You can link evidence with particular answers as well. For example, to support a response to a questionnaire about authentication, you can attach evidence in the form of policy, an export of the appropriate group policy objects governing password characteristics, and so on.
This ability to associate evidence with questionnaires should please auditors, who require proof of a particular control, rather than simply validating that a governing policy exists.
Auditors will also appreciate the ability to generate remediation plans for particular assets based on the results of the questionnaires. The remediation guidance provided for each of the assets in scope is concise, yet thorough.
Risk Manager facilitates governance of vendors and external relationships in a way the other products do not. For example, Risk Manager ships with the ability to perform a risk assessment using the Financial Institution Shared Assessments Program Standardized Information Gathering questionnaire. It also allows you to create "perimeters" (nodes on the organizational tree) for vendors and third parties. While the other products can be configured to do similar things, native support for FISAP out of the box is a real plus for organizations who use Risk Manager in an auditing context.
Other questionnaires can be assigned to assets within the vendor perimeter. This enables you to keep track of assessments performed of a particular vendor, the evidence collected during the assessment, the vendor's compensating controls, etc.
Modulo's Weaknesses
Risk Manager has a few rough edges. First and foremost, the lack of a fully functional Web interface is a significant drawback. While questionnaires can be submitted over the Web, a portal view of the application (including a Web-enabled dashboard) was a sorely missed feature and would provide quite a bit of benefit.
Additionally, installation was challenging; the application has very specific installation prerequisites, and any failure of the installation process (due, for example, to lack of a prerequisite, insufficient memory or a populated database instance) resulted in an error message that required technical support to interpret.
Further, the product appears to be difficult to customize. For example, some of the built-in databases (such as the threat database) are static, precluding user customization.