Seven considerations when evaluating automated GRC tools

Automated tools can help ease the compliance burden, but financial services firms must first weigh their needs. In this tip, David Strom looks at the top considerations when looking into buying a GRC tool.

There is no shortage of tools to help financial services firms automate their governance, risk and compliance (GRC) requirements. Gartner Inc. earlier this year estimated the total market for GRC tools at $117 million in 2009, and predicted that it will have steady but slow growth for the near term.

As the number of regulations on financial services firms increases, these GRC tools are becoming essential to sort out the various reports demanded by government agencies, as well as a means of being more proactive. Most of the products provide simple dashboards that show at a glance which parts of an organization are in compliance with particular regulations.

Getting started

If you're just starting on the GRC path, a good place to start is the Open Compliance and Ethics Group's site. There you'll find lists of and links to GRC vendors, documents on efforts to standardize an XML schema for GRC reporting and interoperability, and tools to evaluate potential GRC offerings. Basic membership is free.

Another useful source is the Unified Compliance Framework, a model that was first developed by Network Frontiers LLC and the law firm Latham & Watkins LLP and is used now by most GRC vendors to keep track of more than 400 compliance regulations. This framework helps manage conflicting and overlapping compliance requirements and makes it easier to apply a consistent and unduplicated view across regulations such as SOX, GLBA, HIPAA, PCI, and other standards that influence IT policies and procedures.

Many IT and risk managers get their start with GRC analysis by using a simple spreadsheet to track risks and security policies. But that isn't a very scalable or reliable approach, and it is very labor-intensive and error-prone. A far better strategy is to use an automated GRC assessment tool that works by collecting information from your existing IT security apparatus -- firewall configuration logs, vulnerability scans, databases containing customer information and the like. These tools then identify the gaps and can be used by auditors or compliance consultants to bring about greater legal compliance and reduced risk.

Vendors offering GRC tools include: Agiliance Inc. (RiskVision), Archer Technologies (acquired earlier this year by EMC Corp.), Wolters Kluwer's ARC Logics unit (Axentis), BWise Inc. (GRC Platform), eGestalt Technologies Inc. (Secure GRC), Global Velocity Inc. (GV-2010), Lumension Security Inc. (Risk Analyzer), MEGA International (MEGA Suite), MetricStream Inc. (GRC Platform), OpenPages Inc. (General Compliance Management), Thomson Reuters (Paisley Enterprise GRC), QUMAS Inc. (Compliance Solution), Relational Security Corp. (rSam) and Symantec Corp. (Control Compliance Suite).

Before you dive in to evaluate any of these automated tools, here are seven questions to answer that can help shape your analysis:

  1. How does your existing security apparatus integrate with your intended GRC tool? Some of them, such as rSam and Agiliance, have connectors that can directly import vulnerability scans from more than a dozen different products such as Qualys or Nessus. Others require you to parse them via XML, SQL queries or comma-separated files, which can take a lot more time.
  2. Do you want a common framework for identifying risk across all your outward-facing enterprise applications? It may not be necessary if just one department is responsible for most of your response. On the other hand, if you have conflicting risk assessments being conducted by different departments, a common ground may be useful to speed up the questionnaires that are part and parcel of these products.
  3. How flexible and understandable are the reporting sections? It helps to preview this section and understand how much work is needed to produce reports that will make sense to your analysts and executives.
  4. How does the escalation process work when there is a compliance or risk problem and who is ultimately accountable for resolving it? The chosen tool should help this process and have some integrated workflow. It should also be relatively easy to incorporate into your existing authentication schema, such as Active Directory or LDAP.
  5. How much of the vendor's revenue is from software sales versus services? If you are looking for a product that is easier to use and deploy, consider vendors whose revenue is primarily driven by software sales. If you want to pay for consultants and configuration, choose a vendor whose revenue is primarily driven by services.
  6. Do you want on-premises software or SaaS? Some products, like Agiliance, come in both configurations; some, like eGestalt, come only in hosted versions. The latter may be easier to set up and configure and could also cost less, depending on your circumstances. But some companies aren't comfortable with cloud-based services and still prefer on-premises tools for these tasks.
  7. How many pre-set templates come in the box? Some products take the questionnaires from the various compliance regulations and directly incorporate them into their software. Others, such as Global Velocity, don't come with many templates.

As you can see, there is a lot involved in these GRC tools, both in terms of the evaluation as well as in the implementation. Expect these tools to mature over the next several years as demand continues to increase, and also to see GRC features incorporated into existing security devices.

About the author: David Strom is a freelance writer, product reviewer, professional speaker and podcaster based in St. Louis. He has written on networking topics for more than 20 years and is the former editor-in-chief of Network Computing, Tom's Hardware.com, and DigitalLanding.com.