
E-guide

7 free GRC tools for compliance professionals

7 free GRC tools every compliance professional should know about

Ed Moyle, Partner

Compliance professionals know that governance, risk and compliance efforts
don't often get the appropriate level of consideration when it comes to securing
investment dollars for software tools and new funding for process
improvements. Many organizations will instead prioritize technical tools or tools
that are directly business-visible when it comes to investments.

This puts compliance professionals in a precarious position. They are already
under pressure from the number and complexity of current regulations, and
there are also new regulations on the horizon that make accessing the right
tools imperative. Yet the investment dynamics make it challenging for a
practitioner to get those tools.

One way to help mitigate this is to use free and open source tools to automate
portions of governance, risk and compliance (GRC) activities. Open source, free
GRC tools have advantages from a procurement standpoint.

Nothing will completely remove implementation costs -- no matter how much the
software costs, someone needs to install and configure it -- but the initial budget
hit will be small and require little or no upfront investment. This can mean that
compliance professionals have access to a tool their organization would
otherwise have to buy that they can instead use in the short term in parallel to
the budget cycle.

There are a few options of open source tools that may help some elements of
GRC. Every tool won't be appropriate for every organization, and there are
dozens, if not hundreds, of others. However, let's focus on free GRC tools that
can have an immediate benefit to GRC efforts in the majority of organizations:
audit management, control validation and resources for the cloud.

Low-cost audit management

Audit management systems (AMSes) can be a boon for an organization's GRC
program for a few reasons. Not only do they provide a central repository for
internal and external audit findings, but they also can streamline other aspects
of the audit process such as workflow and evidence gathering. But commercial
systems are usually pricey.

In a pinch, however, open source project management and bug-tracking tools
can fulfill many of the same functions as a commercial AMS tool.

Some of the free GRC tools in this category are Redmine, OTRS and Mantis, all
of which are open source issue tracking, documentation and workflow platforms.


Redmine's features include support for multiple simultaneous projects, ticket
creation and resolution workflow, "wiki" and other collaboration capabilities for
team coordination, issue tracking, built-in project management features like
Gantt charts and file management.

OTRS includes ticket creation and resolution workflow, team chat and
collaboration capability, issue resolution history and mobile-friendly UI.

Mantis' features include ticket creation and resolution workflow, notifications,
linkage of specific files (e.g. workpapers) to issues and customizable reporting
features.

A bug and feature tracking tool like Redmine -- which is included in the default
repository of distributions like Debian -- can be customized and used for many
of the same purposes as an AMS. This includes managing issues, tracking
remediation progress, retaining a record of work effort such as audit work
papers and general internal information sharing.

For example, the screenshot below illustrates how you might create a new
project within Redmine to track a discrete audit task, such as testing validation
activities for an audit of a hybrid cloud virtual environment.

Applying a bit of creativity, compliance professionals can not only manage
workflow, but also track management responses to observations, evidence and
evidence-gathering procedures and record workpapers in one place as they are
produced.
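The same audit project the screenshot describes can be set up through Redmine's REST API instead of the web UI, which is handy when every audit cycle starts from the same test plan. The script below is an added example, not code from the e-guide or from the Redmine project. It uses Redmine's documented endpoints (POST /projects.json, POST /issues.json, the X-Redmine-API-Key header) and assumes a Redmine instance with the REST API enabled; the host, API key, tracker id and audit steps are placeholders or constructed samples. Each test step becomes an issue, so management responses, evidence and workpapers can later be attached to that issue as notes and files.

```python
"""Create a Redmine project for a discrete audit task and one issue per test step.

Added example (not from the e-guide). Assumes Redmine's REST API is enabled and
the key belongs to a user allowed to create projects. Host, key and tracker id
below are placeholders; the audit steps are a constructed sample.
"""
import json
import re
import urllib.request

REDMINE_URL = "https://redmine.example.invalid"  # placeholder host
API_KEY = "REPLACE_WITH_API_KEY"                 # placeholder key
TRACKER_ID = 2                                   # assumption: id of your "Task" tracker

# Constructed sample: test steps for an audit of a hybrid cloud virtual environment.
AUDIT_STEPS = [
    ("Confirm hypervisor patch level",
     "Compare installed patches against the approved baseline; attach the report as evidence."),
    ("Review VM network segmentation",
     "Verify tenant networks are isolated per policy; record the firewall rule export."),
    ("Validate backup restoration",
     "Restore one VM from backup and record the outcome and duration."),
]


def project_identifier(name: str) -> str:
    """Derive a Redmine project identifier: lowercase a-z, 0-9, '-' or '_',
    at most 100 characters, and it must start with a letter."""
    ident = re.sub(r"[^a-z0-9_-]+", "-", name.lower()).strip("-")
    if not ident or not ident[0].isalpha():
        ident = "audit-" + ident
    return ident[:100]


def build_project(name: str, description: str) -> dict:
    """Payload for POST /projects.json; audit projects are kept private."""
    return {"project": {"name": name,
                        "identifier": project_identifier(name),
                        "description": description,
                        "is_public": False}}


def build_issue(project_ident: str, subject: str, description: str) -> dict:
    """Payload for POST /issues.json; project_id accepts the identifier string."""
    return {"issue": {"project_id": project_ident,
                      "tracker_id": TRACKER_ID,
                      "subject": subject,
                      "description": description}}


def audit_plan(name: str, description: str, steps):
    """Return (project payload, list of issue payloads) for a complete audit task."""
    project = build_project(name, description)
    ident = project["project"]["identifier"]
    issues = [build_issue(ident, subject, desc) for subject, desc in steps]
    return project, issues


def post_json(path: str, payload: dict) -> dict:
    """Send one JSON payload to Redmine and return the decoded response."""
    req = urllib.request.Request(
        REDMINE_URL + path,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json", "X-Redmine-API-Key": API_KEY},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    project, issues = audit_plan(
        "Hybrid Cloud Audit 2020-Q3",
        "Testing validation activities for the hybrid cloud virtual environment.",
        AUDIT_STEPS,
    )
    post_json("/projects.json", project)          # create the audit project
    for issue in issues:                          # one issue per test step
        post_json("/issues.json", issue)
```

Running it once per audit cycle gives each engagement its own project with a consistent set of tracked steps; the identifier rule matters because Redmine rejects identifiers that start with a digit or contain spaces.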

Organizations can use almost any issue tracker to do much of this. They might
instead prefer a similar tool like OTRS or Mantis.


These three products are noteworthy because they offer significant flexibility
and customization in how issues are tracked and in their workflow support.

You won't get all the comprehensive features of a commercial AMS with an
approach like this, since these are designed around a specific use case. But
80% of the functionality is usually better than 0% when you can't get traction
any other way.

Low-cost control validation

One of the many GRC program challenges, regardless of size, is the ongoing
management and validation of the technical controls implemented to enforce
policy decisions. Implementing a control as a risk management decision is one
thing. Being able to prove that it's working is another.

Some of the tools used for asset management can be co-opted to provide data
on technical control operation, similar to functionalities found in IT GRC tools.

A couple of these tools that are worth noting include OpenVAS, or Open
Vulnerability Assessment System, an open source vulnerability scanning tool,
and GLPI, an open source asset management and inventorying tool.

OpenVAS features include parallel scanning, web UI, customizable scan
reporting, performance tuning capabilities, intuitive dashboard and prioritization
of issues based on severity.

GLPI features include inventorying of virtual or physical hosts, ticket
management capabilities, knowledge base creation and maintenance and built-in
project management features.

A tool like OpenVAS can validate the efficacy of system configuration
processes and patch management controls. Its scan results provide evidence
that systems are configured in a hardened manner, that configuration standards
are applied appropriately and that software is kept at the anticipated patch level.
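Scan output only becomes control evidence once it is reduced to a pass/fail statement against a stated policy. The script below is an added example, not code from the e-guide or from the OpenVAS project: it parses a constructed report whose element names (result, host, severity, nvt/name) are modelled on the XML exports of OpenVAS and its GVM successor, so treat that structure and the 7.0 severity threshold as assumptions to adjust for your version and policy. It records the worst finding per host and marks the patch-management control as failed for any host with a finding at or above the threshold.

```python
"""Reduce an OpenVAS-style scan report to patch-management control evidence.

Added example (not from the e-guide or OpenVAS). SAMPLE_REPORT is constructed;
its element names are an assumption modelled on OpenVAS/GVM XML exports, and
the severity threshold is a policy assumption.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Control under test: no in-scope host carries a finding of CVSS 7.0 or higher.
PATCH_CONTROL_MAX_SEVERITY = 7.0

# Constructed sample report; OIDs and finding names are made up for illustration.
SAMPLE_REPORT = """<report>
  <results>
    <result id="r1"><host>10.0.0.5</host><severity>9.8</severity>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900001"><name>Outdated SSH server (constructed)</name></nvt>
    </result>
    <result id="r2"><host>10.0.0.5</host><severity>2.6</severity>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900002"><name>TCP timestamps enabled (constructed)</name></nvt>
    </result>
    <result id="r3"><host>10.0.0.7</host><severity>0.0</severity>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900003"><name>Informational log entry (constructed)</name></nvt>
    </result>
    <result id="r4"><host>10.0.0.9</host><severity>7.5</severity>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900004"><name>Missing vendor patch (constructed)</name></nvt>
    </result>
  </results>
</report>"""


def parse_findings(report_xml: str) -> list:
    """Flatten each <result> into a dict with host, numeric severity and finding name."""
    root = ET.fromstring(report_xml)
    findings = []
    for result in root.iter("result"):
        findings.append({
            "id": result.get("id"),
            "host": (result.findtext("host") or "").strip(),
            "severity": float(result.findtext("severity") or "0"),
            "name": (result.findtext("nvt/name") or "").strip(),
        })
    return findings


def worst_by_host(findings: list) -> dict:
    """Highest severity observed per host (0.0 for hosts with only informational results)."""
    worst = defaultdict(float)
    for f in findings:
        worst[f["host"]] = max(worst[f["host"]], f["severity"])
    return dict(worst)


def validate_patch_control(findings: list, threshold: float = PATCH_CONTROL_MAX_SEVERITY):
    """Return (passed, failing_hosts): the control fails if any host has a
    finding at or above the threshold."""
    failing = sorted({f["host"] for f in findings if f["severity"] >= threshold})
    return (len(failing) == 0, failing)


def evidence_summary(findings: list, threshold: float = PATCH_CONTROL_MAX_SEVERITY) -> dict:
    """Compact record suitable for attaching to an audit workpaper."""
    passed, failing = validate_patch_control(findings, threshold)
    worst = worst_by_host(findings)
    return {
        "control": "patch level at or below CVSS %.1f on all hosts" % threshold,
        "hosts_scanned": len(worst),
        "worst_severity_by_host": worst,
        "hosts_failing": failing,
        "control_passed": passed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_summary(parse_findings(SAMPLE_REPORT)), indent=2))
```

Keeping the threshold as an explicit parameter lets the same script produce evidence for differently scoped controls (for example a stricter threshold for internet-facing hosts) without editing the parser.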

You can also use asset management-focused tools to help in a similar vein.
Asset management tools like GLPI can provide configuration-related details that
can support auditing, providing additional details about hosts such as software
inventory on the host or other information not available during a vulnerability
scan.

Resources for the cloud

This last example isn't a software tool, but still can be a useful addition to most
organizations' GRC program.

Many companies make heavy use of the cloud. The Cloud Security Alliance
provides a suite of related resources in its GRC Stack that can be useful when it
comes to assessing, validating and otherwise ensuring that cloud is employed in
a manner commensurate with your organization's risk tolerances.

While all of the sub-areas within the GRC Stack are useful, two are particularly
helpful: Cloud Controls Matrix (CCM) is a matrix of controls applicable for cloud
environments, and Consensus Assessments Initiative Questionnaire (CAIQ) is a
questionnaire that uses the CCM for cloud vendor information gathering.

The CCM and the CAIQ would be a good option for organizations focused on
improving their GRC program's effectiveness and maturity.

The CCM provides a list of controls that are applicable within a cloud security
context, mapped to many of the regulations in an enterprise's compliance
scope. The CCM can be directly integrated into cloud providers' risk
management reviews or used to connect organizational compliance with
regulatory requirements.

The CAIQ is a standardized information-gathering questionnaire that includes
key questions to ask cloud vendors during risk reviews. This questionnaire can
be incorporated directly into an organization's GRC program and used as part of
vendor risk reviews and evaluations. This can be done either as a supplement
to other information gathering activities -- like organization-specific vendor
questionnaires or generic questionnaires like the Shared Assessments
Standardized Information Gathering -- or as the sole information gathering
vehicle for cloud providers.

There are plenty of free tools that can streamline an organization's GRC
program. Employing free GRC tools to help provide much of the same
functionality as commercial tools will come in at a fraction of the cost. It may
take some creativity and customization to adapt the tools to your usage, but
they can provide just as much value to GRC efforts.


© 2020 TechTarget. No part of this publication may be transmitted or reproduced in any form or by any means without
written permission from the publisher.
