Compliance professionals know that governance, risk and compliance efforts don't often get the appropriate level of consideration when it comes to securing investment dollars for software tools and new funding for process improvements. Many organizations instead prioritize technical tools, or tools that are directly visible to the business, when it comes to investments.
This puts compliance professionals in a precarious position. They are already under pressure from the number and complexity of current regulations, and new regulations on the horizon make access to the right tools imperative. Yet the investment dynamics make it challenging for a practitioner to get those tools.
One way to help mitigate this is to use free and open source tools to automate portions of governance, risk and compliance (GRC) activities. Open source, free GRC tools have advantages from a procurement standpoint.
Nothing will completely remove implementation costs -- no matter what the software costs, someone needs to install and configure it -- but the initial budget hit will be small and require little or no upfront investment. This means compliance professionals can start using a tool their organization would otherwise have to buy right away, in parallel with the budget cycle, rather than waiting on a purchase.
Several open source tools can help with elements of GRC. Not every tool will be appropriate for every organization, and there are dozens, if not hundreds, of others. However, let's focus on free GRC tools that can have an immediate benefit to GRC efforts in the majority of organizations: audit management, control validation and resources for the cloud.
Low-cost audit management
Audit management systems (AMSes) can be a boon for an organization's GRC program for a few reasons. Not only do they provide a central repository for internal and external audit findings, but they also can streamline other aspects of the audit process such as workflow and evidence gathering. But commercial systems are usually pricey.
In a pinch, however, open source project management and bug-tracking tools can fulfill many of the same functions as a commercial AMS tool.
Some of the free GRC tools in this category are Redmine, OTRS and Mantis, all of which are open source issue tracking, documentation and workflow platforms. (One caveat for OTRS: the free ((OTRS)) Community Edition was discontinued at the end of 2020; the open source Znuny fork continues it.)
Redmine's features include support for multiple simultaneous projects, ticket creation and resolution workflow, wiki and other collaboration capabilities for team coordination, issue tracking, built-in project management features like Gantt charts and file management.
OTRS includes ticket creation and resolution workflow, team chat and collaboration capability, issue resolution history and mobile-friendly UI.
Mantis' features include ticket creation and resolution workflow, notifications, linkage of specific files (e.g. workpapers) to issues and customizable reporting features.
A bug and feature tracking tool like Redmine -- which is included in the default repository of distributions like Debian -- can be customized and used for many of the same purposes as an AMS. This includes managing issues, tracking remediation progress, retaining a record of work effort such as audit work papers and general internal information sharing.
For example, the screenshot below illustrates how you might create a new project within Redmine to track a discrete audit task, such as testing validation activities for an audit of a hybrid cloud virtual environment.
Applying a bit of creativity, compliance professionals can not only manage workflow, but also track management responses to observations, evidence and evidence-gathering procedures and record workpapers in one place as they are produced.
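One way to put the workflow above into practice is to register each observation and its workpaper in Redmine through its REST API rather than by hand, so the ticket carries the evidence and a hash of it. The script below is an added example, not code from the article or from the Redmine project. It assumes a Redmine instance with the REST API enabled and reachable at a hypothetical REDMINE_URL with a hypothetical REDMINE_API_KEY; the request shapes follow Redmine's documented POST /uploads.json and POST /issues.json endpoints, while the project identifier, the severity-to-priority mapping and the finding fields are assumptions for the example.

```python
"""Record an audit observation and its workpaper in Redmine over the REST API.

Added example, not code from the article or the Redmine project. REDMINE_URL and
REDMINE_API_KEY are hypothetical environment variables; the project identifier,
severity mapping and finding fields are assumptions for the example.
"""
import hashlib
import json
import os
import urllib.request
from typing import Optional

REDMINE_URL = os.environ.get("REDMINE_URL", "https://redmine.example.internal")  # hypothetical
API_KEY = os.environ.get("REDMINE_API_KEY", "")  # keep the key out of source control

# Priority IDs of a default Redmine install (Low=1 ... Immediate=5); confirm with
# GET /enumerations/issue_priorities.json on your own instance.
SEVERITY_TO_PRIORITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def sha256_hex(data: bytes) -> str:
    """Digest of the workpaper, recorded so later tampering with the attachment is detectable."""
    return hashlib.sha256(data).hexdigest()


def build_issue_payload(project_id: str, finding: dict, evidence_name: str,
                        evidence_bytes: bytes, upload_token: Optional[str] = None) -> dict:
    """Body for POST /issues.json. The finding dict (constructed) carries control,
    title, observation and severity; the evidence hash goes into the description so
    the ticket itself vouches for the workpaper it references."""
    digest = sha256_hex(evidence_bytes)
    description = (
        f"Control: {finding['control']}\n"
        f"Observation: {finding['observation']}\n"
        f"Evidence: {evidence_name} (sha256 {digest})\n"
        "Management response: pending\n"
    )
    issue = {
        "project_id": project_id,
        "subject": f"[{finding['control']}] {finding['title']}",
        "description": description,
        "priority_id": SEVERITY_TO_PRIORITY[finding["severity"].lower()],
    }
    if upload_token:
        # Redmine attaches a previously uploaded file by the token it returned.
        issue["uploads"] = [{"token": upload_token, "filename": evidence_name,
                             "content_type": "application/octet-stream"}]
    return {"issue": issue}


def _request(method: str, path: str, body: bytes, content_type: str) -> dict:
    req = urllib.request.Request(REDMINE_URL + path, data=body, method=method)
    req.add_header("X-Redmine-API-Key", API_KEY)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def upload_workpaper(evidence_bytes: bytes) -> str:
    """POST the raw file to /uploads.json; Redmine answers {"upload": {"token": ...}}."""
    return _request("POST", "/uploads.json", evidence_bytes,
                    "application/octet-stream")["upload"]["token"]


def create_issue(payload: dict) -> int:
    """POST /issues.json returns the created issue; its id becomes the audit reference."""
    return _request("POST", "/issues.json", json.dumps(payload).encode(),
                    "application/json")["issue"]["id"]


if __name__ == "__main__":
    # Constructed finding and workpaper; in practice the bytes come from the file on disk.
    finding = {"control": "AC-2", "title": "Stale privileged accounts",
               "observation": "3 admin accounts unused for 180+ days", "severity": "high"}
    workpaper = b"account,last_login\nsvc_backup,2023-01-04\n"
    token = upload_workpaper(workpaper)
    issue_id = create_issue(build_issue_payload("hybrid-cloud-audit", finding,
                                                "ac2-accounts.csv", workpaper, token))
    print(f"created issue #{issue_id}")
```

The hash in the description is the detail worth keeping even if you adapt everything else: an auditor reviewing the ticket months later can re-hash the attached workpaper and confirm it is the file that was recorded at the time.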
Organizations can use almost any issue tracker to do much of this. They might instead prefer a similar tool like OTRS or Mantis.
These three products are noteworthy because they offer significant flexibility and customization in how issues are tracked and workflow support.
You won't get all the comprehensive features of a commercial AMS with an approach like this, since issue trackers are designed around a different use case. But 80% of the functionality is usually better than 0% when you can't get traction any other way.
Low-cost control validation
One of the many GRC program challenges, regardless of size, is the ongoing management and validation of the technical controls implemented to enforce policy decisions. Implementing a control as a risk management decision is one thing. Being able to prove that it's working is another.
Some of the tools used for asset management can be co-opted to provide data on technical control operation, similar to functionalities found in IT GRC tools.
A couple of these tools that are worth noting include OpenVAS, or Open Vulnerability Assessment System, an open source vulnerability scanning tool, and GLPI, an open source asset management and inventorying tool.
OpenVAS features include parallel scanning, web UI, customizable scan reporting, performance tuning capabilities, intuitive dashboard and prioritization of issues based on severity.
GLPI features include inventorying of virtual or physical hosts, ticket management capabilities, knowledge base creation and maintenance and built-in project management features.
A tool like OpenVAS can validate the efficacy of system configuration and patch management controls. Scan results provide evidence that systems are configured in a hardened manner, that configuration standards are applied consistently and that software is kept at the anticipated patch level. Bear in mind that an unauthenticated scan infers patch levels from service banners and responses, so authenticated (credentialed) scans produce stronger evidence, and that a scan is only evidence for the hosts it actually reached on the date it ran.
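Scan output only becomes control evidence once it is tested against the control you claim to operate. The script below is an added example, not code from the article or from the OpenVAS/GVM project: it reads a GVM/OpenVAS-style XML report and answers two audit questions, whether any in-scope host carries an open finding at or above a CVSS threshold, and whether every in-scope host was actually scanned, since a host the scanner never reached produces no findings and would otherwise pass by absence. SAMPLE_REPORT is constructed and simplified (the element names result, host, nvt/name, threat and severity follow the GVM report format, but real exports nest more deeply and carry many more fields), and the in-scope host list is an assumption, the kind of list an asset inventory such as GLPI would export.

```python
"""Turn a vulnerability scan report into control-validation evidence.

Added example, not code from the article or the OpenVAS/GVM project. SAMPLE_REPORT
is constructed and simplified; the in-scope host list is an assumption.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

SAMPLE_REPORT = """<?xml version="1.0"?>
<report>
  <host><ip>10.0.1.10</ip></host>
  <host><ip>10.0.1.11</ip></host>
  <host><ip>10.0.1.12</ip></host>
  <results>
    <result id="r1">
      <host>10.0.1.10</host><port>22/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900001"><name>Outdated SSH server</name></nvt>
      <threat>High</threat><severity>7.5</severity>
    </result>
    <result id="r2">
      <host>10.0.1.11</host><port>443/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900002"><name>TLS 1.0 enabled</name></nvt>
      <threat>Medium</threat><severity>4.3</severity>
    </result>
    <result id="r3">
      <host>10.0.1.12</host><port>general/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900003"><name>Host summary</name></nvt>
      <threat>Log</threat><severity>0.0</severity>
    </result>
  </results>
</report>
"""


@dataclass
class Finding:
    host: str
    port: str
    name: str
    oid: str
    threat: str
    severity: float


@dataclass
class ControlResult:
    passed: bool
    failing: List[Finding] = field(default_factory=list)  # in scope, at/above threshold
    unscanned: List[str] = field(default_factory=list)    # in scope but absent from report


def parse_report(xml_text: str) -> Tuple[List[Finding], Set[str]]:
    """Extract findings and the set of hosts the scanner actually covered."""
    # Only parse reports produced by your own scanner; ElementTree is not hardened
    # against hostile XML (use defusedxml for untrusted input).
    root = ET.fromstring(xml_text)
    findings = []
    for r in root.iter("result"):
        nvt = r.find("nvt")
        findings.append(Finding(
            host=(r.findtext("host") or "").strip(),   # text before any <asset> child
            port=(r.findtext("port") or "").strip(),
            name=(nvt.findtext("name") or "").strip() if nvt is not None else "",
            oid=nvt.get("oid", "") if nvt is not None else "",
            threat=(r.findtext("threat") or "").strip(),
            severity=float(r.findtext("severity") or 0.0),
        ))
    scanned = {ip.text.strip() for ip in root.findall("host/ip") if ip.text}
    scanned |= {f.host for f in findings if f.host}
    return findings, scanned


def validate_patch_control(xml_text: str, in_scope: Iterable[str],
                           threshold: float = 7.0) -> ControlResult:
    """Pass only if no in-scope host has a finding >= threshold AND every in-scope
    host appears in the report. Coverage is checked explicitly because an unreached
    host produces no findings and would otherwise look clean."""
    findings, scanned = parse_report(xml_text)
    scope = set(in_scope)
    failing = [f for f in findings if f.host in scope and f.severity >= threshold]
    unscanned = sorted(scope - scanned)
    return ControlResult(passed=not failing and not unscanned,
                         failing=failing, unscanned=unscanned)


if __name__ == "__main__":
    # Constructed scope: one host more than the scanner reached.
    result = validate_patch_control(SAMPLE_REPORT,
                                    ["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13"])
    print("control passed:", result.passed)
    for f in result.failing:
        print(f"  FAIL {f.host} {f.port} {f.threat} {f.severity} {f.name} ({f.oid})")
    for h in result.unscanned:
        print(f"  NOT SCANNED {h}")
```

Run against the constructed report and scope, the control fails twice over: one host has a 7.5 finding, and one in-scope host never appears in the report. Keeping those as two separate reasons in the result matters in an audit, because a remediation ticket and a scan-coverage gap are different findings with different owners.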
You can also use asset management-focused tools in a similar vein. Asset management tools like GLPI can provide configuration-related details that support auditing, such as the software inventory on a host or other information not available from a vulnerability scan, and they supply the authoritative list of in-scope systems that a scan's coverage should be checked against.
Resources for the cloud
This last example isn't a software tool, but still can be a useful addition to most organizations' GRC program.
Many companies make heavy use of the cloud. The Cloud Security Alliance provides a suite of related resources in its GRC Stack that can be useful when it comes to assessing, validating and otherwise ensuring that the cloud is used in a manner commensurate with your organization's risk tolerances.
While all of the sub-areas within the GRC Stack are useful, two are particularly helpful: Cloud Controls Matrix (CCM) is a matrix of controls applicable for cloud environments, and Consensus Assessments Initiative Questionnaire (CAIQ) is a questionnaire that uses the CCM for cloud vendor information gathering.
The CCM and the CAIQ would be a good option for organizations focused on improving their GRC program's effectiveness and maturity.
The CCM provides a list of controls that are applicable within a cloud security context, mapped to many of the regulations in an enterprise's compliance scope. The CCM can be directly integrated into cloud providers' risk management reviews or used to connect organizational compliance with regulatory requirements.
The CAIQ is a standardized information-gathering questionnaire that includes key questions to ask cloud vendors during risk reviews. This questionnaire can be incorporated directly into an organization's GRC program and used as part of vendor risk reviews and evaluations. This can be done either as a supplement to other information gathering activities -- like organization-specific vendor questionnaires or generic questionnaires like the Shared Assessments Standardized Information Gathering -- or as the sole information gathering vehicle for cloud providers.
There are plenty of free tools that can streamline an organization's GRC program. Employing free GRC tools to help provide much of the same functionality as commercial tools will come in at a fraction of the cost. It may take some creativity and customization to adapt the tools to your usage, but they can provide just as much value to GRC efforts.