Governance, Risk management, and Compliance (GRC) is an emerging corporate specialization that is becoming increasingly important in helping businesses avoid legal penalties and possible moral censure from increasingly assertive, crusading consumer groups.
Not all governance and compliance issues are legal matters; some are aims the business has voluntarily adopted or an exercise in marketing. However, the regular IT systems that guide your business’s core activities probably won’t cover the requirements of the various standards your C-Suite might have decided to follow. You need GRC tools.
Here is our list of the ten best GRC tools:
- SolarWinds Security Event Manager EDITOR’S CHOICE A SIEM service that includes automated compliance risk management, log management, and compliance auditing. It runs on Windows Server. Get a 30-day free trial.
- ManageEngine ADAudit Plus (FREE TRIAL) This software implements activity tracking, which is an important step in compliance reporting. Available for Windows Server, AWS, and Azure. Start a 30-day free trial.
- Datadog Cloud Security Posture Management Part of a cloud-based security platform that offers a tailored risk assessment service.
- Netwrix Auditor A risk assessor that monitors system activities for compliance issues and manages logs for audit trails. It installs on Windows Server and is also available as a cloud platform.
- StandardFusion A cloud-based system assessment and compliance auditing service with a great automated compliance manager.
- IBM OpenPages with Watson A comprehensive cloud-based GRC platform that is priced to be accessible to small businesses as well as large corporations.
- SAI Global BWise GRC Platform A risk management, data protection, and system auditing service that is particularly useful for businesses following GDPR. This is a cloud-based platform.
- ServiceNow Governance, Risk, and Compliance A risk assessment platform that supports the creation of policies and goals and tracks goal achievement. This is a cloud-based system.
- Riskonnect A cloud-based governance guidance platform that includes user awareness training, compliance goals, and audit plan creation.
- BIC GRC Includes risk management automation and oversight plus compliance auditing functions. It is available for Windows Server or Linux.
Whichever standard you are implementing, you need to assess your current system to check whether it is in compliance, make system changes where shortfalls are identified, institute compliant working practices, document all steps, and institute logging around the areas of the business’s system that are particular focuses of the standard.
Information trails need to be built into your systems in order to lay down the source materials for the compliance auditing that standards accreditation usually requires. You will also need to identify potential risk and strategize an incident management plan in case some non-compliant event occurs.
Given that people are prone to error and tend to quickly forget new rules, it is better to formulate system constraints and introduce process automation to ensure that standards requirements are met.
GRC software won’t implement all of the systems that you need in place and the tools that you will need to enforce compliance will vary depending on precisely which standard you are aiming for. However, the GRC tools should highlight gaps in your services that need to be plugged. That gives you a path to follow in order to acquire new software that will get your business in shape.
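The assessment step described above (check the current system against a standard's requirements, record each shortfall, and document what must change) is easy to automate once the requirements are written as individual controls. The following is an added example, not code from any product on this page: it runs a constructed host inventory against a small set of constructed controls (the identifiers `C-01` to `C-06` are invented, not clauses of any real standard) and produces a documented finding for every control that fails.

```python
"""Added example: assess a host inventory against a set of compliance
controls and return documented findings for each shortfall.
The inventory, control identifiers and thresholds are constructed for
illustration and do not come from any real standard or product."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List

# Constructed inventory for one host, in the shape a discovery tool might report.
SAMPLE_HOST: Dict = {
    "hostname": "app-01",
    "disk_encryption": False,
    "password_min_length": 8,
    "mfa_required": True,
    "last_patch_date": date(2023, 1, 15),
    "audit_logging": True,
    "open_ports": [22, 80, 3389],
}

# Fixed "today" so the patch-age check is deterministic (constructed value).
SAMPLE_TODAY = date(2023, 3, 1)


@dataclass(frozen=True)
class Control:
    control_id: str              # constructed identifier, not a real clause number
    description: str             # what the standard requires, in plain words
    check: Callable[[Dict], bool]  # returns True when the host satisfies the control
    remediation: str             # documented action for the shortfall


def patched_within(days: int, today: date) -> Callable[[Dict], bool]:
    """Build a check that passes when the host was patched within `days` of `today`."""
    return lambda h: (today - h["last_patch_date"]).days <= days


def build_controls(today: date) -> List[Control]:
    """The control set to assess against; thresholds are illustrative."""
    return [
        Control("C-01", "Data at rest is encrypted",
                lambda h: h["disk_encryption"], "Enable full-disk encryption"),
        Control("C-02", "Password minimum length is at least 12",
                lambda h: h["password_min_length"] >= 12, "Raise password policy to 12 characters"),
        Control("C-03", "MFA required for interactive logon",
                lambda h: h["mfa_required"], "Enforce MFA for all interactive accounts"),
        Control("C-04", "Patched within the last 30 days",
                patched_within(30, today), "Apply pending operating system and software patches"),
        Control("C-05", "Audit logging enabled",
                lambda h: h["audit_logging"], "Enable audit logging and forward logs to the log store"),
        Control("C-06", "Remote desktop (3389) not exposed",
                lambda h: 3389 not in h["open_ports"], "Close 3389 or restrict it at the firewall"),
    ]


def assess(host: Dict, controls: List[Control]) -> List[Dict]:
    """Return one documented finding per failed control (empty list means compliant)."""
    findings = []
    for c in controls:
        if not c.check(host):
            findings.append({
                "host": host["hostname"],
                "control": c.control_id,
                "description": c.description,
                "remediation": c.remediation,
            })
    return findings


def compliance_ratio(host: Dict, controls: List[Control]) -> float:
    """Fraction of controls the host passes, for a status report."""
    passed = sum(1 for c in controls if c.check(host))
    return passed / len(controls)


def run_sample_assessment() -> List[Dict]:
    """Assess the constructed host as of the constructed date."""
    return assess(SAMPLE_HOST, build_controls(SAMPLE_TODAY))


def sample_compliance_ratio() -> float:
    return compliance_ratio(SAMPLE_HOST, build_controls(SAMPLE_TODAY))


if __name__ == "__main__":
    for f in run_sample_assessment():
        print(f"{f['host']} {f['control']} FAIL: {f['description']} -> {f['remediation']}")
    print(f"compliance: {sample_compliance_ratio():.0%}")
```

Each finding carries the control, the requirement in plain words, and the remediation, which is the documentation trail an auditor asks for; re-running the assessment after each change shows whether the shortfall was actually closed.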
What do GRC tools do?
Data protection standards usually concern access to certain types of data and how it is used. HIPAA and PCI DSS require that Personally Identifiable Information (PII) be protected, whereas SOX ensures that corporate financial information isn’t hidden. GDPR compliance requires that the geographical location in which data is stored can be restricted and that procedures be followed before PII can be moved from storage locations within the EU to outside the zone.
So, the precise compliance requirements differ according to which standard is being followed. Therefore, it is best to look for a GRC tool that specifically states that it supports the standard you are following or that it can be adapted automatically to track compliance with that standard.
Risk management is also adaptable to standards requirements. In performing a risk assessment, you are identifying the risks to specific types of data, which are influenced by the standard. “Governance” is a term that specifically relates to access to and the appropriate use of data, so that also relates to specific standards requirements.
The best GRC tools
What should you look for in a GRC tool?
We reviewed the market for governance, risk management, and compliance software and analyzed the options based on the following criteria:
- A system scanner that can be specifically tailored to a data protection standard
- A tool that offers templates, workflows, and guidance on enforcing standards
- A system that is able to identify sensitive data stores and track activities in those locations
- Reporting and logging functions
- Auditing tools that tie in with the needs of compliance auditors
- A risk-free assessment period created by a free trial or money-back guarantee
- Value for money from a tool that will ensure the business doesn’t get fined for non-compliance
SolarWinds Security Event Manager is an on-premises software package that performs log management and security scanning. It is a suitable system for ensuring compliance to PCI DSS, GLBA, SOX, NERC CIP, and HIPAA, among other standards.
- Collects log messages
- Consolidates logs
- Stores logfiles
- Searches for attacks
- Compliance reporting
The Security Event Manager works as a log collector and consolidator. The log files that the system compiles then feed through to a SIEM system for intrusion detection. Those logs don’t get discarded; they contribute to ongoing system activity tracking and they are also available for compliance auditing. All log files are protected from tampering.
The risk assessment requirements of GRC are covered by vulnerability scans that identify weaknesses, such as out-of-date software. The SIEM system also has a built-in remediation mechanism. The service gives you options over which events should raise alerts for manual analysis and which should trigger automated responses. The SIEM is able to communicate with Active Directory to suspend suspicious user accounts or with firewalls to blacklist IP addresses. All actions taken by the Security Event Manager are logged.
Compliance risk reporting and standards goal auditing can all be tailored within the system towards specific standards requirements. Status and event reports can also have graphical content to improve conformance proof.
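The earlier point that information trails must be built into your systems, and the claim above that collected log files are protected from tampering, both come down to the same property: an auditor must be able to show that no record was altered, inserted, or deleted after the fact. The following added example (not SolarWinds code, and not from any product on this page) shows one common way to get that property, a hash chain in which each record commits to the previous record's hash; the access events are constructed sample data.

```python
"""Added example: a tamper-evident audit log built as a SHA-256 hash chain.
Each record stores the hash of the previous record, so editing, deleting or
reordering any record breaks verification from that point on.
Sample events are constructed; this is not any product's log format."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first record

# Constructed access events of the kind a data-protection standard wants tracked.
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T09:00:00Z", "user": "alice", "action": "read",   "object": "/pii/customers.csv"},
    {"ts": "2023-03-01T09:05:00Z", "user": "bob",   "action": "modify", "object": "/finance/ledger.xlsx"},
    {"ts": "2023-03-01T09:07:00Z", "user": "alice", "action": "export", "object": "/pii/customers.csv"},
]


def _record_hash(prev_hash: str, seq: int, event: Dict) -> str:
    """Hash over the previous hash, the sequence number and a canonical event encoding."""
    payload = json.dumps({"seq": seq, "event": event}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()


def append_event(log: List[Dict], event: Dict) -> Dict:
    """Append an event, linking it to the current chain head."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    rec = {"seq": seq, "event": dict(event), "prev": prev,
           "hash": _record_hash(prev, seq, event)}
    log.append(rec)
    return rec


def verify_chain(log: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        # Sequence and back-pointer must match; catches deletion and reordering.
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        # Recomputed hash must match; catches edits to the event body.
        if _record_hash(prev, i, rec["event"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_log() -> List[Dict]:
    log: List[Dict] = []
    for e in SAMPLE_EVENTS:
        append_event(log, e)
    return log


def tampered_sample_log() -> List[Dict]:
    """Someone rewrites who performed the second action."""
    log = build_sample_log()
    log[1]["event"] = dict(log[1]["event"], user="carol")
    return log


def truncated_sample_log() -> List[Dict]:
    """Someone deletes the second record to hide it."""
    log = build_sample_log()
    del log[1]
    return log


if __name__ == "__main__":
    print("intact:   ", verify_chain(build_sample_log()))
    print("edited:   ", verify_chain(tampered_sample_log()))
    print("truncated:", verify_chain(truncated_sample_log()))
```

On its own a hash chain proves integrity only relative to its head: whoever can rewrite the whole file can rebuild the chain. In practice the head hash is periodically written somewhere the log writer cannot change (a separate system, a signed timestamp, or write-once storage), which is the role the "protected from tampering" claim above plays in a SIEM.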
- Ensures all system log messages are collected and filed
- Rotates log files with consolidated log messages converted to a common format
- Creates a meaningful logfile directory structure to aid compliance auditing
- Compliance reporting for PCI DSS, GLBA, SOX, NERC CIP, and HIPAA
- Automated threat hunting plus manual analysis tools
- Not a SaaS package
The Security Event Manager installs on Windows Server and it is available for a 30-day free trial.
SolarWinds Security Event Manager is our top pick for a GRC tool because it is bundled into a SIEM system, so this package offers real value for money. SolarWinds also produces a patch manager and a network configuration manager that can work in sync with the Security Event Manager.
Get a 30-day free trial: solarwinds.com/security-event-manager/registration
Operating system: Windows Server
ManageEngine ADAudit Plus tracks activity on workstations and servers and links those actions to specific user accounts. The package also tracks changes in Active Directory to ensure that only authorized users, and not intruders with self-created fake accounts, have access to the system.
- File integrity monitoring
- Active Directory protection
- Activity logging
ADAudit Plus doesn’t include risk analysis or sensitive data detection – it applies access logging for all files. The package raises alerts if changes are made within Active Directory. It is possible to create custom alerts, so if you have a separate sensitive data discovery tool, you could set up alerts for changes to those particular data stores.
The log files that the ADAudit system creates are summarized by a reporting module. This can be tuned to provide compliance reporting for SOX, HIPAA, PCI-DSS, FISMA, and GLBA.
- Lays down the records for compliance reporting
- Links activities to user accounts
- Compliance reporting for SOX, HIPAA, PCI-DSS, FISMA, and GLBA
- This is not a SaaS package
ManageEngine ADAudit Plus runs on Windows Server, and you can also access it as a service on AWS or Azure. The ADAudit Plus package is available in three editions: Free, Standard, and Professional. The Free edition monitors up to 25 workstations and includes compliance reporting, so it’s a good system for small businesses. The Standard edition tracks activity on servers and workstations. Active Directory monitoring is only included in the Professional edition. ManageEngine offers the Professional edition on a 30-day free trial.
Datadog is a cloud platform that offers a menu of system monitoring tools. It has a new range of security tools that are not widely available yet because they are in Beta release; the Cloud Security Posture Management service is among those brand new services.
- Risk assessment
- Tailored to specific standards
- System hardening
- Log management
The Datadog Security Platform works as a suite of tools and includes a log manager and a SIEM system. The Posture Management module is a risk assessor and it can be tailored to look for standards-specific conditions. The risk assessor is a vulnerability scanner. It checks on device settings and recommends how configurations can be tightened up. It also checks on operating systems and software versions, looking for out-of-date systems that need to be patched.
The security platform is a compliance framework that offers a thorough understanding of data protection standards. It protects and manages all collected log files and stores them for compliance auditing.
- Establishes requirements for data protection standards
- Adjusts system settings to implement data protection standards
- Tracks software versions and implements patching
- Collects, consolidates, and files log messages
- Still under development
Access the Datadog Compliance Monitoring system by using this form.
Netwrix Auditor is a good choice for businesses that are working to PCI DSS, HIPAA, and FISMA standards. The service includes a risk assessor that examines software and operating system versions and device configurations. The tool also assesses user accounts and device permissions for security weaknesses.
- Risk assessment
- Sensitive data management
- Activity tracking
A key part of the Auditor’s service is the tracking of access to sensitive data. The service categorizes folders and files by risk status for compliance requirements and watches and logs access events to those locations. All of the logs collected by Netwrix Auditor and generated by it are stored in a meaningful directory structure, providing rapid access for compliance auditing.
The access and activity tracking services of Netwrix Auditor cover systems on-premises and on the cloud. It is able to check on the configurations and usage of a range of applications, such as databases, Web servers, and email servers. It will also monitor Microsoft Office 365.
- Assesses the system and recommends changes to configurations
- Discovers sensitive data and implements protection procedures
- For compliance with PCI DSS, HIPAA, and FISMA
- Not a SIEM system
Netwrix Auditor is offered as on-premises software for installation on Windows Server and also as a hosted cloud service. You can test this file integrity monitoring tool on a 20-day free trial.
StandardFusion is suitable for large corporations and also for smaller enterprises. The system is well-guided and easy to set up. So, it is a good option for businesses that are just starting with standards compliance.
- Guided standards implementation
- Risk assessment
- Sensitive data management
The system can be tailored to fit a number of different data protection standards, including HIPAA, GDPR, PCI-DSS, ISO, SOC2, NIST, CCPA, and FedRAMP. Once you set the system up with the appropriate standard, the system presents a series of questionnaires to help you define the scope of your compliance requirements. The guided service provides a framework for your IT system, including working practices and workflows.
The system performs an automated risk analysis based on the standard required and the questionnaire results. This suggests system aspects that need tightening up, such as patching and configuration adjustments. A nice feature of this system is that it will reassess each change you make to improve security, so you can implement step-change improvements.
- Assesses the system for compliance with a given standard
- Discovers and protects sensitive data
- For compliance with HIPAA, GDPR, PCI-DSS, ISO, SOC2, NIST, CCPA, and FedRAMP
- One of the most expensive packages on this list
StandardFusion provides discovery and event logging plus log management. It can be integrated with Jira, Confluence, Slack, OpenID, DUO, and Google Authenticator for improved and traceable project management. This is a hosted service and it is available for a 14-day free trial.
IBM OpenPages with Watson is a cloud-based GRC platform that supports operational risk, company policy, standards compliance, IT governance, and system auditing. This system is particularly strong in the oversight of financial data.
- Full GRC for finance
- System risk assessment
- Log management
The IBM system is highly scalable and is priced per user per year. This makes all of the GRC utilities available to small businesses at an affordable price and the fact that the system is hosted means that customers don’t have to worry about finding server space for the software.
This is a very comprehensive system that takes time to work through. It offers a guided implementation of standards conformance and uses AI in its system risk assessment services. The tool also produces reports and recommendations on workflows and practices that need to be put in place to enforce compliance. It is able to manage automated processes to log and secure a system. Those logs are formatted in a suitable storage structure for easy access for auditing.
- Uses AI processes to assess a system and recommend changes
- Adapts its recommendations to generate compliance with a given standard
- Continuous monitoring and system assessments
- Very complicated system
You can get a 30-day free trial of IBM OpenPages with Watson’s Regulatory Compliance Management system.
SAI Global’s BWise GRC platform was previously known as Nasdaq BWise. SAI Global specializes in standards compliance systems and, although now based in the security sector, was originally Standards Australia, a state-owned agency that was set up to help businesses adopt data protection standards.
- Good for GDPR
- Focuses on data management
- Risk analysis
The focus of this system is the use, storage, and movement of data. This makes it particularly useful for businesses that need to implement GDPR, in which the physical location of data storage and the people who access it are extremely important.
The service covers risk assessment, compliance guidelines, and data access auditing. The dashboard for BWise enables standards implementations to be tracked through the business. It also keeps a record of audits over time and their results, enabling the governance manager to set goals towards achieving compliance.
- Performs a risk assessment and generates system adjustment recommendations
- Constantly re-checks to ensure compliance
- Protects sensitive data by tracking user access
- No free trial
You can request a demo of the GRC platform.
ServiceNow integrates risk management into the decision-making processes of businesses. This tool is all about communicating risk assessment in relation to change management and business evolution. It is an integrated collaboration tool centered on risk management and it would be particularly useful as part of a project management strategy.
- Service Desk package
- Built-in GRC
- Risk assessment
The platform helps you set a corporate strategy for issues, such as standards compliance. You will then create an implementation project, with intermediate goals and the ServiceNow system tracks the team’s performance in reaching those staging points.
ServiceNow is primarily a service desk system and the GRC module is probably better used as part of the wider ServiceNow DevOps support environment. The system offers business managers a range of risk assessment tools that include the evaluation of new suppliers, the value of taking on new clients, or the risk involved in entering new markets, as well as its ability to track standards compliance.
- A GRC module for the ServiceNow Service Desk system
- Automated and manual tools for risk assessment
- System compliance checks
- No free trial
The ServiceNow GRC is available for a demo.
Riskonnect focuses on risk management and it has a very slick dashboard that presents risk issues from a range of angles. This service isn’t just aimed at standards compliance. It is primarily aimed at assessing insurable risk but it can be tailored towards data protection standards.
- Risk assessment
- Tailored for specific standards
- Procedural data protection
The risk management functions of Riskonnect are a little different from those practiced by other GRC tools on this list. Its angle is more about working practices and user training for awareness than system vulnerability. This service is very strong on procedural data protection and the creation of automated processes to protect data. In short, this tool is firmer support for the Governance aspect of GRC and could possibly benefit from partnering with an event-focused SIEM.
Riskonnect will help you formulate audit plans and, thus, show how to organize audit trails. It has an excellent reporting module that illustrates the route to compliance and goals that have been achieved or missed.
- Produces recommendations for changes to working practices
- Provides staff training to implement safe working practices
- Supports the creation of auditing procedures
- Mainly administrative recommendations for manual actions
You can ask for a demo of this cloud-based service.
GBTEC BIC Platform is a data mining system that has developed a GRC package from its log management and information locator services. GBTEC is a German company and its services are particularly strong for GDPR compliance.
- Log management
- SaaS or on-premises
- Activity tracking
The GRC package is centered on guides and goal-setting systems that drive the compliance preparation process. The system will locate sensitive data stores and recommend how they can be reorganized, protected, and monitored. It also performs system sweeps for risk assessment.
Once the service is operational, it gathers logs and stores them logically, making event data available for automated analysis, much as a SIEM does. BIC GRC helps with the creation of activity logging, process automation, and business rules management for standards compliance goals. The service also includes auditing functions.
- Collects, consolidates, and stores log files
- Compiles user activity assessments from log data
- Alerts to inappropriate data access
- A supervision tool rather than an automated data protection system
BIC Platform is offered as a SaaS bundle and the software can also be acquired for installation on Windows Server. The service is offered on a 30-day free trial.