Compliance professionals know that governance, risk and compliance efforts don't often get the appropriate level of consideration when it comes to securing investment dollars for software tools and new funding for process improvements. Many organizations will instead prioritize technical tools or tools that are directly business-visible when it comes to investments.
This puts compliance professionals in a precarious position. They are already under pressure from the number and complexity of current regulations, and there are also new regulations on the horizon that make accessing the right tools imperative. Yet, the investment dynamics make it challenging for a practitioner to get those tools.
One way to help mitigate this is to use free and open source tools to automate portions of governance, risk and compliance (GRC) activities. Open source, free GRC tools have advantages from a procurement standpoint.
Nothing will completely remove implementation costs -- no matter how much the software costs, someone needs to install and configure it -- but the initial budget hit will be small and require little or no upfront investment. This can mean that compliance professionals have access to a tool their organization would otherwise have to buy that they can instead use in the short term in parallel to the budget cycle.
There are a few open source tools that may help with some elements of GRC. Not every tool will be appropriate for every organization, and there are dozens, if not hundreds, of others. However, let's focus on seven free GRC tools that can have an immediate benefit to GRC efforts in the majority of organizations, grouped into three areas: audit management, control validation and resources for the cloud.
Low-cost audit management
Audit management systems (AMSes) can be a boon for an organization's GRC program for a few reasons. Not only do they provide a central repository for internal and external audit findings, but they also can streamline other aspects of the audit process, such as workflow and evidence gathering. But commercial systems are usually pricey.
In a pinch, however, open source project management and bug-tracking tools can fulfill many of the same functions as a commercial AMS.
Some of the free GRC tools in this category are Redmine, OTRS and MantisBT, all of which are open source issue tracking, documentation and workflow platforms.
Redmine's features include support for multiple simultaneous projects; ticket creation and resolution workflow; wiki and other collaboration capabilities for team coordination; issue tracking; built-in project management features, like Gantt charts; and file management. A bug and feature tracking tool like Redmine -- which is included in the default repository of distributions like Debian -- can be customized and used for many of the same purposes as an AMS. This includes managing issues, tracking remediation progress, retaining a record of work effort such as audit workpapers and general internal information sharing.
For example, the screenshot below illustrates how you might create a new project within Redmine to track a discrete audit task, such as testing validation activities for an audit of a hybrid cloud virtual environment.
Applying a bit of creativity, compliance professionals can not only manage workflow, but also track management responses to observations, evidence and evidence-gathering procedures and record workpapers in one place as they are produced.
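The mapping described above (one audit becomes a Redmine project, each observation becomes an issue that carries its control, evidence reference and a slot for the management response) can be scripted against Redmine's REST API. The following is an added example, not code from the article or from the Redmine project. The server URL, API key and the priority ids are placeholders and assumptions; the findings are constructed sample data.

```python
"""Record audit findings as Redmine issues via the Redmine REST API (JSON)."""
import json
import re
import urllib.request

# Assumed deployment values; replace with your own instance and key.
REDMINE_URL = "https://redmine.example.internal"
API_KEY = "REPLACE-WITH-YOUR-API-KEY"

# Constructed sample findings, as an audit lead might record them.
SAMPLE_FINDINGS = [
    {"ref": "HC-01", "title": "Hypervisor patch level below baseline",
     "severity": "high", "control": "Patch management",
     "evidence": "scan-2024-03-01.xml"},
    {"ref": "HC-02", "title": "Shared admin account on vCenter",
     "severity": "medium", "control": "Access control",
     "evidence": "account-listing.csv"},
]

# Assumed priority ids; check Administration > Enumerations in your instance.
PRIORITY_IDS = {"high": 4, "medium": 3, "low": 2}


def project_identifier(name):
    """Derive a Redmine project identifier from a human-readable name.

    Redmine only accepts lowercase letters, digits, dashes and underscores,
    requires a lowercase letter first, and caps the length at 100."""
    ident = re.sub(r"[^a-z0-9_-]+", "-", name.lower()).strip("-")
    ident = re.sub(r"^[^a-z]+", "", ident)
    return ident[:100] or "audit"


def project_payload(name, description):
    """Body for POST /projects.json; private so findings are not world-readable."""
    return {"project": {"name": name,
                        "identifier": project_identifier(name),
                        "description": description,
                        "is_public": False}}


def issue_payload(project_ident, finding):
    """Body for POST /issues.json: one finding becomes one issue, and the
    description keeps the evidence reference so workpapers link back."""
    desc = (f"Control: {finding['control']}\n"
            f"Severity: {finding['severity']}\n"
            f"Evidence: {finding['evidence']}\n"
            "Management response: (pending)")
    return {"issue": {"project_id": project_ident,
                      "subject": f"[{finding['ref']}] {finding['title']}",
                      "description": desc,
                      "priority_id": PRIORITY_IDS.get(finding["severity"], 3)}}


def post_json(path, payload, opener=urllib.request.urlopen):
    """POST a JSON body with the X-Redmine-API-Key header; opener is injectable for testing."""
    req = urllib.request.Request(
        REDMINE_URL + path,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "X-Redmine-API-Key": API_KEY},
        method="POST")
    with opener(req) as resp:
        return json.load(resp)


def create_audit(name, description, findings, opener=urllib.request.urlopen):
    """Create the audit project, then one issue per finding; returns the issue responses."""
    proj = project_payload(name, description)
    post_json("/projects.json", proj, opener)
    ident = proj["project"]["identifier"]
    return [post_json("/issues.json", issue_payload(ident, f), opener) for f in findings]


if __name__ == "__main__":
    created = create_audit("Hybrid Cloud Audit 2024",
                           "Validation testing for the hybrid cloud virtual environment",
                           SAMPLE_FINDINGS)
    print(json.dumps(created, indent=2))
```

The `opener` parameter exists so the request path can be exercised without a live server; in production the default `urllib.request.urlopen` is used and the API key should come from a secret store rather than the source file.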
Many other issue trackers provide this functionality beyond Redmine. For example, organizations might instead prefer a similar tool like OTRS or MantisBT.
OTRS includes ticket creation and resolution workflow, team chat and collaboration capability, issue resolution history and a mobile-friendly UI. The OTRS ticketing system enables users to document action steps as they happen so they can be referenced for auditing purposes.
Automated OTRS process management features can help with data privacy regulation management by ensuring data management rules control how sensitive information is handled and processed throughout its lifecycle.
The Mantis Bug Tracker's features include ticket creation and resolution workflow, notifications, identification of the specific files causing issues and customizable reporting features.
Redmine, OTRS and MantisBT are noteworthy because they offer significant flexibility and customization in how issues are tracked and in the workflows they support.
You won't get all the comprehensive features of a commercial AMS with an approach like this since these are designed around a specific use case. But 80% of the functionality is usually better than 0% when you can't get traction any other way.
Low-cost control validation
One of the many GRC program challenges, regardless of size, is the ongoing management and validation of the technical controls implemented to enforce policy decisions. Implementing a control as a risk management decision is one thing; being able to prove that it's working is another.
Some of the tools used for asset management can be co-opted to provide data on technical control operation, similar to functionalities found in IT GRC tools.
A couple of these tools that are worth noting include OpenVAS, or Open Vulnerability Assessment System, an open source vulnerability scanning tool, and GLPI, an open source asset management and inventorying tool.
OpenVAS features include parallel scanning, web UI, customizable scan reporting, performance tuning capabilities, intuitive dashboard and prioritization of issues based on severity.
A tool like OpenVAS can validate the efficacy of system configuration processes and patch management controls. Scan results provide evidence that systems are configured in a hardened manner, that configuration standards are applied appropriately and that software is kept at the anticipated patch level. You can also use asset management-focused tools to help in a similar vein.
GLPI features include inventorying of virtual or physical hosts, ticket management capabilities, knowledge base creation and project management assistance.
Asset management tools like GLPI also can provide configuration-related details that can support auditing, such as software inventory on the host or other information not available during a vulnerability scan.
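Putting the two together, a vulnerability scan only proves the patch-level control for hosts it actually covered, and the asset inventory is what tells you which hosts were supposed to be covered. The following added example (not code from the article, OpenVAS, Greenbone or GLPI) cross-checks a constructed GLPI-style inventory export against a constructed, simplified OpenVAS-style XML report and produces a pass/fail/not-scanned verdict per in-scope host. The CSV columns, the XML layout and the 7.0 severity threshold are assumptions; real Greenbone reports carry many more fields, so adapt the element paths to your export.

```python
"""Validate a patch-level control by joining asset inventory with scan results."""
import csv
import io
import xml.etree.ElementTree as ET

# Assumed control statement: no finding at severity 7.0 or above on in-scope hosts.
SEVERITY_THRESHOLD = 7.0

# Constructed GLPI-style inventory export; column names are an assumption.
INVENTORY_CSV = """name,ip,os,in_scope
web01,10.0.1.10,Debian 12,yes
db01,10.0.1.20,Debian 12,yes
lab01,10.0.9.5,Ubuntu 22.04,no
esx01,10.0.2.2,ESXi 8,yes
"""

# Constructed, simplified OpenVAS/Greenbone-style report. Top-level <host> entries
# list every host that was scanned (db01 was scanned but had no findings);
# <result> entries carry individual findings. OIDs are placeholders.
SCAN_XML = """<report>
<host><ip>10.0.1.10</ip></host>
<host><ip>10.0.1.20</ip></host>
<host><ip>10.0.9.5</ip></host>
<results>
<result id="r1"><host>10.0.1.10</host>
  <nvt oid="PLACEHOLDER-OID-1"><name>OpenSSH outdated</name></nvt><severity>7.5</severity></result>
<result id="r2"><host>10.0.1.10</host>
  <nvt oid="PLACEHOLDER-OID-2"><name>TLS 1.0 enabled</name></nvt><severity>4.3</severity></result>
<result id="r3"><host>10.0.9.5</host>
  <nvt oid="PLACEHOLDER-OID-3"><name>Kernel out of date</name></nvt><severity>9.8</severity></result>
</results>
</report>"""


def load_inventory(csv_text):
    """Return in-scope assets keyed by IP; out-of-scope rows are dropped here."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["ip"].strip(): r for r in rows if r["in_scope"].strip().lower() == "yes"}


def load_scan(xml_text):
    """Map each scanned host IP to its list of (finding name, severity).

    Hosts listed at the top level but with no <result> get an empty list, so a
    clean host is distinguishable from one the scanner never reached."""
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.findall("host"):
        ip = (host.findtext("ip") or "").strip()
        if ip:
            findings.setdefault(ip, [])
    for result in root.iter("result"):
        ip = (result.findtext("host") or "").strip()
        name = result.findtext("nvt/name") or "unnamed"
        severity = float(result.findtext("severity") or "0")
        findings.setdefault(ip, []).append((name, severity))
    return findings


def validate_patch_control(inventory, findings, threshold=SEVERITY_THRESHOLD):
    """Classify every in-scope asset: pass, fail (finding >= threshold) or not_scanned."""
    verdict = {"pass": [], "fail": [], "not_scanned": [], "details": {}}
    for ip, asset in inventory.items():
        name = asset["name"]
        if ip not in findings:
            verdict["not_scanned"].append(name)  # coverage gap: no evidence either way
            continue
        above = [(n, s) for n, s in findings[ip] if s >= threshold]
        verdict["details"][name] = above
        verdict["fail" if above else "pass"].append(name)
    return verdict


def report_lines(verdict):
    """Human-readable summary suitable for attaching to a workpaper."""
    lines = [f"PASS: {', '.join(verdict['pass']) or '-'}",
             f"FAIL: {', '.join(verdict['fail']) or '-'}",
             f"NOT SCANNED (coverage gap): {', '.join(verdict['not_scanned']) or '-'}"]
    for host, items in verdict["details"].items():
        for name, sev in items:
            lines.append(f"  {host}: {name} (severity {sev})")
    return lines


if __name__ == "__main__":
    result = validate_patch_control(load_inventory(INVENTORY_CSV), load_scan(SCAN_XML))
    print("\n".join(report_lines(result)))
```

The "not scanned" bucket is the part auditors most often miss: a host absent from the report is not a passing host, it is a missing piece of evidence, and the inventory is the only way to notice it.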
Resources for the cloud
This last example isn't a software tool, but still can be a useful addition to most organizations' GRC program.
Many companies make heavy use of the cloud. Cloud Security Alliance provides a suite of related resources in its GRC Stack that can be useful when it comes to assessing, validating and otherwise ensuring that cloud is employed in a manner commensurate with your organization's risk tolerances.
While all of the subareas within GRC Stack are useful, two are particularly helpful: the Cloud Controls Matrix (CCM) is a matrix of controls applicable to cloud environments, and the Consensus Assessments Initiative Questionnaire (CAIQ) is a questionnaire built on CCM for cloud vendor information gathering.
CCM and CAIQ would be good options for organizations focused on improving their GRC program's effectiveness and maturity.
CCM provides a list of controls that are applicable within a cloud security context, mapped to many of the regulations in an enterprise's compliance scope. CCM can be directly integrated into cloud providers' risk management reviews or used to connect organizational compliance with regulatory requirements.
CCM is composed of 133 control objectives that are structured in 16 domains covering several aspects of cloud technology. It can be used to help assess a cloud implementation's success and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.
CAIQ is a standardized information-gathering questionnaire that includes key questions to ask cloud vendors during risk reviews. This questionnaire can be incorporated directly into an organization's GRC program and used as part of vendor risk reviews and evaluations. This can be done either as a supplement to other information-gathering activities -- like organization-specific vendor questionnaires or generic questionnaires, like the Shared Assessments Standardized Information Gathering -- or as the sole information gathering vehicle for cloud providers.

There are plenty of free tools that can streamline an organization's GRC program. Employing free GRC tools to help provide much of the same functionality as commercial tools will come in at a fraction of the cost. It may take some creativity and customization to adapt the tools to your usage, but they can provide just as much value to GRC efforts.