Thursday, December 8, 2011

Mapping Controls: Challenges, Opportunities, Surfing

One Man's Challenge.

Mapping controls is all the rage (pun) and today's faddish exercise. Come on. You know you want some of that. Can you think of anything more fun than trying to find all of the standards, regulations, vendor guides, best practice documents, and Christmas Cookie recipe books?? How about actually reading them?? And then creating a massive spreadsheet mapping (your best) interpretation of what (you think) might be individual controls across each of them so that you can track your compliance? And... wait for it... just as we're getting started in all of this, don't forget that every good corporate citizen is intimately familiar with the policies you've painstakingly written and tracked back to each authority document.

Is Another Man's Opportunity.

Enter the likes of the IT Unified Compliance Framework (ITUCF), with their nice snazzy website update over the last year. Their objective early in the game several years ago was to identify and correlate authority sources and documents from government agencies, standards bodies, and vendors. Massive undertaking. Simply massive. This is the classic case of how to put an elephant to sleep. Read one authority document at a time.

Opportunistic entrepreneurs and vendors created software tools to help manage the C in GRC. Many leverage (license) in whole or in part the work of the ITUCF. Some target the entire enterprise, and others only IT. Consider the following from the well respected Michael Rasmussen of Corporate Integrity:
"The GRC software space is vast with numerous vendors. In fact, in my market models there are over 400 GRC software providers that span 28 primary categories (with numerous sub-categories) of GRC related software. Nine of these categories encompass components of an enterprise GRC platform (though no vendor does all nine components), 19 of the categories are focused in specific business functions/processes of GRC. Of the 400 vendors, it is under 50 that market and present themselves in the enterprise GRC domain."
Enjoy the Wave Dude. Enjoy the Wave.

OK. So maybe it's not perfect, or you consider it biased, or you have some other hang-up that prevents you from enjoying the Magic Carpet Ride that is the Forrester Wave. I personally don't have the time to learn about every technology niche and vendor play. The summaries are fantastic. I've learned to filter the content and appreciate the organization. The best part? Someone else does the work, and the winner of whatever contest is showcased usually pays for your right to view the content. Why? Because they paid someone off? Or because they are thrilled with the results and want to showcase their peer praise to the world? Enjoy the Wave. It's a short ride.

And on the Short List.

The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q4 2011, led by Chris McClean, includes the following vendors: 
ARC Logics, BWise, Compliance 360, Enablon, IBM OpenPages, Mega, Methodware, MetricStream, Protiviti, RSA Archer, SAP, SAS, Thomson Reuters
The Forrester Wave™: IT Governance, Risk, And Compliance Platforms, Q4 2011, led by Chris McClean, includes the following vendors: 
Agiliance, ANXeBusiness, ControlCase, Easy2Comply, Modulo, RSA Archer, Rsam, Symantec

Please note:
(1) There may be perfectly suited vendors that are NOT on this list because they address your particular market niche, pain point, or existing entrenched people/processes/technologies. 
(2) Plugging my Parent Company, EMC. RSA Archer was the only vendor listed as a Leader in both enterprise and IT GRC tools. I know the product well, know parts of the roadmap, and I really like what I see here. 
(3) Links to the Wave documents lead to RSA because of licensing. No registration required. Just click on the direct link on the right side of the landing page.