Sunday, December 2, 2007

IT Governance, Risk and Compliance (ITGRC) Tools

Lately I found myself in several interlinked IT GRC projects.

Tools do not fix the governance problem, but they do help you shape your project with fewer bodies (and probably in exchange for good hard cash).

The new era of tools has a better message than the previous "We fix your compliance problems" motto. We all knew that compliance was just another step towards achieving governance of information security. The new tools integrate better with legacy information security products such as patch managers and SIEM tools, and they also come with several predefined policy frameworks such as ISO 27001.

Not there yet, but if you are interested, here is a good starting list of lists for googling and reading:

IT Governance, Risk and Compliance (ITGRC) Tools
Agiliance
http://www.agiliance.com/
Brabeion
http://www.brabeion.com/
Archer
http://www.archer-tech.com/solutions/index.html
Control Path
http://www.controlpath.com/solutions_advantage.php
Symantec (Control Compliance Suite)
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/ent-datasheet_control_compliance_suite_05-2007.en-us.pdf
Compliance Spectrum -Spectra (Command Center)
http://www.compliancespectrum.com/spectra.pdf
Modulo
http://www.modulo.com/
NetIQ VigilEnt Policy Center and other NetIQ tools
http://download.netiq.com/CMS/WHITEPAPER/NetIQ_CRM_Methodology_Feb_2007.pdf
eIQ Networks SecureVue
http://www.eiqnetworks.com/products/SecureVue.shtml
CA clarity (formerly NIKU)
http://www.niku.com/it-governance-47.html
IBM Tivoli Series
http://www-306.ibm.com/software/uk/itsolutions/governance/?ca=grm_Lnav&me=w
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Iconium
http://www.iconium.co.uk/Solutions/overview.htm
Security Works - Visible Security
http://security-works.com/?page_id=27
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/governance-risk-compliance-manager.html
Proteus
http://www.infogov.co.uk/proteus_enterprise/index.php
There are also dedicated Risk Management tools that will soon position themselves (maybe they already do) in the IT GRC market space:
Callio
http://www.callio.com/
Octave
http://oattool.aticorp.org/Tool_Info.html
Casis
http://www.aprico-consult.com/ (clearpriority)
Cobra
http://www.riskworld.net/
Citicus
http://www.citicus.com/oursoftware.asp
Alion – Countermeasures (makers of Buddy System)
http://www.countermeasures.com/
Siemens – CRAMM
http://www.cramm.com/
Ebios
http://www.ssi.gouv.fr/en/confidence/ebiospresentation.html
GStool
http://www.bsi.bund.de/english/gstool/
RA2
http://www.aexis.de/RA2ToolPage.htm
RiskPAC
http://www.cpacsweb.com/riskpac.html
Risicare (French)
http://www.risicare.fr/
Riskwatch
http://www.riskwatch.com/
Methodologies for risk assessment and management that can be used in IT operations... The discussion on how to quantify risk is endless. My prayers are with ISO, but let's see which method(s) will prevail:

ISO 14971 – Risk Management for Medical Technologies
NIST 800-30 Risk Management Guide for IT Systems - National Institute of Standards and Technology
OCTAVE (Carnegie Mellon)
The Institute of Risk Management (IRM): The Risk Management Standard
ISO 13335-2 Information Security Risk Management, to be replaced by ISO/IEC IS 27005
BS 7799-3:2006 Information security management systems. Guidelines for information security risk management
BSI Grundschutz Handbuch
ENISA Regulation (2004)
PARA - Practical application of risk analysis
PTA - Practical Threat Analysis for Securing Computerized Systems
Austrian IT Security Handbook
Federal Financial Institutions Examination Council’s (FFIEC) IT handbook covers information security risk assessment
Threat and Risk Assessment Working Guide from The Government of Canada Security Policy
CRAMM - British Office of Government Commerce or The CCTA's (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
Afhankelijkheids- en Kwetsbaarheidsanalyse (Dutch A&K)
EBIOS (French Government)
FRAP: Facilitated Risk Assessment Process
ISF IRAM: Information Security Forum Ltd. Information Risk Analysis Methodologies. Also check FIRM (Fundamental Information Risk Management), SARA (Simple to Apply Risk Analysis) and SPRINT (Simplified Process for Risk Identification)
CLUSIF MEHARI - Club de la Sécurité de l'Information Français
Calpana CRISAM
SecurITree from Amenaza
OSSTMM RAV (RAV stands for Risk Assessment Values)
SOMAP - Security Officers Management and Analysis Project
FAIR Factor Analysis of Information Risk
DRAM Delphic Risk Assessment Method
Buddy System
AS/NZS 4360 (2004) Risk Management. Australia/New Zealand standard for risk management

5 comments:

Anonymous said...

I think ISO 27005 will replace BS 7799-3... Too bad you did not provide hyperlinks to more detailed information, but the collection seems quite nice.

Anonymous said...

Dear colleagues,

I invite you to have a look at PTA – Practical Threat Analysis - a quantitative method and a software tool that enables you to model the security perimeter of your systems. Risk level, potential damage and countermeasures required for mitigating the ‘right’ problems are all presented in real financial values. PTA advises on the most cost-effective way to mitigate threats and reduce the risk to an acceptable level.

PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to download a free copy of the software from the following link:

http://www.ptatechnologies.com/?action=download

Download free PTA for PCI DSS and ISO 27001 security libraries from the following url:

http://www.ptatechnologies.com/?action=documents

Happy New Year!

Zeev Solomonik
R&D - PTA Technologies
http://www.ptatechnologies.com
zeev_at_ptatechnologies_dot_com

Anonymous said...

I also invite you to have a look at www.avedos.com

risk2value is a GRC software framework with completely flexible modelling of the method, calculations and catalogues used. Therefore it is possible to build up individual methods or use standard templates (like ISO 27000).

best regards

SNN said...

Thank you for this extensive list. Very useful to start off.