Compliance professionals know that governance, risk and compliance (GRC) tends to get short shrift when it comes
to securing investment dollars for software tools and new funding for process improvements.
Some of the tools used for asset management can be co-opted to provide data on technical control operation.
This puts compliance professionals in a precarious position, considering the number and complexity of regulations on the rise. You can do nothing, or you can look for ways to "short circuit" the spending cycle and gain efficiencies despite minimal investment dollars.
One way to do this is to leverage free and open source tools to automate some aspects of GRC. Open source tools have advantages from a procurement standpoint. Nothing will completely remove implementation costs, because no matter how much the software does or doesn't cost, someone needs to install and configure it. But the fact that the initial "hit" is soft vs. hard dollars can make it easier to get deployment traction.
Of course, these tools won't be appropriate for every organization. But, at least for some purposes, they can serve as well as, if not better than, their commercial counterparts.
#1: Low-cost audit management
Audit management systems (AMS) can be a boon for an organization's GRC program for a few reasons. Not only do they provide a central repository for internal and external audit findings, but they also can streamline other aspects of the audit process such as workflow and evidence gathering. But as most organizations that have looked at them in-depth will tell you, commercial systems are usually fairly pricey.
In a pinch, however, open source project management and bug-tracking tools can fulfill many AMS functions. Specifically, tools like OTRS, Redmine and Mantis, when customized, can be used for many of the same purposes as an AMS: managing issues, tracking remediation progress, retaining a record of work effort, etc. With a bit of creativity, this can include managing workflow, tracking management responses to observations and tracking evidence and evidence-gathering procedures. Of course, you can use pretty much any issue tracker to do much of this. We've singled out the three products above because they offer significant flexibility and customization in how issues are tracked and supporting workflow.
Granted, you won't get all the comprehensive features of a commercial audit management system with an approach like this. After all, an AMS is designed around the specific use case -- but 80% of the functionality is usually better than 0% when you can't get traction any other way.
#2: Low-cost control validation
One of the many GRC program challenges, regardless of size, is the ongoing management and validation of the technical controls implemented to enforce policy decisions. Deciding to implement a control as a risk management decision is one thing; being able to prove that it's working is another.
Some of the tools used for asset management can be co-opted to provide data on technical control operation, similar to functionalities found in IT GRC tools. Open source tools like the asset management-focused GLPI can provide a great deal of configuration-related data that can be used either directly to support your GRC program's risk management functions or to support compliance activities like auditing. Other asset management and inventorying tools can be used to do this, but the advantage of GLPI is the extensive directory of plugins available, including links into other inventorying products.
#3: Resources for cloud
This last example isn't a software tool, per se, but still can be useful to most organizations' GRC program. Most companies are making use of the cloud, some more significantly than others. The Cloud Security Alliance (CSA) provides a suite of related resources grouped together under the "GRC Stack" that are very useful for integrating cloud into your GRC program.
While all of the sub-areas within the GRC Stack are useful for organizations, the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ) are particularly helpful for organizations focused on improving their GRC program's effectiveness and maturity. The CCM provides a list of controls that are applicable within a cloud security context, mapped to many of the regulations in an enterprise's compliance scope.
More on GRC tools
These regulations include those coming out of the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corp. (NERC), for example, as well as compliance frameworks like ISO 27001 and COBIT.
The CCM can be directly integrated into cloud providers' risk management reviews or used to connect organizational compliance with regulatory requirements. The CAIQ is a standardized information-gathering questionnaire that includes key questions to ask cloud vendors during risk reviews. This questionnaire can be incorporated directly and used as part of vendor risk reviews and evaluations.
There are plenty of tools out there that can streamline an organization's GRC program. Unfortunately, many of these tools cost money that can be difficult to secure when talking about a less business-focused area like GRC. However, there are some opportunities to pick up free and lower-cost GRC tools to help provide much of this functionality at a fraction of the cost. It just takes a bit of creativity.
Ed Moyle is a founding partner at New Hampshire-based information security and compliance consulting firm SecurityCurve. Moyle previously worked as a senior manager with Computer Task Group Inc.'s global security practice, and prior to that served as a vice president and information security officer at Merrill Lynch Investment Managers.