GRC Tools Help Manage Regulations


This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."

Download it now to read this article plus other related content.

These questionnaires targeted specific controls that have an impact on the overall risk of the application and include factors like vulnerabilities, cryptographic controls, access control, and so on. The responses to the questionnaires fit directly into the overall risk ascribed to the application. The workflow ensures that appropriate personnel review the submission and are alerted if it is completely noncompliant.

In navigating and using SmartSuite, we found the Archer community to be head and shoulders above what you typically get with a vendor knowledge base or other support portal. The community allows users to interact with each other, ask questions of the Archer engineering team, and receive extensive training on use and configuration of the product.

Archer's Weaknesses
While the product was very strong in policy and risk management, the more technology-centric pieces are not as automated as the other products. There's no autodiscovery function--you add assets by submitting a spreadsheet. While this will satisfy the needs of many organizations, larger firms with extensive asset inventories may find this process error-prone and difficult to maintain.

Monitoring technical controls is also less automated than some of the competition. Archer provides instructions on how to create linkages between automated vulnerability assessment

    Requires Free Membership to View

tools (e.g., Qualys), but automated vulnerability assessments may not give you the whole picture. There's little out-of-the-box integration of additional tools, such as other vulnerability assessment scanners, IPSes, SIEMs, etc., but you can use the flexible API to allow custom data consumption applications to be written using feeds from files/databases, etc.

One nice feature lets you correlate information from a number of threat publication sources, such as Verisign iDefense and Symantec DeepSight, in addition to custom entry of threat data.

While Archer is heavy on policy management, Control Compliance Suite 8.60 (CCS) has a deep focus on the management and monitoring of technical controls, providing quite a bit of functionality to assist in tasks like network discovery, automated validation of host technical configuration, and so on.

The software can be installed in standalone or enterprise mode, depending on whether you intend to host the database on the same box as the information server or use a different box for the database. Additionally, enterprise mode is required if you intend to make use of the Web portal integration with Microsoft IIS. We installed the product in enterprise mode, as this allowed access to the Web portal and supported a remote database and remote data collection.

This was first published in June 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: