Sunday, August 16, 2009

IT Governance, Risk and Compliance (ITGRC) Tools August 2009

For the 2011 list follow this link

Here are the updated links for the IT-GRC vendors, the IT-GRC wannabe vendors, and some IT-based risk management tool/software providers.

There is still a thin line between IT, Financial and ERP GRC solution providers.

I have noticed that SAP has created its own GRC context where GRC means a lot of other things... SoD (Segregation of Duties), entitlements management, user access/authorization for applications/transactions, audit management, role management etc. Basically a dull extension of IT audit controls. SAP's Virsa and Sun's Vaau acquisitions are good examples of this trend. That is not GRC -- that is mediocre IT controls audit. The term GRC is used without any consideration. This statement is also valid for the other usual suspects (Oracle, PeopleSoft, Hyperion, JD Edwards).

Here is a quick M&A update since the last post:
Brabeion is acquired by Archer (big news)
Controlpath is acquired by Trustwave
Paisley is acquired by Thomson Reuters
Iconium is acquired by Logicalis
IBM dropped its own suite and is working with Modulo
Favored GRC has a new name: Highpoint GRC
Achiever is gone
I looked at ACL, Approva, Aveksa, Opentext, SecurityWeaver, Xpandion, Spatiq solutions; I will be checking these vendors in the future (these solutions tend to manage ERP security only).


IT-GRC solution Providers:

Agiliance
http://www.agiliance.com/
Archer (acquired Brabeion)
http://www.archer-tech.com/solutions/index.html
Trustwave GRC
https://www.trustwave.com/GRC.php
Symantec (Control Compliance Suite)
http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-datasheet_control_compliance_suite_9.0-11_2008_14121573.en-us.pdf
Compliance Spectrum
http://www.compliancespectrum.com/
Modulo
http://www.modulo.com/home.jsp
NetIQ
http://www.netiq.com/solutions/scm/default.asp
eIQ Networks SecureVue
http://www.eiqnetworks.com/products/SecureVue/SecureVue_Technology.shtml
CA GRC
http://www.ca-grc.com/
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Logicalis grace (acquired Iconium Assets)
http://www.uk.logicalis.com/business_issues/governance_grace.asp
Lumension (acquired Security-Works)
http://www.lumension.com/landing.spring?contentId=154643
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/it-grc-management.html
Proteus
http://www.infogov.co.uk/proteus_enterprise/index.php
BPS
http://www.bpsinc.com/
Avedos
http://www.avedos.com/257-Home-EN.html
BWise
http://www.bwise.com/
Neupart
http://www.neupart.com/
Metric Stream
http://www.metricstream.com/
Nemea
http://www.nemea.us/
Highpoint
http://www.highpointgrc.com/
Paisley (now Thomson Reuters)
http://www.paisley.com/
OpenPages
http://www.openpages.com/Solutions/Technology_17.asp
Qumas
http://www.qumas.com/products/index.asp
IDS Scheer
http://www.ids-scheer.com/us/en/ARIS/ARIS_Solutions/Governance_Risk__Compliance_Management/139893.html
Axentis
http://www.axentis.com/offerings/solutions/itgovernance
Methodware
http://www.methodware.com/it-security/
Protiviti
http://www.protiviti.com/grc-software/Pages/default.aspx
Cura Software
http://www.curasoftware.com/pages/content.asp?SectionId=7&SubSectionID=48
Mega
http://www.mega.com/index.asp/l/en/c/grc
ControlCase
http://controlcase.com/it-grc.htm
McAfee Risk and Compliance Manager (formerly McAfee Preventsys)
http://www.mcafee.com/us/local_content/white_papers/dashboard_reporting_it_grc.pdf
Greenlightcorp (SAP GRC)
http://www.greenlightcorp.net/sap_grc_cross_platform.html
Trintech (Financial GRC only)
http://www.trintech.com/
SAI Global
http://www.saiglobal.com/compliance/grc-software/
SAP
http://www.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx
eFortresses
http://www.efortresses.com/Compliantz.htm
Simeio Solutions GRCAXS (IT GRC module)
http://www.simeiosolutions.com/
Compliance 360 (eGRC)
http://www.compliance360.com/news.asp

There are also dedicated Risk Management Tools which will soon position themselves (maybe they already do) in the IT GRC market space:
Callio
http://www.callio.com/
Casis
http://www.clearpriority.com/ (clearpriority)
Strategic Thought Active Risk Manager
http://www.strategicthought.com/riskmanagement.html
Cobra
http://www.riskworld.net/
Citicus
http://www.citicus.com/oursoftware.asp
Alion – Countermeasures (makers of Buddy System)
http://www.countermeasures.com/
Siemens – CRAMM
http://www.cramm.com/
Acuity Stream
http://www.acuityrm.com/
EAR/Pilar
http://www.ar-tools.com/en/index.html
GStool (mainly German)
https://www.bsi.bund.de/cln_136/EN/topics/ITGrundschutz/ITGrundschutzGSTOOL/itgrundschutzgstool_node.html
Sigea GxSGSI (this site is in Spanish only)
http://www.gxsgsi.es/
RA2
http://www.aexis.de/index.php?site=static&staticID=4
RiskPAC
http://www.cpacsweb.com/riskpac.html
Risicare (French)
http://www.risicare.fr/
Riskwatch
http://www.riskwatch.com/
ISmart
http://www.biznet.com.tr/english/ismart_info.htm
Resolver
http://www.resolver.ca/
RMStudio
http://www.riskmanagementstudio.com/
RiskConnect
http://www.riskonnect.com/riskonnect_products.html
PTA Risk Assessment Tools and Technology
http://www.ptatechnologies.com/
Avedos Risk2Value
http://www.avedos.com/111-Short-Facts.html
Non-IT Risk Software
http://www.riskworld.com/SOFTWARE/sw5sw001.htm

I still need time to add URL links for the well known risk assessment methodologies. A little bit of googling will take you to the right resources if you want to build your own system using a methodology or a framework.
The methodologies for Risk Assessment and Management listed below can be used in IT operations... Endless discussion about quantifying the risks... I like the ISO 27000 series to lead, but each case is different.

ISO 14971 – Risk Management for Medical Technologies
NIST 800-30 Risk Management Guide for IT Systems - National Institute of Standards and Technology
OCTAVE (Carnegie Mellon)
The Institute of Risk management (IRM) The Risk Management Standard
ISO 13335-2 Information Security Risk Management, to be replaced by ISO/IEC IS 27005
BS 7799-3:2006 Information security management systems. Guidelines for information security risk management
BSI Grundschutz Handbuch
ENISA Regulation (2004)
PARA - Practical application of risk analysis
PTA - Practical Threat Analysis for Securing Computerized Systems
Austrian IT Security Handbook
Federal Financial Institutions Examination Council’s (FFIEC) IT handbook covers information security risk assessment
Threat and Risk Assessment Working Guide from The Government of Canada Security Policy
CRAMM - British Office of Government Commerce or The CCTA's (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
Afhankelijkheids- en Kwetsbaarheidsanalyse (Dutch A&K)
EBIOS (French Government)
FRAP: Facilitated Risk Assessment Process
ISF IRAM: Information Security Forum Ltd. Information Risk Analysis Methodologies. Also check FIRM (Fundamental Information Risk Management), SARA (Simple to Apply Risk Analysis), SPRINT (Simplified Process for Risk Identification)
CLUSIF MEHARI - Club de la Sécurité de l'Information Français
Calpana CRISAM
Securitree from Ameneza
OSSTMM RAV (RAV stands for Risk Assessment Values)
SOMAP - Security Officers Management and Analysis Project
FAIR Factor Analysis of Information Risk
DRAM Delphic Risk Assessment Method
Buddy System
AS/NZS 4360 (2004) Risk Management. Australia/New Zealand standard for risk management

There are also Compliance Management/SIM/SIEM solutions which partially cover GRC.
Here are a few links:

Tivoli Security Compliance Manager
http://www-01.ibm.com/software/tivoli/products/security-compliance-mgr/
Novell Compliance Management Platform
http://www.novell.com/products/compliancemanagementplatform/
Easy2comply (formerly Dynasec)
http://www.easy2comply.com/
AlertLogic
http://www.alertlogic.com/
NetForensics
http://www.netforensics.com/compliance/
Arcsight
http://www.arcsight.com/solutions/solutions-compliance/
RSA enVision
http://www.rsa.com/solutions/compliance/datasheets/9373_ISOENV_DS_0408-lowres.pdf
Intellitactics
http://www.intellitactics.com/int/solutions/compliance.asp

Actually, all SIM/SIEM vendors have a compliance management solution. For a list of them you can check the following post:
http://security.24kasim.org/2008/12/differentiation-of-log-management.html