This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."
Download it now to read this article plus other related content.
The product also ships with many benchmark standards to evaluate against, to ensure that appropriate patches are applied and that appropriate configuration steps are taken.
CCS also ships with network mapping capability that allows automatic discovery of devices, which can then be imported into the risk management and asset management view.
We expected CCS to perform very strongly in technical controls validation, but were unprepared for the product to perform equally well in policy and risk management. We were pleased to see the range of technical standards and regulatory frameworks that the product ships with: multiple versions of COBIT (both 3 and 4), FDA regulations, FISMA, HIPAA, NERC (North American Electric Reliability Corp.) guidance and NIST SP 800-53 were all included.
CCS allowed us to import Symantec's questionnaires using content packs or create our own. We used the tool to create an ad hoc vendor evaluation, and found the process painful.
Each questionnaire is represented as a tree view to which questions
| are added. Questions can require single or multiple-choice answers, or written responses. Creating a questionnaire required us to manually enter a large number of customized answers (the templates, which were fine for yes/no questions, rarely supplied the answers we needed).
Once the questionnaire was complete, we used a wizard to assign weights to each of the questions and answer choices. All told, the process took us about an hour to create a 20 questions. If you're planning to make extensive use of this functionality, we recommend using the content packs that supply stock questionnaires rather than creating customized questionnaires from scratch.
Many vendors in the GRC space try to take the "boil the ocean" approach by being everything to everybody. Not Modulo. It doesn't have the compliance-framework creation and policy-centric features of Archer, or the technical control validation capabilities of Symantec. Instead, Modulo's aptly named Risk Manager focuses almost exclusively on the risk aspects of the GRC equation. The functionality within the other areas of GRC serves only to support the risk management mission.
Risk Manager does not have a Web front end (although you can submit questionnaires via the Web), and relies on a number of client-side applications to implement various features.
The installation process gave us quite a bit of trouble initially. Insufficient RAM on the first few lab machines we attempted to install caused the installer to fail (the test machines had double the memory requirements specified in the manual). However, with some coaching from the Modulo engineers--followed by a hardware upgrade beyond the recommended requirements--we completed the installation.
This was first published in June 2008