also allows you to create "perimeters" (nodes on the organizational tree) for vendors and third parties. While the other products can be configured to do similar things, native support for FISAP out of the box is a real plus for organizations that use Risk Manager in an auditing context.

Other questionnaires can be assigned to assets within the vendor perimeter. This enables you to keep track of assessments performed of a particular vendor, the evidence collected during the assessment, the vendor's compensating controls, etc.

Modulo's Weaknesses
Risk Manager has a few rough edges. First and foremost, the lack of a fully functional Web interface is a significant drawback. While questionnaires can be submitted over the Web, a portal view of the application (including a Web-enabled dashboard) was a sorely missed feature and would provide quite a bit of benefit.

Additionally, installation was challenging; the application has very specific installation prerequisites, and any failure of the installation process (due, for example, to lack of a prerequisite, insufficient memory or a populated database instance) resulted in an error message that required technical support to interpret.

Further, the product appears to be difficult to customize. For example, some of the built-in databases (such as the threat database) are static, precluding user customization.

This was first published in June 2008
