7 free GRC tools for compliance professionals
One way to help mitigate this is to use free and open source tools to automate
portions of governance, risk and compliance (GRC) activities. Open source, free
GRC tools have advantages from a procurement standpoint.
Nothing will completely remove implementation costs -- no matter how much the
software costs, someone needs to install and configure it -- but the initial budget
hit will be small and require little or no upfront investment. This means
compliance professionals can get access to a tool their organization would
otherwise have to buy, and can use it in the short term while the budget cycle
runs its course.
There are several open source tools that can help with some elements of GRC.
Not every tool will be appropriate for every organization, and there are
dozens, if not hundreds, of others. However, let's focus on free GRC tools that
can have an immediate benefit to GRC efforts in the majority of organizations:
audit management, control validation and resources for the cloud.
Some of the free GRC tools in this category are Redmine, OTRS and Mantis, all
of which are open source issue tracking, documentation and workflow platforms.
OTRS includes ticket creation and resolution workflow, team chat and
collaboration capability, issue resolution history and mobile-friendly UI.
A bug and feature tracking tool like Redmine -- which is included in the default
repository of distributions like Debian -- can be customized and used for many
of the same purposes as an audit management system (AMS). This includes
managing issues, tracking remediation progress, retaining a record of work
effort such as audit work papers and general internal information sharing.
For example, the screenshot below illustrates how you might create a new
project within Redmine to track a discrete audit task, such as testing validation
activities for an audit of a hybrid cloud virtual environment.
Organizations can use almost any issue tracker to do much of this. They might
instead prefer a similar tool like OTRS or Mantis.
These three products are noteworthy because they offer significant flexibility
and customization in how issues are tracked and in the workflows they support.
You won't get all the comprehensive features of a commercial AMS with an
approach like this, since these are designed around a specific use case. But
80% of the functionality is usually better than 0% when you can't get traction
any other way.
One of the many GRC program challenges, regardless of size, is the ongoing
management and validation of the technical controls implemented to enforce
policy decisions. Implementing a control as a risk management decision is one
thing. Being able to prove that it's working is another.
Some of the tools used for asset management can be co-opted to provide data
on technical control operation, similar to functionalities found in IT GRC tools.
A couple of these tools that are worth noting include OpenVAS, or Open
Vulnerability Assessment System, an open source vulnerability scanning tool,
and GLPI, an open source asset management and inventorying tool.
You can also use asset management-focused tools to help in a similar vein.
Asset management tools like GLPI can provide configuration-related details that
can support auditing, providing additional details about hosts such as software
inventory on the host or other information not available during a vulnerability
scan.
This last example isn't a software tool, but it can still be a useful addition to
most organizations' GRC programs.
Many companies make heavy use of the cloud. The Cloud Security Alliance
provides a suite of related resources in its GRC Stack that can be useful when it
comes to assessing, validating and otherwise ensuring that cloud is employed in
a manner commensurate with your organization's risk tolerances.
While all of the sub-areas within the GRC Stack are useful, two are particularly
helpful: the Cloud Controls Matrix (CCM), a matrix of controls applicable to cloud
environments, and the Consensus Assessments Initiative Questionnaire (CAIQ), a
questionnaire based on the CCM that is used to gather information from cloud vendors.
The CCM and the CAIQ would be a good option for organizations focused on
improving their GRC program's effectiveness and maturity.
The CCM provides a list of controls that are applicable within a cloud security
context, mapped to many of the regulations in an enterprise's compliance
scope. The CCM can be directly integrated into cloud providers' risk
management reviews or used to connect organizational compliance with
regulatory requirements.
There are plenty of free tools that can streamline an organization's GRC
program. Employing free GRC tools to help provide much of the same
functionality as commercial tools will come in at a fraction of the cost. It may
take some creativity and customization to adapt the tools to your usage, but
they can provide just as much value to GRC efforts.
© 2020 TechTarget. No part of this publication may be transmitted or reproduced in any form or by any means without
written permission from the publisher.