Sunday, August 22, 2010

IT-GRC (Governance, Risk and Compliance) Tools - 2010

I have updated this list (October 2011); you can find the current copy at this URL:
http://security.24kasim.org/2011/10/itgrc-software-vendors-2011.html

Here is the 2010 version:
-----------------------------------------------------------------------

I stand by my statement that IT-GRC does not stick, for several reasons.

My previous posts on risk management frameworks and tools are at this link (I will update the risk management tools next month).

Currently there are 4 types of companies in the IT-GRC market:
1- IT-GRC vendors: IT risk management solutions with integrated workflow and compliance features.
2- Enterprise GRC vendors: audit-driven ERM tools expanding into the IT-GRC space.
3- Glorified access control tools: this is the world of SAP, Oracle and the related vendors (note to the vendors - GRC is not SoD).
4- Compliance management tools (without a risk focus).

There are a lot of changes in the market. The market is not as colorful as it was in 2009. I think the main reasons are:
1- The global market for pure IT-GRC vendors is still only around $120M/year.
2- Entry to the market is not very difficult.

The big news is:
CA killed the whole GRC Manager line.
Archer was acquired by RSA (of EMC) - 04-Jan 2010
Compliance Spectrum is now history.


Before moving forward, please remember that Excel is 'by far' the most common application in the IT-GRC market :)

IT-GRC vendors

Agiliance
http://www.agiliance.com/
RSA eGRC - Archer
http://www.rsa.com/node.aspx?id=2428
Trustwave GRC (Control Path)
https://www.trustwave.com/GRC.php
Symantec (Control Compliance Suite)
http://www.symantec.com/business/control-compliance-suite
Modulo
http://www.modulo.com/
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Lumension
http://www.lumension.com/Solutions/IT-Risk-Management.aspx
BPS
http://www.bpsresolver.com/
Avedos
http://www.avedos.com/en/home/home.html
BWise
http://www.bwise.com/
Neupart
http://www.neupart.com/
Metric Stream
http://www.metricstream.com/
Nemea
http://www.nemea.us/
Highpoint
http://www.highpointgrc.com/
Paisley Enterprise GRC® for IT (requires registration to display product information :)
http://paisley.thomsonreuters.com/website/pcweb.nsf/pages/ARAE-6XLQSR
OpenPages
http://www.openpages.com/solutions/governance_risk_compliance_management_solutions.asp
IDS Scheer (GRC is a part of BPM offering)
http://www.ids-scheer.com/us/en/ARIS/ARIS_Solutions/Governance_Risk__Compliance_Management/139893.html
ARC Logics - Axentis (same company as CCH TeamMate audit)
http://www.axentis.com/Products/Axentis/ProductOverview.html
Methodware
http://www.methodware.com/grc/
Protiviti
http://www.protiviti.com/grc-software/Pages/default.aspx
Cura Software
http://www.curasoftware.com/pages/content.asp?SectionId=7&SubSectionID=48
Mega
http://www.mega.com/index.asp/l/en/c/grc
ControlCase
http://controlcase.com/it-grc.htm
Simeio Solutions GRCAXS (IT GRC module)
http://www.simeiosolutions.com/
Compliance 360 ( eGRC )
http://www.compliance360.com/
eGestalt SecureGRC - SaaS-hosted GRC offering
http://www.egestalt.com/
Aline GRC
http://www.alinegrc.com/GRC-Platform/20/
TrueArx
http://www.truarx.com/
Easy2Comply
http://www.easy2comply.com/
SAI Global
http://www.saiglobal.com/compliance/grc-software/


There are many other tools with ERM (Enterprise Risk Management), Compliance Management, Audit and Access Control Governance feature sets.

Here is a long list of indirect GRC software providers that make auditors happy:
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/it-grc-management.html
SAP (no clear IT-GRC offering besides Access Control - SoD)
http://www.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx
Greenlight
http://www.greenlightcorp.net/index.aspx
Qumas (avoids the GRC term - Regulatory Compliance)
http://www.qumas.com/
Aveksa (Enterprise Access Governance)
http://www.aveksa.com/
Trintech (Financial controls - no IT)
http://www.trintech.com/
Doublecheck ERM
http://www.doublechecksoftware.com/solutions.htm
ACL - Transactional controls testing
http://www.acl.com/products/ccm.aspx
Approva (ERP Audit / SoD on steroids)
http://www.approva.net/solutions/itsecurity/
Strategic Thought (Full Service ERM)
http://www.strategicthought.com/
Open Text Governance, Risk Management & Compliance
http://www.opentext.com/2/global/sol-products/sol-pro-compliance-governance/pro-open-text-governance-risk-compliance.htm
Enablon - ERM
http://enablon.com/products/risk-management.aspx
Pentana Audit Work System (risk audit)
http://www.pentana.com/products.asp#PAWS
Grant Thornton - Compliance Management (GT acquired Avalion Consulting's ComplianceSet solution)
http://bit.ly/9bvCFB (Long URL shortened)
Incom Enterprise Risk Mgr ISO 31000
http://www.incom.com.au/products.asp?ID=407
EIQNetworks SecureVue (also avoids the GRC acronym)
http://www.eiqnetworks.com/products/SecureVue.shtm
Brinqa (brings privacy, identity and vendor management)
http://www.brinqa.com/solutions
SecurityWeaver (SoD tool)
http://www.securityweaver.com/Products_Separations_Enforcer.asp
ControlpanelGRC (SOX compliance for SAP users)
http://www.controlpanelgrc.com/
Xpandion (SAP security)
http://www.xpandion.com/


IT-GRC software makes our lives more organized, but we should not forget the motto of the CSI audit people: 'A fool with a tool is still a fool.'