Social Network For Security Executives: Help Make Right Cyber Security Decisions
My company uses the StandardFusion GRC tool as a “single source of truth” for managing all aspects of an organization’s security program. We configured the GRC tool by mapping controls back to security policies and standards so that it is clear how an organization complies with whatever standard (HIPAA, GDPR, ISO2700x, …) they are measuring against. It's easy to use and produces great reports. Happy to provide more details if you like.
There are so many different GRC software solutions available, so choosing the right one can be really difficult. Do you really know what you want to achieve with this solution? Do you really know which projects, workflows, and processes are in scope before starting a tool acquisition process? Because GRC tools are good for automating the existing working processes. And if you don’t have a risk assessment, for example, buying a GRC tool is not going to give it to you.
There have been suggestions about products that fulfill only part of your requirements. The notion is that a GRC tool is only about managing compliance workflow, forgetting about things like risk assessment. It's true, the suggested solutions are limited and do not fully address the entire life-cycle of your GRC program. I'm here to tell you that there is a solution actually doing it.
We use Continuum GRC for our compliance and audits, risk assessments and management, and policy and governance development and management. For example, we use Continuum GRC to create our FedRAMP SSP and all the security documentation for our certification. The auditors then use what we have in this SaaS solution, attaching evidence in the system's blockchain for chain-of-custody evidence management. We schedule input from people, generate documentation and reports, and everything needed to support our whole mission, not just a part of the mission. Even better is that Continuum GRC automaps to every other framework and easily does so for emerging standards.
The Continuum GRC solution was fully deployed in 24 hours. They are currently going through a FedRAMP High certification and already have HIPAA, PCI, SOC 2, GDPR and CCPA accreditations on the solution. No other solution out there can say that.
For what it is worth...
There are many IT GRC tools and you could compare them and see what best suits your requirement.
You can compare them based on capabilities for
Here is a quick comparison between RSA Archer, MetricStream GRC & Lockpath.
There is no best platform; each of them has their strengths and weaknesses. SAI is good, as are many others; ServiceNow is also there, and there are many others.
What you want to do is make sure your implementation is simple in nature, if you want people participating in risk management as such. And make it easy and intuitive if you want to be able to manage things in the future.
Whatever platform you choose, I would advise having a resource on board; if this is a new initiative, it will be a long journey, with many iterations over the next two years.
There are good GRC tools available in the industry today, such as Archer & MetricStream, and all of them are almost equal in terms of functionality. In order to decide which one to choose, it is important to understand the requirements and identify which workflows and processes are to be automated. To achieve value out of a GRC tool, the implementation needs to be customized as per requirements, and continuous maintenance will determine the result.